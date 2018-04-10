COLUMBUS — Thousands of university students and employees targeted by email phishing schemes this year have taken the bait. Fortunately, they were duped not by real scammers, but by their own schools — in simulations meant to make them more adept at spotting real threats.

When Ohio State University did its first student-focused phishing in January — a strategy also used in the corporate world — over 18 percent of the recipients clicked through. The University of Alabama at Birmingham’s employee-focused phishing awareness campaign snagged over 7,000 people in March, or about a quarter of the recipients.

Ohio State sophomore Ezequiel Herrera, who prides himself on quickly responding to messages, was caught off guard twice by the fake phishing emails. The first time, he said, he felt proud his school was taking that kind of educational action. The second time left him frustrated.

“I was sort of like, ‘Wow, I’m really, really bad,’” Herrera, 19, said with a smile. Since then, he said, he has become more cautious while scrolling through emails from unfamiliar senders.

The faux phishing messages mimic emails about financial aid, holidays, resetting passwords or other topics but contain signs of potential fraud, such as generic greetings, requests for urgent action or information, spelling errors, and senders from unfamiliar domain names. Recipients who click links in the emails are redirected to tips about good cybersecurity habits and how to spot and report real attempts at stealing passwords or other sensitive information.

“A phishing simulation helps people understand the role that they play in managing security — that it’s not up to their IT support or the help desk or whoever that they can sort of blindly walk along,” said Helen Patton, Ohio State’s chief information security officer. “A lot of what makes an organization secure is what happens between an individual and their keyboard or their phone.”

Patton talks about it like a digital vaccination, helping protect individuals and the broader campus community against cyberattacks that could cost far more than the phishing simulations.

Just last month, U.S. prosecutors accused a group of Iranians of hacking the computer systems of about 320 universities in the U.S. and abroad to steal billions of dollars’ worth of science and engineering research that was then used by the government or sold for profit. Prosecutors said spear-phishing emails were used to target over 100,000 professors, but they didn’t publicly identify those individuals or their schools.

Ohio State has used phishing simulations for employees since 2016. Officials won’t disclose exact results for security reasons but say responses have improved since the early rounds when, for example, a message about a second-floor printer was clicked by people in facilities that didn’t even have a second floor.

In a hurried, tech-reliant culture in which so many people exchange so much information at their fingertips on smartphones and other devices, Patton said, the battle is getting people to slow down.

The practical, experiential training of fake phishing has proved more effective compared than slideshows, webinars or other common types of training that can get stale, said Joanna Grama, who directs the cybersecurity program at the higher education technology association EDUCAUSE.

The risk, of course, is that folks will feel tricked, so it’s important that the training be educational, not punitive, Grama said.

At Alabama-Birmingham, one faculty member decried the phishing simulation as a waste of time, but most responses were positive, said Curt Carver, the university’s vice president for information technology, who recalls first hearing about the concept of self-phishing over a decade ago.

Some people report the messages as suspicious, and others send replies like “Ha, you got me!” or “Didn’t get me this time!” A few, he said, expressed interest in making it more of a game, wanting to gauge how well they detect phishing attacks compared with others.

“They’ve realized … they can be a hero, they can be a person that helps protect everybody else,” Carver said.

BBB Scam Spotlight: March 2018

COLUMBUS (April 10, 2018) – Each year, one in four North American households are scammed. Because money loss and identity theft can happen to anyone, BBB encourages community members to protect and inform others by reporting any scam-related experiences to BBB’s Scam Tracker.

In March, Central Ohio consumers reported over $18,000 lost to scams.

BBB analyzed 84 Scam Tracker reports from March 2018 to shed a spotlight on four scams affecting our Central Ohio community:

1. Phone Scams: The top means of scam contact this past month was through telephone calls. BBB would like to offer the following tips to help consumers combat scam calls:

Do not answer calls from numbers you do not recognize. If the caller is legitimate, they will leave a voicemail. Even if a scammer chooses to leave a message, you can take time to determine if it is worth pursuing instead of being put on the spot.

Be wary of recorded messages telling you to press a number to be removed from the call list. Since pressing a button confirms that you have a working number, it is best to hang up.

Some scammers may call and impersonate trustworthy businesses, charities or even government agencies. The best way to avoid these types of scams is by hanging up, looking up the organization’s phone number and calling back to directly speak to a representative.

Visit DoNotCall.gov and join the ‘Do Not Call Registry’ to help lessen the number of calls you receive. Joining the registry will not completely stop scammers, but you should receive fewer calls.

Nomorobo.com offers an app for both landlines and cell phones to block any phone call that comes in as an automated or machine-made call.

2. Puppy Scam: Three different consumers each lost $500 trying to buy a dog from Sunshine Puppies online. One woman from Obetz, Ohio reported that she had sent in the money for a dog but never heard from them again, even after numerous emails and calls.

Puppy scammers build websites using stolen pictures and content from reputable breeders. They promise to send a puppy to you after you wire them money, and will add on additional fees or disappear completely after you have paid them. BBB urges consumers not to pay any money or give personal information to websites like these, because the puppies do not exist.

3. Sweepstakes Scam with a twist: A woman from The Plains, Ohio reported losing $12,000. She was contacted by a “John Brown” who told her she had won money and a car through American Senior Citizens Sweepstakes. Her prize included a brand new car, a briefcase with $50,000 and a check for $9,000,000. He instructed her to pay fees for stamps and updating the check, then she could claim her prize.

This has been going on for over a year, and she has never received her prize. John Brown claims to be from Jamaica, New York, and continues to call and text her. He now tells her that he is in love with her and asks her to come to New York to stay with him and his daughter. She has wired him money to Jamaica through Western Union and MoneyGram. When Western Union and MoneyGram both stopped her, she started using Walmart to Walmart money transfer.

You should never have to pay money in order to receive a prize. Be especially wary of requests to send money via wire, prepaid debit card, gift card or other unusual forms of payment. You also cannot win a contest you did not enter. You need to buy a ticket or complete an application to participate in a contest or lottery. Be very careful if you’ve been selected as a winner for a contest you never entered.

4. Healthcare Scam: A Logan, Ohio woman received a postcard in the mail from the National Pain Relief Center of Amsterdam. The card said “Pre-sorted First Class US 04101. Special Gift. Reward Certificate Worth A Thousand Dollars.” It also had a reservation number and said that representatives were standing by on call at 888-697-6780. It claimed she had been selected to participate in a free marijuana trial for men. She called them and gave the representative her telephone number. They took out $12 for shipping and charged her an extra $184.

Medical marijuana is legal in Ohio, but patients have to get a doctor to sign off on it first. If you receive anything in the mail about a free prescription, talk to your doctor. It is better to go through a medical professional than to follow-through on an unsolicited post card, even if the deal sounds too good to be true. ​

Consumers are encouraged to report scams to BBB Scam Tracker to help protect others in the Central Ohio community.

Monroe County Woman Sentenced to Prison for Scam

WOODSFIELD — Ohio Attorney General Mike DeWine and Monroe County Prosecutor James L. Peters announced that a woman has been sentenced to 18 months in prison and ordered to pay $641,908 in restitution for defrauding people in eastern Ohio and West Virginia.

Darlene Baldwin, 67, of Clarington, was sentenced in the Monroe County Common Pleas Court. She previously pleaded guilty to one count each of aggravated theft, attempted telecommunications fraud, and attempted money laundering.

According to investigators, Baldwin lied to people about needing money for various reasons, such as claiming she had a serious illness or that she was at risk of losing her home. She generally promised to pay people back promptly, but instead of paying them back, she wired the funds to other people, knowing the money would end up overseas with a man she had been communicating with online.

“Our goal was to stop the scam,” Attorney General DeWine said. “The defendant knew she was taking advantage of people, but she kept doing it anyway. We take these cases seriously, and we appreciate the cooperation of our law enforcement partners in stopping these types of crimes.”

“I want to thank the Ohio Attorney General’s Office for responding so quickly after this investigation was referred to them for prosecution,” said Monroe County Prosecutor James L. Peters. “I believe today’s result ensures that Ms. Baldwin will not be able to continue taking financial advantage of those who placed their trust in her.”

The case was investigated by the Attorney General’s Economic Crimes Unit and the Monroe County Sheriff’s Office, with assistance from the Marshall County Sheriff’s Office (in West Virginia) and the Ohio Attorney General’s Bureau of Criminal Investigation.

An attorney from the Attorney General’s Economic Crimes Unit was appointed to handle the case as a special prosecutor by the Monroe County Prosecutor.

Individuals who suspect a scam should contact the Ohio Attorney General’s Office at www.OhioProtects.org or 800-282-0515.

