SMS, email scams target UTRGV community

UTRGV President Guy Bailey has been requesting Apple gift certificates from faculty and staff, or so an SMS phishing scam claims.
The UTRGV Information Security Office sent an email Sept. 27 informing the campus community about an SMS phishing scam that asked individuals to purchase Apple gift certificates and share the codes on the back with the sender, “Bailey.”
Kevin Crouse, chief information security officer of the Information Security Office, said this is the first time his department has received reports of an SMS phishing scam impersonating the university president.
He said the scam has been occurring via short messaging service (SMS), a practice called smishing.
“[Smishing is] a very popular attack vector nowadays because people are less suspicious on their phone,” Crouse said. “There’s less, what we would call, visual real estate. So, it’s a lot easier to obscure stuff. … People will see their phone and just click to respond to something real fast. So, it’s very common.”
As of press time Friday, the Information Security Office had received only two reports of the scam.
Business executive scams, such as these, have been around for a long time, according to the chief information security officer.
“They … tend to have targeted, in the past, newer employees because, you know, they don’t necessarily know if [messaging] would be Dr. Bailey’s … mode of operations,” Crouse said.
Within growing institutions, such as UTRGV, these scams are only going to become more common as the institution gains a higher profile, he said.
Asked what steps have been implemented to avoid these scams in the future, Crouse replied that having people report smishing scams is the “biggest line of defense.”
“When it’s a phishing message that comes through email, we move to … block it, to purge it, that sort of thing so that it can’t continue to come through,” he said. “… But when it comes to SMS phishing, there’s not a lot we can do because it comes through people’s cell phones. So, the biggest course of action for us is always to … then notify people and say, ‘Hey, this is happening.’”
The chief of the Information Security Office added there are steps individuals must take if they accidentally interact with a phishing scam.
“If they accidentally interact and click on the link, the very first thing they should do is change their passwords,” Crouse said. “Always change your passwords if you think you clicked on a link you shouldn’t have. … Pay attention to what you click on.”
He also said his department already conducts simulated phishing tests with faculty and staff but would like to try them with students starting, hopefully, in the spring.
“We’ve been doing it for faculty and staff for about a year now, and we’ve seen a huge decrease in the number of people who fall for phishing scams, which is why now we would like to try it with students,” Crouse said. “What happens is … they click on that link, it says, ‘Hey, this was a scam and here’s why it was a scam, and here is how you can avoid it.’ So, it provides some of that education piece right there at the moment of [it] happening.”
In an interview with The Rider last Tuesday, computer science sophomore Javier Arias said cybersecurity is important to him.
“I am in the computer science field, so I can understand why it is important and because right now, these days, we have a lot of information there,” Arias said. “We have our address, our full name, credit cards, everything. So, if something gets stolen, you are going to lose everything, your money in your bank account, everything.”
The computer science sophomore said he has received emails claiming he won a grant but ignores them because they look suspicious, especially if he did not apply for anything.
Tomas Aguado, assistant director of UTRGV Business Information Systems, said it is important to stay informed about potential scams.
“Spread voice, you know, to family members, brothers, sisters, parents,” Aguado said. “… It is important for [them] to know. It is the only way to stop this problem, this phishing problem, by everybody being educated and aware.”
For more information on phishing scams and how to avoid them, email is@utrgv.edu or visit utrgv.edu/is.