Gone Phishing: The Marks of an E-scam

Early this week, your alert DHI Director received an email from the Benefits Help address at The New School’s Human Resources. It went something like this: “Dear employee: please attach a copy of your 2015 W-2 and return it to us promptly. Sincerely, Human Resources.”

My fraud alert went off. I put it in spam, tagging it as “suspicious,” and you should have too. But it reminded the staff at the DHI that it doesn’t hurt to warn our colleagues about classic phishing scams. What is phishing? It’s when criminals try to elicit information from you that then gives them access to your finances. It is one of the fastest growing white collar crimes there is, and one of the most difficult to police because phishers “relay” these messages through servers in dozens of countries to hide their identities (want to hide your Internet identity? We’ll teach you how next week!)

The request for your W-2 was particularly insidious. A positive response would have handed over your address and social security number for sale and re-sale on the global market. Furthermore, one of the big phishes in the sea right now is for a criminal to file your federal and state tax returns and claim your refunds. When you go to file your taxes, you will find that the job has been done by  someone else and the refunds paid, never to be seen again. Hundreds of thousands of people in the United States were hit with this one last year.

You will know that an email is a phish if it meets one or more of the following criteria:

  • It asks for social security numbers, passwords, or other information to be transmitted over the Internet.
  • It claims that the request is urgent, and that you will suffer some harm if you do not comply.
  • It contains grammatical or spelling errors that are not characteristic of Human Resources communications.
  • If that information is something that Human Resources already has, and has perhaps generated in the first place — for example, your W-2, which you should have received in the mail last week and that you (or HR) can download from the secure My New School platform.
  • You may have noticed that official emails arrive on an official New School template: this one didn’t. Sometimes phishers will try to replicate the template (indeed, it is a relatively simple task to reveal codes on The New School website and grab the unique and distinctive logo we now use), so a proper appearance should not put your mind at ease entirely.

The good news is that, since the criminals had to phish, they did not break into My New School, although our buddies at Information Technology are probably looking for those attempts now. So be safe out there on the scary Interwebs! And remember — if you have a question, we at the DHI are happy to help you out.