Employee Impersonation Scams
What You Need to Know
With the rise of generative artificial intelligence, threat actors are creating more sophisticated phishing campaigns than ever before. When a campaign also impersonates an employee, the email can seem credible. Following the impersonation best practices below can help SJSU employees and students avoid falling prey to these campaigns. Here are some tips to confirm whether an SJSU community member is being impersonated.
What You Need to Do
If the sender falls into any of the categories below, your best options are to:
- Not reply. Feel free to delete the email and move on!
- Verify and Contact. If there are no obvious signs of phishing but the email content is suspicious, look up that sender's contact information in the SJSU Directory and email or call them yourself instead of replying to the email or using the contact information provided in it.
- Report the fraudulent emails. This can be done at one of the following websites or campus contacts:
  - Federal Trade Commission
  - FBI Internet Crime Complaint Center
  - Better Business Bureau
  - University Police Department
    - via campus phone: 4-2222
    - via any phone: 408-924-2222
  - IT Information Security
Confirm whether the sender address is from an @sjsu.edu email account
Emails about SJSU business should come from an SJSU email account: one that ends with @sjsu.edu. Scammers will sometimes embed sjsu.edu in the middle of the address (before another domain) to trick recipients, so look carefully at what comes after the @ sign.
Confirm whether the address matches the display name
Scammers will sometimes sign up for free email accounts (Gmail, Yahoo, Outlook, etc.) that are similar to someone else's name, and set the display name to whatever they want. For example, you might see a forged email where the sender's name is the name of your unit's dean, but the actual sending email address is clearly not the dean's address.
Check for spoofed email addresses
A threat actor will sometimes send a phish where the From email address is clearly an @sjsu.edu address, but the Reply-To is not. Be suspicious if the two do not match: anything you send in reply goes to the Reply-To address, not the one shown in From.
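The three address checks above (sender domain, display name versus address, and From versus Reply-To) can be applied mechanically to a message's headers. The script below is an added example written for this page, not SJSU's own tooling; the directory entries and sample messages are constructed, and the `.example` domains are placeholders. Only a directory lookup can tell whether a display name belongs to the address shown, so the script takes a small name-to-address mapping standing in for the SJSU Directory.

```python
"""Header checks for employee-impersonation phish: sender domain,
display name vs. known directory address, and From vs. Reply-To.
Constructed example; nothing here is real SJSU data."""
from email import message_from_string, policy
from email.utils import parseaddr

CAMPUS_DOMAIN = "sjsu.edu"

# Constructed stand-in for a directory lookup: display name -> known address.
SAMPLE_DIRECTORY = {
    "Dana Example": "dana.example@sjsu.edu",
}

# Constructed raw messages (headers only matter here).
SAMPLE_MESSAGES = {
    "legit": (
        "From: Dana Example <dana.example@sjsu.edu>\n"
        "Subject: Budget meeting\n\nSee you at 2.\n"
    ),
    "free_mail": (
        "From: Dana Example <dana.example.dean@gmail.example>\n"
        "Subject: Quick favor\n\nAre you available?\n"
    ),
    "lookalike": (
        "From: Payroll <payroll@sjsu.edu.mail-update.example>\n"
        "Subject: Action required\n\nUpdate your direct deposit.\n"
    ),
    "reply_to": (
        "From: Dana Example <dana.example@sjsu.edu>\n"
        "Reply-To: dana.urgent@mailbox.example\n"
        "Subject: Gift cards\n\nCan you pick up some gift cards?\n"
    ),
}


def address_domain(header_value: str) -> str:
    """Lower-cased domain part of the address in a header, '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def is_campus_domain(domain: str) -> bool:
    """True only when the domain *is* sjsu.edu. 'sjsu.edu.attacker.example'
    or 'sjsu-edu.example' contain the string but are not the campus domain."""
    return domain == CAMPUS_DOMAIN


def check_headers(raw_message: str, directory: dict[str, str]) -> list[str]:
    """Return the red flags found in the From / Reply-To headers."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags: list[str] = []

    from_header = str(msg.get("From", ""))
    display_name, from_addr = parseaddr(from_header)
    from_domain = address_domain(from_header)

    # Check 1: the sending address must end with @sjsu.edu exactly.
    if not is_campus_domain(from_domain):
        if CAMPUS_DOMAIN in from_domain or "sjsu-edu" in from_domain:
            flags.append(f"lookalike sender domain: {from_domain}")
        else:
            flags.append(f"sender not from @{CAMPUS_DOMAIN}: {from_addr}")

    # Check 2: display name matches a directory entry, address does not.
    known = directory.get(display_name.strip())
    if known and known.lower() != from_addr.lower():
        flags.append(
            f"display name '{display_name}' belongs to {known}, not {from_addr}"
        )

    # Check 3: replies would go to a different domain than the one shown.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = address_domain(str(reply_to))
        if reply_domain != from_domain:
            flags.append(
                f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
            )
    return flags


def run_samples() -> dict[str, list[str]]:
    """Run every constructed sample through the checks."""
    return {name: check_headers(raw, SAMPLE_DIRECTORY)
            for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(f"{name}: {'no red flags' if not flags else '; '.join(flags)}")
```

The strict equality in `is_campus_domain` is the point of the first check: a domain that merely contains `sjsu.edu` somewhere is treated as a lookalike, not as campus mail. In a real mail client these same fields are visible by expanding the sender details, which is where the manual check is done.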
Be on the lookout for requests containing red flags
Scammers may ask for the recipient's assistance in a way that requests personal information, financial remittances, or both. Here are some examples of commonly used red flags:
Requests to deposit checks and spend or send back some or all money.
In this version of the scam, the sender provides what is seemingly a real check; your bank will credit you for some or all of the check, but when the check proves to be fake, you are stuck with the loss of whatever you spent. Do not respond to requests to cash checks and then purchase gift cards or other items of value for the sender.
Requests for payment, particularly pre-paid cards or gift cards.
A real offer of employment or request for assistance from an SJSU employee should not ask you to spend money, particularly in the form of providing gift cards or pre-paid credit cards to the person contacting you.
Unusual requests to meet in person, or continue a conversation over text.
In at least one case, scammers have reportedly asked someone to meet them in person or to move their conversation to a phone chat. If you receive a request to meet someone you do not know or to move a conversation to a phone chat, particularly to exchange anything of value, be extremely cautious.