“A $3500 end-of-the year bonus for students!”
“A part-time job offering hundreds of dollars an hour!”
“Last chance to enroll in SHIP!”
To cash-strapped University of Wisconsin-Madison students, these emails may appear to be a welcome respite from the deluge of academic emails every day. However, these seemingly too good to be true emails are often the work of scammers masquerading as official entities to capitalize on your personal information and make a quick dollar at your expense.
Phishing, a form of fraud where a scammer attempts to reveal your personal financial or confidential information by posing as a reputable entity, is familiar to many students. UW-Madison Information Technology keeps a database of known scams, but these scams change rapidly and have the potential to inflict a huge headache on students and their wallets.
Falling for these schemes can do a lot of damage. Simply providing your NetID and password allows scammers to access your personal information in the MyUW Portal, including your payroll statements, financial aid records, grades, home address and more. Your NetID can even be used to steal your identity — altering your course schedule or stealing your coursework – even offering access to your home computer.
If UW-Madison detects any response by you to a known phishing address, your credentials will be disabled, and you won’t be able to access network resources until you re-establish your credentials.
Though many students may pride themselves on their internet acumen or their sharp eye for spotting fraud, remaining vigilant and determining which emails are legitimate or not can be a tricky task. The Cardinal breaks down how scammers get student emails and how you can protect yourself.
How are scammers getting student emails?
The Family Education Rights and Privacy Act (FERPA) instructs institutions of higher learning to maintain student privacy by designating certain pieces of information as directory (public) or non-directory (private), according to the UW Registrar office.
Currently, UW-Madison's public directory lists student names, phone numbers, enrollment status and email addresses, among other information.
Under FERPA, schools may release directory information — including email addresses — to public entities or anyone who requests the information. Faculty and registered student organizations typically request this information to offer research opportunities or to advertise club activities.
While federal statute grants schools the right to review requests and determine if they want to provide student information to a third party, this isn't the case at UW-Madison.
The Wisconsin Open Records Law outlines that “all persons are entitled to the greatest possible information regarding the affairs of government and the official acts of those officers and employees who represent them.”
Since UW-Madison — a public institution — is considered a government agency, the university is required to release the information without any stipulation or inquiry. This makes it easy for third parties — and particularly scammers — to freely acquire UW-Madison email addresses without any justification or closer investigation.
How can students protect themselves?
The quickest way to determine if an email sent from the university is fake or not is whether it asks for any personal identity information. Because it can be difficult for students to identify counterfeit emails, the university made it a rule to not ask students to disclose personal identity (PID) information over email, according to UW-Madison’s Information Technology department. PID is any type of information that can be used to identify, contact or locate a single person, which can include your Social Security number, driver’s license or usernames and passwords. Unprompted messages that ask for these items are a clear red flag the email is a scam.
Other giveaways include a message with a sense of urgency, an abundance of grammatical and spelling errors and a lack of a digital signature. In addition, if the message has a usual “From” or “Reply-To” address instead of a “@wisc.edu” address, or the website URL doesn’t match the name of the institution it represents is another indication the email is not legitimate.
To combat phishing, it's important to identify these markers, and if you see any of them DO NOT CLICK THE LINK.
The university recommends updating your internet browser and operating system to the latest software, and to err on the side of caution. If the email appears too good to be true, it most likely is, but if you're still unsure, contact the DoIT Help Desk at 608-264-4357 for advice.
Gavin Escott is a senior staff writer and photographer for multiple desks at The Daily Cardinal. Throughout his time at the Cardinal, he's written articles for city, state, campus and breaking news. He is the current host/producer of the Cardinal Call podcast. Follow him on Twitter at @gav_escott.