Story By Emily Roden, Photos and Illustration by Emily Roden

On Jan. 21, the University of Florida sent out an email to students with the subject  “Phishing Awareness.” According to this email, the busy nature of a new semester is prime time for cybercriminals and phishing attacks.

The website Imperva defines phishing attacks as “a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.” Before last October, the only phishing experience I had known aboutwas with my grandma and a dangerous link for free cleaning supplies. I never thought something like this could happen to me.  

Like most college students I am broke. Just yesterday my card bounced at Au Bon Pain as I attempted to buy an $8 sandwich. I dreaded the desperate text to my parents asking them to put money in my account, but then again, a job is an intimidating time commitment alongside the rigor of UF classes. 

I got an email on my UF email account last semester from a UF student that seemed like it would answer all of my financial prayers:

I showed my roommate and she instantly dismissed it as a scam. I asked my dad and he agreed, saying that the numerous punctuation, capitalization, and grammatical errors were a bad sign. I thought about it – the risk, the reward, and, most importantly, the potential journalistic or Twitter gains – and decided to apply. The application website (now taken down) only asked for my name, age, and address. These pieces of information hardly pass as job qualifications. 

I felt as if those three pieces of information were something that I could spare for the sake of curiosity. I believed that this was a scam, but I wanted to understand the process of this internet phisherman so that I could tell others what to look out for in this kind of situation. 

On Nov. 10, I got a text from an unknown number, or, as he called himself, my “agent correspondent,” saying that I had been chosen as an employee from a super intensive selection process and that I should continuously check the mail in the following 24 hours as they had sent a time-sensitive package containing my first “assignment.” The next day, I received an email from UF Packcity telling me my package had arrived. 

In the mail, I found an envelope containing two pieces of paper and a check for $1950. At this point I was concerned. The word “CONFIDENTIAL” striped the middle of the page headed with the words “Secret Shopper Agent #______”

My assignment -which was written in a haphazard manner- was as follows:

  1. Cash the check at the bank.
  2. Go to the nearest Walmart and purchase two $400 giftcards. As I do this, I am to monitor the behavior of the cashier. I am not to reveal ANY information of my investigation to the staff of Walmart.
  3. When I leave, with the two $400 giftcards, I am to send a customer report in the mail and text my “agent correspondent” a picture of the front and back of the giftcards with the card/pin number revealed.
  4. I am then to repeat this process at a second Walmart and the remaining $350 is mine to keep.

No matter how glorious $350 sitting in my bank account sounded, I knew I could absolutely not cash that check. I decided to look it up and discovered that this is a massive scam going on right now. When the “agent” cashes the check, it will bounce, but they will be unaware of this for 24 hours. Within these 24 hours they would have already purchased the $1600 worth of giftcards and sent the giftcard information to the scammer. Your bank would contact you the following day to let you know that the check bounced and, if your bank account looked like mine, your account statement would read -$1598.30.

This was my personal and very dignified response to the scammer:

While dabbling in detective work was fun, as I reflect on this scam, it concerns me. This is a major threat to the wellbeing of UF students. It is crucial for people to be aware of the emails they receive and interact with, even if they come from UF students. This could have devastated my finances and risked my credibility at my bank. 

This isn’t only a financial concern. As UF stated in their email, “cybercriminals are looking to get your UF credentials, so they can see (and steal) data from the University.” A notable piece of advice that they give is that if you are sent an email with a link, “hover over the link in the email.” This way, the web address that the link will take you to will appear and you can determine the validity of the site. I think as a rule of thumb, if you are unsure about a sender, content, link, etc., do not interact with it at all and delete the email.

In order to combat these phishing attacks, the University has implemented “two-factor authentication, so it is harder for stolen account credentials to be used.” This means that if anyone attempts to login to your account from an untrusted device, they must have access to your smartphone to get in. This will become mandatory for all students by the end of this semester. To enroll now and get more information, visit here