UCA recently lost $4,738.74 from phishing scams, according to several UCAPD reports.
Faculty members Lesley Graybeal, JoAnna Cupp and Jeff Whittingham had their direct deposit information changed late last semester without their knowledge.
Their information was changed to reroute direct deposit payments to accounts with Green Dot Bank, an online-only bank owned by Green Dot Corporation, a financial technology company headquartered in Austin, Texas, and one of the world’s largest providers of prepaid debit cards.
Graybeal and Whittingham each had a paycheck sent to Green Dot Bank. Cupp reported the fraud before any funds were deposited and Whittingham reported it in time for UCA to pull the money back into its account.
Graybeal did not know her account had been compromised until UCA’s IT department contacted her Nov. 17.
“IT, PD, and I never found out how my information was phished,” Graybeal said over email. “IT found out that my account had been phished. I’m not sure how, and I had to spend a morning on the phone with the bank closing the affected account, opening a new one, updating my direct deposit and filing a police report.”
According to the police reports, Trevor Seifert, UCA IT vice president, found that three IP addresses associated with California State University in Long Beach were used to access the accounts. UCAPD reported the information to the FBI Internet Crime Complaint Center, and there are no leads at this time.
A phishing scam is an attempt to gain personal information about someone over the internet.
“Phishing targets individuals through email, text messages, phone calls, and other forms of communication,” Seifert said over email. “The attempt aims to trick the recipient into falling for the bad actor’s desired action, such as revealing financial information, system login credentials, or other sensitive information.”
Seifert said students are often targeted by phishing emails, too.
“For students, it is primarily a ‘Job Opportunities’ scam where the email describes a job as a student worker and asks for replies to a particular email address or a text message. UCA only offers jobs through our People Admin website,” Seifert said. “We have seen a few instances of phishing attempts for credentials. The email appears to be from something like Microsoft or Google, but the link redirects you to a website not owned by a reputable entity, and when you log in to the site they are capturing your username and password.”
“There are many things you can do and look at to help protect yourself from a phishing attempt. If the communication is via email, look at the ‘from’ field and not just the vanity name, but the actual email address the communication came from,” Seifert said.
“All UCA business should come from an @uca.edu account. If there are links within a suspicious email, we recommend you don’t click on them. You can open a new browser window and search for the particular entity or reference within the link to see if it is valid,” he said.
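The “from” field check Seifert describes, as an added Python example (not code from UCA or from this article): it separates the display name from the actual address and tests the address domain against uca.edu. The finding codes and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

TRUSTED = "uca.edu"  # per the article: UCA business comes from @uca.edu
# An e-mail address appearing inside the display ("vanity") name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def check_from(header, trusted=TRUSTED):
    """Return a list of finding codes for one From header value."""
    display, addr = parseaddr(header)
    if "@" not in addr:
        return ["unparseable"]
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    findings = []
    # Accept only an exact match or a true subdomain; a substring
    # test would also accept "uca.edu.mail.example".
    if not (domain == trusted or domain.endswith("." + trusted)):
        findings.append("external-domain")
        if trusted in domain:
            findings.append("lookalike-domain")
    # A display name that shows an address on a different domain than
    # the real sender is the vanity-name trick the article warns about.
    m = ADDR_IN_NAME.search(display)
    if m and m.group(1).lower() != domain:
        findings.append("display-name-mismatch")
    return findings

# Constructed sample headers using reserved .example domains, not real mail.
SAMPLES = [
    '"UCA Payroll" <payroll@uca.edu>',
    '"UCA IT Help Desk" <helpdesk@uca-edu.example>',
    '"payroll@uca.edu" <notice@mail.example>',
    '"Student Jobs" <jobs@uca.edu.mail.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_from(header) or ["ok"], header)
```

A clean result only means the visible address is on the expected domain; the From header is written by the sender, so this check complements the mail system's own filtering rather than replacing it.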
Seifert said the key areas to focus on when trying to mitigate phishing scams are “education, training and communication.”
“We do have additional protection around our UCA domain to try and catch/prevent suspicious emails from hitting the end user’s inbox,” Seifert said.
The IT department has also run phishing simulations to help with awareness training and minimize risk in the case of an actual event, Seifert said.
“The last phishing simulation was sent to 1,827 end users. The results showed that 11% (216) clicked the link within the email and of those 3% (57) actually provided their credentials to the site,” Seifert said.
Seifert said a challenge with protecting users against phishing scams is that “the landscape is ever-changing.”
“There are entire organizations of bad actors in the world that try to make a living by creating new ways of phishing sensitive information and then using that information to their advantage,” Seifert said.
One way to tell if an email is a scam, Seifert said, is “if it seems too good to be true, it probably is.”
“A lot of the phishing scams tied to job opportunities usually offer high pay for low hours worked,” Seifert said. “The other area of concern is if someone is asking you for personally identifiable information and you did not initiate the interaction, it is probably a bad actor trying to gain access.”
Suspicious emails can be forwarded to UCA’s IT department to be investigated.
“If you do feel like you have been phished for sensitive information like your identity, name, date of birth, social security number, etc., you can always visit your local police station and file a report,” Seifert said. “That way if you do have any fraudulent activity against you or your accounts you can provide the police report to entities like banks or credit card companies.”




