Imposter scams take various forms, but what they all have in common is that a scammer poses as someone you know and attempts to obtain personal or sensitive information from you. Scammers may pose as someone you know personally or someone in a shared group or organization, such as your place of employment, or someone from a known and trusted organization such as your bank or the IRS. To learn more about different types of imposter scams, please visit www.ftc.gov/imposters, which is an FTC web page containing videos and other resources detailing many common imposter scams.
Accordingly, University employees may receive forged communications purporting to come from an NYU executive or higher up seeking access to resources or sensitive information. These types of communications may arrive via email, text, social media or a phone call. Please be mindful that phone numbers and email addresses may be spoofed, so a communication may appear to be legitimate when it’s not. You may wonder how a scammer would know to target you for certain types of information and what security recommendations can be offered for requests you may receive – please read on!
Social engineers review and harvest information from social media and public facing websites to use in targeted attacks. This is why it’s always advisable to limit what you post online about yourself, others and your employer. It is also always advisable to call the requester at a trusted phone number, such as their NYU Directory phone number, to confirm the request received.
Please take note of the following additional recommendations:
- Take the time needed to examine all requests received and do not let a sense of urgency, which may accompany a request, speed your review.
- Be on the lookout for anything unfamiliar, such as a salutation, closing, or language that the requester world not use.
- Be wary of requests which ask you to bypass established processes/procedures.
- Scammers may spoof an email address or use an email address that is similar to the sender’s email address. With spoofed email addresses, the address looks correct, but another email address displays when you hover over it.
- Scammers may also use an email address that does not exist. For example, HR@nyu.edu is not an actual NYU email address.
- Be suspicious of any request for information or access to resources that purports to be from an NYU executive or higher up that is received via social media.
- Report imposter scams to firstname.lastname@example.org.
- Please see the following KBase article for tips on identifying phishing generally: Recognizing phishing scams and protecting yourself online.