Personalized scams and how to protect yourself

Criminals continue to develop creative ways to fool us. A new type of scam has been gaining popularity recently—personalized scams. Thieves find or purchase identifying information, then use it to craft a customized attack.  

How do personalized scams work?
Traditional scam emails or phone calls are typically generic. Think of the infamous Nigerian Prince or “You Won the Lottery” examples. Personalized scams are different. The criminals start by doing research and crafting a tailored message for each intended victim. They find or purchase names, passwords, phone numbers, or other details. This information is found on hacked websites, social media sites or in public government records. 

A common attack is to track down your email address, name, and an old password that you used on a hacked website. The criminal claims to have evidence about embarrassing or criminal activity and references your password(s) as proof that they’ve hacked your accounts. If you don’t pay them, they threaten to share the information with your family and/or law enforcement. 

Despite this threat, your computer is very rarely at risk. The scammer is simply using a few details in order to scare you into believing they have a record of all your online activity. 

What should I do if I’m targeted?
Recognize that emails and calls like these are scams. Feeling scared when someone has personal information about you is natural, but remember the sender is almost always lying.  

Here are some clues to look for: 

  • Be suspicious of highly urgent emails and phone calls. Scammers use fear and urgency to play on our emotions, a tactic designed to rush us into making mistakes.
  • Requests for payment in Bitcoin, gift cards, or other untraceable methods are nearly always fraudulent. 

Ultimately, though, common sense is your best defense against these intrusive attacks.

ITS will continue phishing education in May using emails that mimic real attacks. If you receive an email that you suspect is phishing, don’t click any links, download any attachments, or reply.  

For more information on reporting phishing emails, see the IT Service Portal guide, Reporting a Phishing Message (How-to). 

Peter Lundstedt, ITS