Fraudulent emails flood Northeastern Outlook inboxes. Students risk losing thousands.

In April 2023, Clarissa Caslli, a second-year business student, lost $1,000 due to a fraudulent email she received through her Northeastern Outlook account.

While waiting to begin her first semester at Northeastern, Caslli was a senior in high school when she received an email from a sender identifying herself as Northeastern’s Human Resource Unit Ford Foundation. The email obtained by The News described a part-time job that offered up to $500 a week. Interested students were instructed to email “Dr. Walter Brandon” from a personal email account, not her northeastern one.

“I emailed back and then there was an email thread that continued before anything happened,” Caslli said. “One of them was that I sent a photo of my ID.”

“Dr. “Brandon,” who said he was a clinical counselor, sent fake checks to Caslli, which she deposited into her bank account. Once the money was in her account, he asked her to transfer $1,000 to a third party through Zelle. However, when Brandon’s checks arrived a few days later, Caslli realized she had never received a real payment from him and lost $1,000 of her own money.

“I clarified the contact he gave me, and then when he asked for it the second time, I thought: Something is wrong because the second amount was significantly higher,” Caslli said. Brandon asked her to transfer over $2,000 the second time, leading her to believe it was a scam. When she became suspicious, she stopped responding to the scammer and eventually stopped hearing from him.

Caslli contacted their bank, but since the transaction was completed through Zelle, they said there was nothing they could do.

Caslli isn’t the only Northeastern student to fall victim to a phishing scam.

Phishing, according to the Computer Security Resource Centeris “a technique for attempting to obtain sensitive information, such as bank account numbers, through a fraudulent request via email or website” where the sender poses as a legitimate company or individual.

In 2022, The News reported an increase in fraudulent emails sent to students’ Outlook accounts. At that time, Northeastern Information Technology Services announced that additional authentication factors such as Duo authentication would be added to make Northeastern accounts more secure.

However, in the two years since Duo launched, fraudulent emails have predominated and students still report receiving phishing emails through their school emails.

Most scam emails have similar characteristics: they offer lucrative pay for little work, request a response from an email address outside the Northeast, and send the scams from an external domain – usually an @hotmail.com. Email Address – The News found via a review of scam emails.

However, according to The News, some recent fraudulent emails sent to students’ Outlook addresses came from an email ending with “@northeastern.edu,” making them appear particularly genuine to students. In October, a reporter from The News received an email purporting to be from Marianne Sheldon. a history professor at Northeastern University in Oakland. The email promised high pay for a temporary personal assistant position and contained all of the above characteristics of a scam email.

“I did not send that email,” Sheldon told The News in a Nov. 4 email. Sheldon could not be reached for further comment.

Scammers targeting Northeastern students use almost identical procedures when corresponding with victims. They deposit a bad check into victims’ accounts and then demand that they purchase something or return the money. When the checks are cashed, the victims are left with nothing of the promised wages and have lost even more money on the purchases and payments they were asked to make. Many scammers use it similar phishing tactics to access personal or sensitive information of victims.

Polina Kaidash, a third-year architecture student, also fell victim to a scam during her first year at Northeastern. The email obtained by The News was from someone who appeared to be a member of the Northeastern faculty because he used an “@northeastern.edu” email address.

The email offered a part-time job completing basic tasks for a lucrative pay. Kaidash’s first task was to purchase check papers from Staples, and when she couldn’t find them, the scammer told her to order them online.

Once completed, the scammer emailed Kaidash two checks – one for $1,500 and one for $2,000.

“She told me to transfer it to my bank account and I did, which was really stupid now that I think about it,” Kaidash said.

Kaidash’s next task was to go to Target and buy gift cards, which she said made her realize the job was a scam. When she stopped responding to emails, the scammer allegedly threatened to contact the FBI.

“So I just blocked them and didn’t do anything, but I still had $3,500 more in my account, which was pretty stressful,” she said.

The checks were received a few days later and Kaidash received no communication from the scammer after that.

Both Caslli and Kaidash said the reason they believed the emails were legitimate job offers was because they were sent to their school emails.

“I understand that there are a lot of strange things on my regular (email) account,” Kaidash said. “But (on my) school account, which I’ve never used before, it was weird.”

While some external emails sent to Northeast Outlook addresses contain a banner at the top that says “Some content in this message has been blocked because the sender is not in your safe senders list,” many scam emails lack this feature. Emails. including those coming from internal Outlook addresses.

“If I had gotten that (email) to my personal email address, I 100% wouldn’t have even looked at it,” Caslli said. “But it was the fact that it went to my school’s email address that made me believe it was real.”

After Caslli was scammed, she contacted Northeastern’s information technology, or IT, department. She described the situation to them and they informed her that it was a scam. Caslli said she was frustrated by the conversation because she believes the IT department should have warned students if it had known fraudulent emails were ending up in students’ inboxes.

“(The IT officer) “I didn’t really care, and if you knew it was a scam, why wouldn’t you send a disclaimer to the students?” Caslli said. “So that surprised me too because obviously she knew it was a scam and she didn’t really care.”

Caslli said she Googled the contents of the email before responding to check whether it was a scam and came up with nothing. She said if Northeastern had known that this email and others like it were fraudulent, they should have posted more information about it online.

“There should have been a blog or post on Northeastern’s website with a screenshot of it,” Caslli said.

The North East Office of Information Security has a page of confirmed phishing emailsand Northeastern IT Services has one Page Here are tips for identifying phishing scams. The site also provides an email address, (email protected)to which students can send emails with suspected phishing.

Although these resources are available when searching, students say they have not received a recent communication from the university warning them about email scams or information about how to avoid scams.

A representative from the Office of Information Security canceled a scheduled interview with The News and did not respond to several follow-up emails. Renata Nyul, Northeastern’s vice president of communications, said in an emailed statement to The News that Northeastern is “taking the necessary steps” to curb email fraud.

“The university has extensive protocols in place to mitigate the risk of phishing scams and other attempts designed to compromise email security,” Nyul said. “Northeastern ITS has extensive resources to support the university community and regularly shares information with the university.” latest updates. This is a useful website with lots of relevant information: Phishing – Office for Information Security.”

Nyul did not directly address questions about what safeguards are in place to prevent fraudulent emails from being sent to email addresses in the Northeast, whether the university is aware of some fraudulent emails from “@northeastern. edu” addresses, nor whether she plans to send such an email. Email to the community with a warning about fraud.

Students like Caslli and Kaidash continue to receive fraudulent emails in their Outlook inboxes, raising concerns about cybersecurity at Northeastern.

“If people, these scammers, are able to send emails to my school’s email address, then I wonder if my information is protected,” Caslli said.