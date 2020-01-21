Every Purdue student knows the story: Your email inbox pings, you rush to check your messages and you find a spam message. Either it’s a student asking you to babysit their dog, become a “secret shopper” or work as an assistant. Each promises $300 to $500 in “cool cash” per week, and just about every one is a scam.
These emails are part of a scam trend known as “phishing,” in which a scammer attempts to extract personal information from a victim via email. This can be done through tainted links or attachments, or by having the person enter such information in a mocked-up login portal like the “myPurdue” website.
The emails are commonly sent from legitimate Purdue email accounts, giving an air of authenticity upon first contact. According to Information Technology at Purdue Communications Manager Greg Kline, these are active, compromised Purdue accounts, often those of students who have themselves fallen victim to this scam.
In this way, the scam self-propagates, using the accounts of previous victims to attract more. Kline also said the accounts could have been hijacked if the student had used the same password on multiple accounts, one of which had been compromised.
A recent incident of these attempted scams appeared to include junior men’s basketball center Matt Haarms. In a post to the r/Purdue subreddit, user u/Doubles76 claimed to have received an email from Haarms asking him to become an “errands assistant.” The user claimed to have verified that identity in a comment on the same post, but did not respond to a request for comment.
Purdue could not provide information on the specific incident, citing legal concerns regarding private information.
A common question from students concerns how such emails can be so common if Purdue has an established spam filter in Cisco. According to ITaP’s website, the spam filter doesn’t factor into the problem.
Since all of the emails are coming from internal Purdue accounts — accounts ending in the “purdue.edu” domain name — they don’t pass through Cisco’s protocols and effectively fly under the radar.
Purdue recommends wariness in all cases regarding personal information. The University “will not ask for your credentials by email,” according to ITaP, and any links or attachments provided by unknown emails should be ignored.
ITaP also recommends that students regularly check their Spam Quarantine in addition to their inbox. Legitimate emails from employers or outside sources may get caught in Cisco’s net because they bear incidental resemblance to scam emails.
Suspicious emails can be reported by forwarding to abuse@purdue.edu, according to a Purdue press release.