Frauds, Scams and Cons

Fraudulent Direct Deposit Requests

Yale Police has received a few incident reports regarding emails impersonating Yale faculty and staff members requesting to have direct deposit information changed. In these attempts, the criminals use a spoofed display name and create email accounts using the name of the individual they are impersonating to convince the recipient that the email request is legitimate. In the initial communication, they will often ask for direct deposit change forms or provide filled out forms found online. These requests will attempt to divert an individual’s payroll check to the criminal’s account. Sometimes the emails will have noticeable red flags, such as spelling and grammatical errors; however, they may be well drafted and more difficult to identify as fraudulent.

Check the email sender’s name and header. If you are using your phone, you may have to expand the To and From information to see the full address. The display name may appear legitimate, but the associated email address will not quite match who the sender claims to be. The criminals use email domain names that resemble legitimate domain names to con the email recipient. You can also check the email header for more information that could assist in determining if the email is legitimate.
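The sender check described above can be automated. The following is an added example, not code from Yale Police or the cited sources; the domain `example.edu`, the staff name, the free-mail list and the finding labels are all constructed assumptions.

```python
from email.utils import parseaddr

# All names and domains below are constructed for this example.
TRUSTED_DOMAINS = {"example.edu"}      # the organization's real mail domain(s)
KNOWN_STAFF = {"jane doe"}             # display names likely to be impersonated
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Characters commonly swapped in so a domain looks right at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold(domain):
    """Map look-alike characters and pairs back to the letters they imitate."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain):
    """Exact trusted domain or one of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def resembles_trusted(domain):
    """True when an untrusted domain imitates a trusted one."""
    folded = fold(domain)
    for trusted in TRUSTED_DOMAINS:
        org_label = trusted.split(".")[0]           # "example" in "example.edu"
        if folded == trusted:                       # examp1e.edu, exarnple.edu
            return True
        if edit_distance(folded, trusted) <= 2:     # exampel.edu
            return True
        if org_label in domain:                     # example.edu.hr-forms.net
            return True
    return False


def check_sender(from_header):
    """Return a list of findings for one From: header value (empty = none)."""
    name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return ["unparseable-sender"]
    if is_trusted(domain):
        return []
    findings = []
    if name.strip().lower() in KNOWN_STAFF:
        findings.append("display-name-impersonation")
    if resembles_trusted(domain):
        findings.append("lookalike-domain")
    if domain in FREE_MAIL:
        findings.append("free-mail-domain")
    return findings


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.edu>',
    '"Jane Doe" <jane.doe.payroll@gmail.com>',
    "Jane Doe <jane.doe@examp1e.edu>",
    "HR Forms <forms@example.edu.hr-forms.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no findings")
```

The From header can itself be forged, so a clean result here is not proof of legitimacy; the `Authentication-Results` header (SPF, DKIM and DMARC verdicts) is the further header information to review.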

Criminals also target employees through phishing emails designed to capture an employee’s login credentials. Once the employee’s credentials are obtained, the credentials are used to access the employee’s payroll account in order to change their bank account information. Rules are added by the criminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to the criminal’s account.

Steps to mitigate:

  1. Report all crimes and suspicious activity to the Yale Police
  2. Use two-factor authentication or two levels of approval and verbal agreement from the requesting individual
  3. Those who receive suspicious communications from a supposed known contact are encouraged to call the sender (the employee) on the phone to verify any requests
  4. Alert and educate your team about this scheme, including preventative strategies and response
  5. Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from
  6. Instruct employees to refrain from supplying login credentials or personally identifying information in response to any email
  7. Apply heightened scrutiny to bank information initiated by employees seeking to update or change direct deposit credentials

Source: FBI, GTM Resources and NJCCIC

Each year during the holidays and semester break, Yale Public Safety receives reports of fraud, burglaries and larcenies to include package theft. A recent trend reported in the region includes phishing and SMiShing (text-based phishing) scams.

During the holiday season many people receive emails from known businesses for sales, promotions, order confirmations, and shipping notices. Cybercriminals can create spoofed emails that appear legitimate and may contain links or attachments that install malware or direct users to spoofed websites that steal personal and financial information. This can also take the form of a fake package delivery notification, attempting to trick individuals into opening malicious links and attachments in order to steal personal data or launch malware.

Some steps you can take to protect yourself include:

  • Enable Multi-Factor Authentication
  • Avoid Connecting Devices to Public Charging Stations; do not make purchases using public WiFi
  • Verify Charities Before Donating
  • Beware of ‘Secret Santa’ Gift and Other Gift Exchanges, compensated online surveys (if it seems too good to be true it probably is)
  • When Clicking On URL Links Found On Social Media, Use A URL Expander To Ensure You Are Accessing A Legitimate Site
  • Don’t fall for a spoofed email or text: check the number/email, look for irregularities in language and terminology
  • Beware of online retailers that use a FREE email service instead of a company email
  • Look for online retailers that use encryption: web addresses should begin with https:// and include a locked padlock icon

Other resources to combat fraud include:

Source: Open, USAA, FBI and NJCCIC

Yale Police periodically receive reports of impersonation scams in which scammers impersonate academic officials, government agencies, law enforcement and other organizations in an attempt to steal personally identifiable information (PII), obtain login account credentials, or extort funds. Legitimate law enforcement agencies and official government organizations typically initiate enforcement action contact by postal mail or in person. Scammers will make contact through email, SMS text messaging, phone calls, and social media platforms to convince their targets to take action. The impersonation of law enforcement agencies, academic officials, and government agencies is used to create a sense of legitimacy and authority. At times, the actual name of a legitimate law enforcement official or employee will be used in the email signature and spoofed in the display name and email address. Some telltale signs of spoofed emails include spelling errors, incorrect titles, grammatical inconsistencies, a sense of urgency, and demanding and threatening language.

Phishing emails may contain information about accessing a document and a link with an expiration date to create a sense of urgency. If clicked, the link directs the victim to an online document or site that prompts the victim to enter account credentials to verify their identity and access the document. Once entered, the account details and PII are stolen and used by the scammers to commit further malicious activity, such as account compromises, identity theft, and fraud.

Report any fraud and fraud attempts to the Yale Police Department at 203-432-4400.

Source: NJCCIC

College students seeking to find employment and build their resume can be targeted by scammers. Ruthless individuals advertise employment opportunities the same way legitimate employers do, through online ads posted on social media and on job sites, in print publications, and on TV and radio. They promise you a job, but what they want is your personal information and money. The Federal Trade Commission has provided the examples of job scams and tips below to help you avoid them.

Examples of Job Scams

Work-from-home job scams

Many people would like to work from home and generate income. Scammers know this, so they place ads, often online, claiming that they have jobs where you can make thousands of dollars a month working from home with little time and effort. The job could be anything from reshipping products to selling things to people you know. Sometimes the scammers try to get you interested by saying that you can be your own boss, start your own business, or set your own schedule.

But instead of making money, you end up paying for starter kits, “training,” or certifications that are useless. You might also find that your credit card is charged without your permission, or you get caught up in a fake check scam. If someone offers you a job and they claim that you can make a lot of money in a short period of time and with little work, that’s a scam.

Here are some examples of work-from-home job scams:

  • Reshipping scams. If you’re searching for a job online, you might see positions advertised for quality control managers or virtual personal assistants that have been placed by scammers. But here’s how you can tell it’s a scam: once you’re “hired,” the company says that your “job” is to receive packages at home, discard the original packaging and receipts, repackage the products, and then reship them to an address they give you.
    Sometimes the address is overseas. The products are often high-priced goods, like name-brand electronics, bought using stolen credit cards. Reshipping goods is never a real job. That’s simply being part of a scam. Sometimes the company tells you it will send your first paycheck after you work for a month, but the paycheck never arrives. And when you try to contact the company, you’ll find that the phone number is no longer connected and the website is deactivated. This “job” is a scam, and if you gave your personal information thinking it was for payroll, you may now have an identity theft problem.
  • Trade-based money laundering scheme, or the ‘package mule scam.’ People are contacted by scammers and led to believe they have a legitimate job as a package inspector. These people are asked to receive packages at their home, then check out the package, add a new label and ship it out. The packages are likely purchased illegally, possibly with stolen credit card information. The person asked to re-ship is essentially the middle-person, adding to the supply chain and making it harder for police to track the criminals.
  • Reselling merchandise scams. In this scam, you may get a call out of the blue from a stranger offering you a job opportunity. Or you may see an ad online or in your local newspaper. In either case, they say that you can make money buying brand-name luxury products for less than retail prices, then selling those products for a profit. But after you pay for the products, the package never arrives or, if it does, it’s full of junk.

Nanny, caregiver, and virtual personal assistant job scams

Scammers post fake job ads for nannies, caregivers, and virtual assistants on job sites. Or they may send emails that look like they’re from someone in your community, or who is part of an organization you know, like your college or university. If you apply, the person who hires you might send you a check. They’ll tell you to keep part of the money for your services and then send the rest to someone else. That is a scam. A legitimate employer will never ask you to do that. What happens next is that the check is fake. It can take weeks for a bank to discover this, but once they do, the bank will want you to repay that full amount. So: if you get an offer that includes depositing a check and then using some of the money for any reason, that’s a scam. Walk away.

Mystery shopper scams

Getting paid to shop sounds like a dream job — especially if you’re going to school full-time or looking for a side job. But while some mystery shopping jobs are legitimate, many are scams. Legitimate mystery shopping companies won’t ask you to pay for certifications, directories of jobs, or job guarantees. If someone asks you to pay to get a job, that’s a scam. And if they want you to deposit a check and send money back, stop. That’s a sign of a fake check scam. Read Mystery Shopper Scams to learn more.

Job placement service scams

While many staffing agencies, temporary agencies, headhunters, and other placement firms are legitimate, others lie about what they will do for you, promote outdated or fake job openings, and charge fees for so-called services. Legitimate placement firms do not typically charge a fee. Instead, the hiring company pays them a fee to find qualified candidates. If a placement firm asks you for a fee, walk away. You could be dealing with a scam.

Government and postal jobs scams

You respond to an ad that promises jobs with the federal government or postal service. But then you have to pay a fee to get the job, or pay for study materials so you’ll get a high score on the postal exam. Those are scams. Information about job openings with the federal government or U.S. Postal Service is free and available to everyone. And it’s free to apply for a federal or postal job. Find and apply for a job with the federal government at USAJobs.gov, or visit usps.com/employment to find jobs with the U.S. Postal Service.

How to Avoid a Job Scam

Before you accept a job offer, and certainly before you pay for one, take these steps to protect yourself from job scams:

  • Do an online search. Look up the name of the company or the person who’s hiring you, plus the words “scam,” “review,” or “complaint.” You might find out they’ve scammed other people.
  • Talk to someone you trust. Describe the offer to them. What do they think? This also helps give you vital time to think about the offer.
  • Don’t pay for the promise of a job. Legitimate employers, including the federal government, will never ask you to pay to get a job. Anyone who does is a scammer.
  • Never bank on a “cleared” check. No legitimate potential employer will ever send you a check and then tell you to send on part of the money, or buy gift cards with it. That’s a fake check scam. The check will bounce, and the bank will want you to repay the amount of the fake check.

Tips for Finding a Job

When you’re searching for a job, use safe and reliable sources. Here are a few places to start:

  • USAJobs.gov — This is the federal government’s official site with job openings nationwide.
  • CareerOneStop — Sponsored by the U.S. Department of Labor, CareerOneStop lists hundreds of thousands of jobs. It also links to employment and training programs in each state.
  • USA.gov — Find local government websites, which list any open positions they may have on their websites.

Also, when you’re applying for a job, an employer may do a background check.

What to Do if You Paid a Scammer

Call the Yale Police at 203-432-4400 or contact us using the Live Safe app. No matter how you paid — debit or credit card, bank or wire transfer, gift card, or cash reload card — immediately contact the company you used to send the money, report the fraud, and ask to have the transaction reversed, if possible.

Source: FTC and FBI

As mobile payments have continued to grow in popularity, along with the number of individuals who prefer them to other forms of payment, the risk of scams increases as well. Mobile payment service providers such as Cash App, PayPal, and others take proactive steps to ensure their customers are aware of possible scams and fraudsters. It is important that you are aware of all of the ways you can keep your personal information and money safe while using these means of payment.

  • All Mobile Service Providers:
    • Only send payments to people you trust
    • Verify and double-check all recipient information before sending a payment, to confirm you are sending it to the correct person
    • Do not send money to someone promising something in the future (e.g. free money in return, promise of increasing your money, prize or sweepstakes you need to pay fees for)
  • Cash App:
    • No Cash App service representative will ever ask you for your sign-in code over the phone, social media, or through any other channel
    • No Cash App service provider will ever ask you to send money to another Cash App account
    • No Cash App service provider will ask you to provide sensitive information (e.g. full debit card number, your bank account number, Social Security number, etc.)
  • PayPal:
    • If you see a transaction you did not authorize, report it to PayPal
    • Ensure the URL is authentic before submitting your login information

If you think you are a victim of fraud, please contact the Yale University Police Department. Use the LiveSafe app to effectively communicate with our police department.

Quick Response Codes, also known as QR codes, have progressively been adapted for numerous purposes. QR codes often look like randomly placed small black squares that are arranged in a borderless square. Unlike Universal Product Codes (UPC) that are found on the majority of products in U.S. stores, QR codes are not limited to manufactured items. QR codes are being used at various locations to provide touch-free interactions in places that are trying to avoid the transmission of COVID-19. These codes have proven to be very effective and economical. Unfortunately, some have used these useful tools with bad intentions. The following are a few ways QR codes have been used maliciously:

  • Add nefarious contacts to the contact list
  • Connect the device to a malicious network
  • Send text messages to one or all contacts in a user’s address book
  • Complete a telephone call to a telephone number that imposes charges on the calling phone
  • Send a payment to a destination where it cannot be recovered
  • Reveal the user’s location by tracking and sending it to an app or website
  • Follow social-media accounts without the user’s knowledge
  • Add a preferred wi-fi network

Although it may be frightening to think of the possible exploits, they are not inevitable. Here are some preventative measures you can take:

  • Take a good look first – make sure the QR code is legitimate and it is not a code that was posted over the original
  • Only scan codes from trusted entities – Do not scan a randomly found QR code
  • Be suspicious if, after scanning a QR code, a password or login information is required
  • Watch out for bit.ly links – check the link that appears after scanning the QR code
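A QR code is only encoded text, so the decoded text can be inspected before the phone acts on it. The following is an added example, not part of the original page; the payload prefixes are common conventions for contact, Wi-Fi, call, text and payment codes, while the shortener hosts other than bit.ly, the login keywords and all sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# bit.ly is the shortener the page names; the others are added as assumptions.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Assumed keywords suggesting the destination will ask for credentials.
LOGIN_HINTS = ("login", "signin", "password", "verify")

# Payload prefixes (case-insensitive) and the action a phone would offer.
PREFIX_ACTIONS = [
    ("wifi:", "join-wifi-network"),
    ("begin:vcard", "add-contact"),
    ("mecard:", "add-contact"),
    ("smsto:", "send-text-message"),
    ("sms:", "send-text-message"),
    ("tel:", "place-phone-call"),
    ("bitcoin:", "send-payment"),
]


def inspect_qr_payload(text):
    """Return (action, warnings) for the text decoded from a QR code."""
    payload = text.strip()
    lowered = payload.lower()

    # Codes that do something other than open a web page.
    for prefix, action in PREFIX_ACTIONS:
        if lowered.startswith(prefix):
            warnings = [f"code triggers '{action}' instead of opening a page"]
            if action == "join-wifi-network":
                # Simplified field split; escaped ';' in names is not handled.
                body = payload[len(prefix):]
                fields = dict(p.split(":", 1) for p in body.split(";") if ":" in p)
                warnings.append(f"network name: {fields.get('S', '?')}")
            return action, warnings

    # Web links: report what can be seen before the link is opened.
    parts = urlsplit(payload)
    if parts.scheme in ("http", "https") and parts.hostname:
        warnings = []
        if parts.scheme == "http":
            warnings.append("not https")
        if parts.hostname.lower() in SHORTENERS:
            warnings.append("shortened link hides destination")
        target = (parts.path + "?" + parts.query).lower()
        if any(hint in target for hint in LOGIN_HINTS):
            warnings.append("asks for login")
        return "open-url", warnings

    return "unknown", ["unrecognized payload; do not act on it"]


# Constructed sample payloads, not taken from real codes.
SAMPLES = [
    "WIFI:T:WPA;S:Free-Campus-WiFi;P:constructed;;",
    "https://bit.ly/3xAmple",
    "http://menu.example.com/login?next=pay",
    "tel:+15550100",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_payload(sample))
```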

If you think you are a victim of fraud, please contact the Yale University Police Department at (203) 432-4400 or use the LiveSafe app to effectively communicate with our police department.

  • You receive a call or email saying that you owe money (taxes/student loans), committed fraud, or your VISA status has expired.
  • The caller uses threats, intimidation, and legal jargon to get what they want (e.g., threats of deportation and arrest).
  • Beware! Calls and emails are often spoofed. You may receive multiple calls or calls from similar agencies (e.g., IRS and FBI), making it appear to be legitimate. Sometimes the scammers search the internet and find names of real/legitimate law enforcement officers and use those as a way to imply legitimacy.
  • Verify the telephone number online and by calling the number directly.
  • Legitimate officers won’t call or email and threaten or demand payment, especially via gift cards and wire transfers.
  • Pay attention to the words used: are they appropriate, consistent, and grammatically correct?
  • Pay attention to links within text messages and email. There are several red flags to watch out for to recognize a phishing attack. Is the message irregular? Although this trick is commonly employed over email, savvy thieves are now trying to install ransomware or steal your financial or personal information by impersonating a bank, credit card company or service provider by phone calls or even text messages. Phishing is when a fraudster tricks a consumer into providing their personal information through a fake app or website.
  • A recent trend is called Thread Hijacking. This technique uses malicious messages sent within existing email conversations. The names are spoofed to appear to be legitimate contacts within the email thread.
  • Report all fraud and attempts to defraud to Yale Police at 203-432-4400 or through the Live Safe app.

Source: NJCCIC, USAA, FBI

Phone spoofing occurs when a scam caller contacts an individual with the intention of retrieving personal information or payment(s). This type of scam may take one or both of the following two forms: (1) call spoofing, in which the caller sends false information to change what is displayed as the caller ID, or (2) neighbor spoofing, in which a telephone number similar to the recipient’s number is used to increase the likelihood of the person answering the call. A scammer using phone spoofing may identify themselves as a representative of a law enforcement agency, energy company, state agency, etc. to request payment. It is important to note that a government agency will not ask for payment in the form of gift cards and rarely offers the phone as the only form of communication for payment of any type of debt.

How to Avoid Spoofing Scams:

  • Do not answer calls from unknown numbers. Allow each one to go to Voice Mail. Call the company back using the phone number provided on a bill, statement, or an official website.
  • If a caller asks you to hit a button to stop receiving calls, you should end the call. By hitting the button indicated, you may be notifying the caller that your number is valid and they in turn can sell that information to other telemarketers and/or scammers.
  • Use extreme caution if you are being pressured for immediate payment.
  • Do not respond to questions, especially those that can be answered with “yes” or “no” – scammers have been known to record these answers to use later to make unauthorized charges while impersonating you. For example, many use “Can you hear me?” to get you to respond by saying “yes.”

If you think you have been the victim of a spoofing scam, you can contact the Yale University Police Department at (203) 432-4400 or use the LiveSafe app to effectively communicate with our police department.


Source: Virginia Fusion Center (2021) “The Use of spoofed Phone Numbers in Scams”

Have you received a call from the IRS saying something like this? “I am ****, and I am calling regarding an enforcement action executed by the US Treasury, requiring your serious attention. Ignoring this will be an intentional second attempt to avoid initial appearance before a magistrate judge or a grand jury for a federal criminal offense. My number is (***) ***-****. I advise you to cooperate with us and help us, help you. Thank you.”

Student’s Guide To Fraud Scams (Source: IACLEA and IAFCI)

Remember

  • Check with the Yale Bursar’s office to confirm any fees owed on your student account.
  • The Internal Revenue Service DOES NOT communicate via e-mail or text. Contact would be through regular United States Postal Service mail.
  • The IRS does not want your iTunes or Google Pay gift cards. They will not send you on a scavenger hunt at Walmart, 7-Eleven, or the Apple Store.
  • The IRS will never threaten to send local police, immigration officers, or other law enforcement entities (FBI, CIA, Dog the Bounty Hunter, or Bond, James Bond) after you for a non-payment.

Behavior Blackmail Scams

College students are extorted for money in return for maintaining their reputation on campus, with family, and with friends. Students are caught in a photo or video doing something inappropriate. The blackmailer threatens to publish this unless payment is made.

  • With the prevalence of a phone in every hand and a multitude of social media apps, students should be aware their every action can make its way onto the internet.
  • Keep website and app privacy settings set to the strictest levels possible.
  • Do not share compromising photos with anyone, even dating partners. Not all relationships last forever or end on friendly terms. Do not save intimate photos on your device.
  • Be mindful of others who may be intoxicated or acting inappropriately, and don’t post their photos online. Remember the internet is forever and your actions today may directly impact someone’s future.

During tax season we often see an increase in tax related fraud. Don’t fall victim to any of the scams listed below. If you encounter anything suspicious, report it to the Yale Police Department by calling 203-432-4400 or by using the Live Safe app.

Phishing
Con artists use unsolicited email and fake websites to lure potential victims into divulging personal information that will then be used to commit identity theft and fraud. Be wary of unexpected emails from the IRS promising refunds or threatening to collect, say IRS officials. They’re fake — the IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.

Verification requests
Don’t be fooled by scammers asking you to “verify” your W-2 or personal information. Some may ask you to upload a picture of your forms. The only time that the IRS would request ID verification would be if they were concerned about a suspicious tax return with a real taxpayer’s name or Social Security number. If that’s the case, the IRS would generally send a letter in the mail first and ask you to verify your identity using an online Identity Verification Service.

Phone scams
Scammers impersonating IRS agents may make aggressive or threatening calls demanding money or offering a refund. Sometimes they even spoof their caller ID information to appear as if they’re calling from an IRS office. The first IRS contact with taxpayers is usually via mail. The IRS does not accept payment in the form of gift cards ever.

Inflated refund claims
Beware of tax preparers who ask you to sign a blank check, promise big refunds before looking at your records or charge fees based on a percentage of your refund. They use fliers, phony storefronts and sometimes infiltrate community groups and churches. These scammers may file a false return in your name and take your refund.

Fake charities
After disasters, it’s common for scammers to impersonate charities; some even contact victims, claiming to be with the IRS. These groups often have names similar to legitimate organizations. Don’t give out personal financial information or Social Security numbers. And don’t give or send cash.

Identity theft
One of the most common identity theft scams involves filing tax returns using stolen Social Security numbers. Protect your personal data, check your credit report annually and review your Social Security Administration earnings statement each year to make sure you haven’t been targeted.

Other sources of information

Source: USAA

  1. Get your free credit report at annualcreditreport.com.
    Each year you may receive one free credit report from each of the 3 credit agencies (TransUnion, Equifax, or Experian).
  2. Register to access your Social Security benefits statement on the Social Security website.
    You can review your benefits and earnings record, and ensure no one is fraudulently using your SSAN.
  3. Know who you are paying via person-to-person payments (Zelle, Venmo, etc.).
  4. Do not pay for merchandise using a debit card. Debit cards are linked to a bank account and create hurdles when compromised by fraud. Use a credit card instead.
  5. Keep thorough records. Could you provide a full description of your laptop to the police if it is stolen? Document the make, model, color, and unique serial number of your property.
  6. Check ATM machines for skimming devices prior to inserting your card.
    Cover the PIN pad with your hat, hand or other clothing during use.
  7. Don’t assume phone calls or emails (even from people you know) are authentic. Caller ID can be spoofed using real government phone numbers. Hang up and call back to verify authenticity. Email addresses can also be spoofed.
  8. Check actual e-mail addresses and not just e-mail subjects/headings. Report phishing when an e-mail is suspect. Your professor or Department Chair should not be asking you to buy gift cards or to wire transfer money.
  9. Verify the driver, license plate, and vehicle make/model with your transportation network (Uber, Lyft) app prior to entry.
  10. Do not deposit a check into your account if requested by an unknown individual. You are responsible for all items deposited into your account.