Information Technology Services will add a new safeguard Dec. 9 to protect the campus community from phishers who set up fake email accounts to impersonate a real person on campus.

To combat this vulnerability, a new email rule will flag off-campus accounts with the banner, “The following recipient is outside your organization” whenever the recipient responds to a message from a non-University account.

Criminals’ use of fake accounts, referred to as Business Email Compromise or BEC, has grown at an alarming rate – and the main targets on college campuses are administrative professionals who support academic and administrative leaders, said Chief Information Security Officer Dennis Schmidt.

Part of the problem is that victims are not aware they are communicating with an outside account because, by default, they only see the name of the person in the “From” column and not the entire email address.

“We hope this banner will help increase vigilance and caution of outside communication,” Schmidt said.

Traditional phishing scams target large numbers of users to trick them into clicking on links and providing credentials. BEC is a more sophisticated scam because it uses public information, such as organizational charts, to pinpoint specific individuals, Schmidt said.

The criminals who set up these fake accounts often write emails that are short and to the point in an effort to appear more conversational in tone, and thereby trick the reader into believing they came from a supervisor.

“In many cases, the administrative support professional receives an email that appears to be ‘from’ their superior with time-sensitive needs, such as a request to purchase hundreds of dollars in gift cards,” Schmidt said. “They are asked to use their own money to purchase cards with promises for repayment.”

Administrators can also help by establishing expectations for how to respond to email requests.

For instance, ITS recommends that supervisors tell their staff that they will never pressure them to spend their own money for work purposes with promises for future reimbursement.

Supervisors should also set the expectation that staff members confirm – either in person, by phone call or by text – any purchase request sent in an email. They should never use a personal email account to conduct work-related business.