Cyber Security Alerts

May 2023

Dear Mercy Students, Faculty, and Staff:

             Please see below for a Public Service Announcement from Mercy College:

With the end of the spring term and the beginning of summer vacation there has been a noticeable increase in the number of fraudulent job opportunities being offered. Students, in particular, are urged to use caution when responding to job offers via email that they have not applied for, ask them to reply with personal information, or are poorly written containing spelling errors and incorrect grammar.

If you receive communication about a job and feel that something does not seem right, we recommend you stop all contact with that employer and contact safety@mercy.edu to report the incident. You can also report the scam to the Federal Trade Commission. If you have sent or received money, you should contact your banking institution immediately.

How To Avoid a Job Scam

Before you accept a job offer, take these steps to avoid common job scams:

•    Search online. Look up the name of the company or the person who’s hiring you, plus the words “scam,” “review,” or “complaint.” See if others say they’ve been scammed by that company or person. No complaints? It doesn’t guarantee that a company is honest, but complaints can tip you off to possible problems.
•    Talk to someone you trust. Describe the offer to them. What do they think? This also helps give you vital time to think about the offer.
•    Don't pay for the promise of a job. Honest employers, including the federal government, will never ask you to pay to get a job. Anyone who does is a scammer.
•    Never bank on a “cleared” check. No honest potential employer will ever send you a check to deposit and then tell you to send on part of the money, or buy gift cards with it. That’s a fake check scam. The check will bounce, and the bank will want you to repay the amount of the fake check.

What To Do if You Paid a Scammer
No matter how you paid — debit or credit card, mobile payment app or wire transfer, gift card, cash reload card, or cryptocurrency — immediately contact the company you used to send the money, report the fraud, and ask to have the transaction reversed, if possible. For specific advice on how to reverse different types of payments, read What To Do If You Were Scammed.

Report Job Scams to the FTC
If you see a job scam, or lose money to one, report it to the FTC at ReportFraud.ftc.gov. You can also report it to your state attorney general.
•    To report a scam, file a complaint online with the Federal Trade Commission. Check out their video on how to report scams and more ways to avoid fraud.

As a reminder: See Something, Say Something! Often your sharp eyes, ears and minds are our best defense. If you see something suspicious, please immediately report it to Campus Safety by emailing safety@mercy.edu or the OIT Helpdesk by emailing helpdesk@mercy.edu or by calling 914-674-7526.

              And remember: If it seems too good to be true, it probably is.  

RE: Fraudulent Unemployment Claims

The Office of Human Resources has become aware of a surge in fraudulent unemployment claims.

• Please see notification from IRS click here.
• New York State Police also warned of an uptick in fraudulent claims, click here and click here.
• Bad actors Criminals are using stolen identities, likely stolen from previous breaches and systems.

We recommend University community members remain vigilant and use due diligence when browsing third-party sites, banks, financial institutions, and others.

• Change password(s) for any personal and financial account(s) and monitor them closely for any suspicious activity. Password guidelines click here
• Follow Information Security Tips on our website click here
• Cyber Security Tips to Protect Privacy click here
• Cyber Security Tips to Protect from Phishing click here

In addition, community members may want to do the following:

• Place a free fraud alert on accounts with the three credit bureaus (Experian, TransUnion, and Equifax) click here
• Getting a free credit report click here
• Report any suspected identity theft to the FTC click here
• File a report with their local police department, if you think you have been a target of Identify Theft

If you receive a notice of a fraudulent unemployment claim from the NYS DOL (Department of Labor), please visit the DOL website to report the fraudulent activity activity click here and FTC website click here. Please reach out to Human Resources hr@mercy.edu for any assistance.

June 2023

Dear College Community,

Security Vulnerability
The Office of Information Technology (OIT) has become aware of critical security vulnerabilities impacting multiple Apple Products. More information can be found here. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

What do I need to do? 

Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 

• Update the software on your Mac - Click here
• Update your iPhone, iPad, or iPod touch - Click here
• Update your Apple Watch - Click here
• Update your Apple TV - Click here
• Update your Windows iTunes – Click here

April 2023

Security Vulnerability
The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. More information can be found here. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. 

What do I need to do? 
Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 

• Update the software on your Mac - Click here
• Update your iPhone, iPad, or iPod touch - Click here
• Update your Apple Watch - Click here
• Update your Apple TV - Click here
• Update your Windows iTunes – Click here

January 2023

Security Vulnerability
The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. More information can be found here. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. 

What do I need to do? 
Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 

• Update the software on your Mac - Click here
• Update your iPhone, iPad, or iPod touch - Click here
• Update your Apple Watch - Click here
• Update your Apple TV - Click here
• Update your Windows iTunes – Click here

Security Vulnerability
The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. More information can be found here. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. 
What do I need to do? 
Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 

• Update the software on your Mac - Click here
• Update your iPhone, iPad, or iPod touch - Click here
• Update your Apple Watch - Click here
• Update your Apple TV - Click here
• Update your Windows iTunes – Click here

April 2022

Dear College Community,

Security Vulnerability

The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.

What do I need to do? 

Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 

• Update the software on your Mac - Click here
• Update your iPhone, iPad, or iPod touch - Click here
• Update your Apple Watch - Click here
• Update your Apple TV - Click here
• Update your Windows iTunes – Click here
•  

September 2021

Security Vulnerability
The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. 

What do I need to do? 
Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 

• Update the software on your Mac - Click here
• Update your iPhone, iPad, or iPod touch - Click here
• Update your Apple Watch - Click here
• Update your Apple TV - Click here
• Update your Windows iTunes – Click here

September 2021

The Office of Information Technology Services has become aware of multiple vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here.

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for remote code execution. 

• Safari is a graphical web browser developed by Apple, based on the WebKit engine.
• watchOS is the mobile operating system for Apple Watch and is based on the iOS operating system.
• iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
• iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
• macOS Big Sur is the 17th and current major release of macOS.
• macOS Catalina is the 16th major release of macOS.
• macOS Mojave is the 15th major release of macOS.

What do I need to do? 

Apple has released security updates to address these vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. OIT recommends that College Community users apply these updates to their Apple Product(s) including their personal computers, phones, tablets and other computing devices as soon as possible.  

To update Apple devices, please follow the steps listed below: 

• https://support.apple.com/en-us/HT201222
• https://support.apple.com/en-us/HT212804
• https://support.apple.com/en-us/HT212805
• https://support.apple.com/en-us/HT212806
• https://support.apple.com/en-us/HT212807
• https://support.apple.com/en-us/HT212808

Alert – Major Vulnerability in Apple Products (Zero Day)

Security Vulnerability
The Office of Information Technology Services has become aware of multiple zero-day vulnerabilities impacting multiple Apple Products - known as CVE-2021-1782, CVE-2021-1870 & CVE-2021-1871. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here.

For more details on these vulnerabilities, please visit the Apple Security pages for the following products:

• Xcode 12.4
• iCloud for windows 12.0
• iOS 14.4 and iPadOS 14.4
• tvOS 14.4
• watchOS 7.3

What is a “Zero-Day” Vulnerability? 
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

What do I need to do? 
Apple has released security updates to address these vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. OIT recommends that College Community users apply these updates to their Apple Product(s) including their personal computers, phones, tablets and other computing devices as soon as possible.  

To update Apple devices, please follow the steps listed below: 

• Update the software on your Mac - Click here
• Update your iPhone, iPad, or iPod touch - Click here
• Update your Apple Watch - Click here
• Update your Apple TV - Click here
• Update your Windows iTunes – Click here

June 2022

The Office of Information Technology (OIT) has become aware of a zero-day vulnerability nicknamed “Follina” impacting multiple Microsoft Office Suite of Products. Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here and here.

Why is this a serious Vulnerability?

An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. This is a serious vulnerability as it is already actively being exploited in the wild and doesn’t require users to enable macros.

What is Microsoft doing about it?

Microsoft has offered mitigation steps that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications. Please see Microsoft's Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

What do I need to do? 

OIT has taken steps and is automatically applying a critical update to all College computers, including desktops and laptops.

OIT urges college community users to practice the following on a regular basis:

1. Never open document from that you don’t expect , even if it comes from known senders.
2. Unless there is clear need, don’t turn off protected mode from documents that originate from internet or email.
3. Refrain from opening .rtf files that originate from internet, even in preview mode.

April 2022

The Office of Information Technology (OIT) has become aware of zero-day vulnerabilities impacting multiple Microsoft (Windows Operating System) Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here and here.

What do I need to do? 

OIT is automatically applying these critical updates to all College computers, including desktops and laptops. OIT recommends that College Community users take a few minutes to restart their college computers to ensure that the needed updates have been applied successfully. 

To check manually for updates, please Select Start -> Settings -> Update & Security -> Windows Update -> Check for updates (or install now)

OIT also recommends that College Community users apply these updates to their personal Microsoft Product(s) including their Windows Computers, Windows Phones, Surface Tablets, and other Windows computing devices as soon as possible.  

To update Microsoft devices, please follow the steps listed below: 

• Update your Windows 11 Computer - Click here
• Update your Windows 10 Computer - Click here
• Update your Windows 8 Computer - Click here
• Update your Windows Phone - Click here

July 2021

The Office of Information Technology (OIT) has become aware of zero-day vulnerabilities impacting multiple Microsoft (Windows Operating System) Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here and here.

What do I need to do? 

OIT is automatically applying these critical updates to all College computers, including desktops and laptops. OIT recommends that College Community users take a few minutes to restart their college computers to ensure that the needed updates have been applied successfully. 

To check manually for updates, please Select Start -> Settings -> Update & Security -> Windows Update -> Check for updates (or install now)

OIT also recommends that College Community users apply these updates to their personal Microsoft Product(s) including their Windows Computers, Windows Phones, Surface Tablets, and other Windows computing devices as soon as possible.  

To update Microsoft devices, please follow the steps listed below: 

• Update your Windows 10 Computer - Click here
• Update your Windows 8 Computer - Click here
• Update your Windows Phone - Click here

April 2023

Mercy University community members use a variety of online services including Outlook Email, Teams, OneDrive, Mercy Connect, Blackboard and more. For data privacy and security, and to access these online services users are required to use Multi-Factor Authentication (MFA or 2FA). 

Microsoft is making a mandatory change to MFA for organizations around the globe, using number matching. Microsoft will enforce number matching for all users starting May 8, 2023. To read more about number matching please click here. A multi-factor authentication (MFA) fatigue attack – also known as MFA Bombing or MFA Spamming – is a new social engineering cyberattack strategy where attackers repeatedly push second-factor authentication requests to the target victim's email, phone, or registered devices. 

Maintaining the highest level of security of the personal, private, and confidential information of Mercy University community members is of the utmost importance to the University. To that effect Microsoft is making a global change and enforcing “Number Matching” via the Microsoft Authenticator App. Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator.
 
What do I need to do? 
Starting May 8, 2023 – when a user responds to an MFA push notification using the Microsoft Authenticator app, they'll be presented with a number. They will need to type that number into the Authenticator app to complete the approval.

April 2023

Phishing emails below appear to have been sent to members of the College Community

Please note: Mercy College will never ask you to send your 2FA/MFA Code (Multi-Factor Authentication) via email, text, phone call etc. Please never provide your password or MFA code to anyone (or approve access in the Microsoft Authenticator App for unknown requests).

You can forward the email to helpdesk@mercy.edu and then immediately delete the email.  Please never respond to or click links in such emails from unknown sources. If you have already clicked on the link or attachment, please contact the HELPDESK immediately.

OIT advises the College community to remain vigilant for Phishing & Money Scams. Cyber actors may send emails with malicious attachments or links to trick victims into revealing sensitive information. Please exercise caution in handling any email, attachments, or hyperlink, and be wary of social media pleas, texts, or calls.

December 2022

As the holiday season approaches, the Office of Information Technology (OIT) encourages the College Community to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online. Cyber actors may send emails and ecards containing malicious links or attachments infected with malware or may send spoofed emails requesting support for fraudulent charities or causes.

‘Tis the season for holiday gifts and shopping! To avoid waiting in lines and traffic, many people opt out of going to malls and choose to shop online. Cyber threat actors are aware of that fact, and it is their time to be active and develop new methods of tricking people. 

Please be vigilant and avoid falling into their traps, act and protect your personal and financial information. It will reduce the likelihood of your information falling into the wrong hands and ensure that you have a more hassle-free shopping experience this holiday season.
               
Tips for Safe Surfing 
OIT encourages online holiday shoppers to review the following resources:

• Shop Smart and Stay Safe This Holiday Season – Click here
• Holiday Online Shopping Page – Click here
• Using Caution with Email Attachments – Click here 
• Avoiding Social Engineering and Phishing Attacks – Click here
• The Federal Bureau of Investigation’s (FBI’s) Alert – Click here 

 Please be vigilant and err on the side of caution and do not open any suspicious attachments and links. Please be careful when using your credentials and financial information on an unfamiliar or unexpected website(s).

September 2022

Dear College Community,

The email below (and a few variations) appears to have been sent to members of the College Community. PLEASE DO NOT OPEN OR REPLY TO SUCH EMAILS.  

You can forward the email to helpdesk@mercy.edu and then immediately delete the email. Never respond to or click links in such emails from unknown sources. If you have already clicked on the link or attachment, please contact the HELPDESK immediately. 

Please note: All incoming emails to Mercy College email accounts from external parties will have a pre-fix in the subject of the message and a disclaimer in the body of the message. This text will only appear if the email is coming from an external email system.  
 
If you see this disclaimer text in the subject and body of an email you receive, please exercise caution when clicking on any links or opening attachments. You should never provide sensitive or confidential information such as usernames and password when responding to such emails. 

Defending Against Cyber Scams

With the Fall Semester starting, Office of Information Technology (OIT) is seeing an advanced persistent threat and an increase in phishing and social engineering scams. Cybercriminals are using advanced tactics and Phishing & Money Scams for commercial gain, deploying a variety of ransomware and other malware.

OIT advises the College community to remain vigilant for Phishing & Money Scams. Cyber actors may send emails with malicious attachments or links to trick victims into revealing sensitive information. Please exercise caution in handling any email, attachments, or hyperlink, and be wary of social media pleas, texts, or calls.

For more information (and Cyber Security Tips & Tricks), please visit our Information Security Resource Center at https://www.mercy.edu/information-technology/information-security

As a reminder: See Something, Say Something! Often your sharp eyes, ears and minds are our best defense. If you see something suspicious, please immediately report it to the OIT Helpdesk by emailing helpdesk@mercy.edu or calling 914-674-7526.

March 2022

As everyone is aware, crime in our area, particularly within our mass transit systems, has become a growing concern to many.  The Department of Campus Safety offers the following tips to help keep you safe:
 

• Be aware of your surroundings at all times, especially if using an electronic device.  Use well populated and well-lit streets.  When walking in desolate areas or at off hours, do so in groups.   If you suspect that you are being followed, stay away from deserted blocks and move towards areas where there are people or enter the nearest open store.
• If going out with a friend(s), stick together and do not leave anyone by themselves, particularly in bars and clubs.
  • Remember that cellphones and electronic devices are prime targets for thieves.
  • Refrain from wearing headphones on the subway or bus.
  • Never carry your wallet in your rear pants pocket or in the outer compartment of your backpack.
  • Cover jewelry, turn stone rings toward the palm side of your hand.
  • Sit away from the subway car door to avoid a purse or chain snatch. 
  • Use only subway entrances marked by a green indicator light, where there is a clerk present 24 hours a day.
  • Have your money or metro card available ahead of time.
  • Use marked and designated waiting areas in subway stations during off peak hours.
  • Ride in the conductor's car during off peak hours.
  • Stand back from the edge of the platform and wait close to the wall if available.
  • sit near the front of the bus.

Thank you for your attention.

Office of Campus Safety

March 2022

The Office of Information Technology (OIT) is closely monitoring the situation unfolding in Ukraine. U.S. government and security professionals are urging Americans to take steps to protect themselves from a higher risk of Russian cyberattacks following the invasion of Ukraine.

The U.S. Cybersecurity & Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security has issued a warning to businesses that says they should be prepared to defend against cyberattacks originating from Russia. “Every organization—large and small—must be prepared to respond to disruptive cyber activity,” the agency says in its warning.

To keep Mercy faculty, staff, students, and data secure and protected, OIT advises the College Community to stay on alert and offers the following Cyber Hygiene recommendations:

• Turn on multifactor authentication (MFA): Use multifactor authentication on all your accounts, including email, social media, shopping, and financial services, for extra protection. To turn on MFA on personal accounts, please see the following links:
  • Google 
  • Apple
  • Microsoft
  • Amazon
  • Yahoo Email
  • Facebook, Instagram, WhatsApp
• Update everything, including software: Update antivirus and malware software, operating systems and applications, especially web browsers, on all devices including mobile phones, tablets, desktop computers and laptops. Turn on automatic updates.
• Think before you click: Before clicking on links or attachments or downloading files, take a beat. Most cyberattacks start with a phishing email, which looks legitimate but isn’t and can be used to steal your passwords, Social Security number, credit card numbers and other sensitive information or to run malicious software known as malware. 
• Use strong, unique passwords: Protect all your account credentials including username and password. Use strong passwords and don't reuse them. It is best to subscribe to a password manager to generate and store unique passwords. 
• Don’t believe everything online: “All sides in any conflict will also be working to use information streams to their advantage. People should be very cautious about the information they share,” said Jessica Beyer, principal research scientist and lecturer at the University of Washington.

For more information (and Cyber Security Tips & Tricks), please visit Mercy’s Information Security Resource Center at mercy.edu/information-technology/information-security

As a reminder: See Something, Say Something! Often your sharp eyes, ears and minds are our best defense. If you see something suspicious, please immediately report it to the OIT Helpdesk by emailing helpdesk@mercy.edu or calling 914-674-7526.

January 2022

Dear Mercy Students, Faculty, and Staff:

             Please see below for a Public Service Announcement from Mercy College and the FBI:

Cybercriminals Tampering with QR Codes to Steal Victim Funds

The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.

A QR code is a square barcode that a smartphone camera can scan and read to provide quick access to a website, to prompt the download of an application, and to direct payment to an intended recipient. Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use.

Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.

Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

Businesses and individuals also use QR codes to facilitate payment. A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender's payment for cybercriminal use.

While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. Law enforcement cannot guarantee the recovery of lost funds after transfer.

TIPS TO PROTECT YOURSELF:

• Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
• Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
• If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
• Do not download an app from a QR code. Use your phone's app store for a safer download.
• If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
• Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
• If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
• Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.

If you believe you have been a victim of stolen funds from a tampered QR code, report the fraud to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.

November 2021

Dear Mercy Students, Faculty, and Staff:

             Please see below for a Public Service Announcement from Mercy College and the FBI:

Holiday Scams: 

When shopping online during the holiday season—or any time of year—always be wary of deals that seem too good to be true. Do your part to avoid becoming a scammer’s next victim.

Every year, thousands of people become victims of holiday scams. Scammers can rob you of hard-earned money, personal information, and, at the very least, a festive mood.

The two most prevalent of these holiday scams are non-delivery and non-payment crimes. In a non-delivery scam, a buyer pays for goods or services they find online, but those items are never received. Conversely, a non-payment scam involves goods or services being shipped, but the seller is never paid.

According to the Internet Crime Complaint Center’s (IC3) 2020 report, non-payment or non-delivery scams cost people more than $265 million. Credit card fraud accounted for another $129 million in losses.

Similar scams to beware of this time of year are auction fraud, where a product is misrepresented on an auction site, and gift card fraud, when a seller asks you to pay with a pre-paid card.

If You’ve Been Scammed 

• Call your credit card company or you bank. Dispute any suspicious charges.
• Contact local law enforcement.
• Report the scam to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.

Tips to Avoid Holiday Scams 

Whether you’re the buyer or the seller, there are a number of ways you can protect yourself—and your wallet.

Practice good cybersecurity hygiene. 

• Don’t click any suspicious links or attachments in emails, on websites, or on social media. Phishing scams and similar crimes get you to click on links and give up personal information like your name, password, and bank account number. In some cases, you may unknowingly download malware to your device. 
• Be especially wary if a company asks you to update your password or account information. Look up the company’s phone number on your own and call the company.

Know who you’re buying from or selling to.

• Check each website’s URL to make sure it’s legitimate and secure. A site you’re buying from should have https in the web address. If it doesn’t, don’t enter your information on that site.  
• If you’re purchasing from a company for the first time, do your research and check reviews.
• Verify the legitimacy of a buyer or seller before moving forward with a purchase. If you’re using an online marketplace or auction website, check their feedback rating. Be wary of buyers and sellers with mostly unfavorable feedback ratings or no ratings at all.
• Avoid sellers who act as authorized dealers or factory representatives of popular items in countries where there would be no such deals.
• Be wary of sellers who post an auction or advertisement as if they reside in the U.S., then respond to questions by stating they are out of the country on business, family emergency, or similar reasons.
• Avoid buyers who request their purchase be shipped using a certain method to avoid customs or taxes inside another country.

Be careful how you pay.

• Never wire money directly to a seller. 
• Avoid paying for items with pre-paid gift cards. In these scams, a seller will ask you to send them a gift card number and PIN. Instead of using that gift card for your payment, the scammer will steal the funds, and you’ll never receive your item. 
• Use a credit card when shopping online and check your statement regularly. If you see a suspicious transaction, contact your credit card company to dispute the charge.

Monitor the shipping process.

• Always get tracking numbers for items you buy online, so you can make sure they have been shipped and can follow the delivery process.
• Be suspect of any credit card purchases where the address of the cardholder does not match the shipping address when you are selling. Always receive the cardholder’s authorization before shipping any products.

• For more information (and Cyber Security Tips & Tricks), please visit the College’s Information Security Resource Center at mercy.edu/information-technology/information-security

As a reminder: See Something, Say Something! Often your sharp eyes, ears and minds are our best defense. If you see something suspicious, please immediately report it to Campus Safety by emailing safety@mercy.edu or the OIT Helpdesk by emailing helpdesk@mercy.edu or by calling 914-674-7526.

And remember: If it seems too good to be true, it probably is.  Enjoy the Holidays!

Konrad Motyka
Mercy College
Executive Director for Campus Safety &
Emergency Management

The Department of Campus Safety and Office of Information Technology have been made aware of the following Alert:

References in this Academia product to any specific commercial product, process or service or the use of any corporate name herein is for informational purposes only and does not constitute an endorsement, recommendation, or disparagement of that product, process, service or corporation on behalf of the FBI. 

The FBI Miami, Tampa, and Jacksonville Field Offices, in coordination with the FBI Office of the Private Sector (OPS), prepared this Liaison Information Report to inform the education facilities sector of spoofed emails and fraudulent checks being employed by individuals impersonating employees of the United 
Nations International Children’s Emergency Fund (UNICEF) to defraud U.S. college students for financial gain. Recent reporting from the FBI’s Internet Crime Complaint Center (IC3) indicates fraudsters posing as UNICEF employees used a variety of tactics to obtain personally identifiable information (PII) from U.S. college students and, when successful, defrauded students of an average of $3,000 each.  

In most of these schemes, fraudsters sent an email to the student’s college email address, with the sender’s address typically appearing to originate from another student at their college, concerning an internship or part-time employment position with UNICEF. The fraudsters usually mailed checks with United States Postal Service (USPS) tracking to the students, containing their first paycheck and additional funds allegedly intended to purchase items for foster homes or orphanages on behalf of UNICEF.  After the students deposited the checks into a personal banking account, the fraudsters directed the students to purchase cryptocurrency or gift cards, or to otherwise transfer the funds to another financial account. Financial institutions later determined the checks to be fraudulent. Examples of these schemes impacting Florida college students included, but were not limited to, the following: 

• In March 2021, a Florida college student received an email to their student email address regarding an internship opportunity with UNICEF to work from home, allegedly to purchase items for foster homes. Per the email’s instructions, the victim contacted a “director” who asked for personal information including the victim’s name, home address, and telephone number. About two weeks later, the victim received a cashier’s check which the victim believed was intended to purchase items for foster children. A day after depositing the check, the “director” instructed the victim via text message to purchase and then transfer bitcoins, as well as transfer $500 from a cash app, to other accounts. The victim’s financial institution indicated the check was more than likely fraudulent.
• In March 2021, a Florida college student received an email to their student email address regarding a part-time job opportunity with UNICEF. The victim completed an application providing personal information including their social security number. Two weeks later, the victim received an email from a “supervisor” with a job offer and information advising the victim that they would begin receiving assignments shortly. The victim subsequently received a text message providing a USPS tracking number to track a package containing a check that allegedly was sent by the agency. The “supervisor” instructed the victim to deposit the check into a personal bank account and then to purchase six $500 gift cards. After each purchase, the “supervisor” asked the victim to take photographs of the receipt and gift card and send them to the “supervisor.” The victim later learned the check was fraudulent, after the gift cards had been redeemed. 
• In March 2021, a Florida college student received an email from an alleged student regarding a professor who was seeking students who wanted to earn extra money working with UNICEF. The student contacted the “professor” via email and the two began corresponding about the job position. The “professor” then sent a text message to the student, advising a check was en-route and providing a USPS tracking number. While the student was waiting for the check to clear, the “professor” asked the student to wire the funds to the manager of a foster home. After the student had wired the funds, the student’s financial institution determined the check had been altered or was fictitious.
• In December 2020, a Florida college student received an email from an alleged student attending the same college, regarding a part-time, remote position with UNICEF during the COVID-19 pandemic. The email instructed the student to contact another email address for more information. After contacting the indicated email address, the student received an application via an online Google Docs form. The application contained a job description and requested personal information including the student’s name, telephone number, and email address. The student then received a “welcome aboard” letter with the telephone number of a “contact supervisor.” The “supervisor” reached out to the student regarding a check that had been sent. Once the student received the check, the “supervisor” then sent instructions regarding which cards the student should purchase and to which addresses the student should send the cards.

Indicators 
The following indicators may assist in identifying related suspicious activities. These suspicious activities include but are not limited to any individual, group, or activity and should be observed in context and not individually. 

• Unsolicited emails containing grammatical and spelling errors, requesting PII, or originating from domains that are not organization specific. A best practice would be to verify the authenticity of email addresses by contacting organizations through their official websites.

This Academia Product was disseminated from OPS’s Information Sharing and Analysis Unit. Direct any requests and questions to your FBI Private Sector Coordinator at your local FBI Field Office:  fbi.gov/contact-us/field-offices