This documentation aims to provide comprehensive and effective guidance to educate employees and offices on how to recognize and avoid job offer phishing attacks. It seeks to empower employees with knowledge and skills to detect and prevent fake job offerings, thereby ensuring offices do not pass along fake job offers to official sites that could potentially place students in harm's way.
Detailed Information
Disclaimer
Even if an email does not match all of the criteria listed herein, it may still be phishing. The more flags, the more likely it is a scam. Trust your instincts. If you are still unsure, we are always happy to have a look: just reach out via email to phish@maine.edu and/or any of the contacts listed in the Still Unsure section of this document.
Your Phishing Toolbox
For this article, we have developed a metaphorical toolbox for you to use when you need to discern real from fake job offers and scams. The toolbox functions much like a real toolbox where you have multiple tools at your disposal, but not every tool will be the right fit, and you may need to use several before the job is done. That said, we hope this toolbox makes for easy construction work in your office. Have any questions or suggestions? Please send them along by emailing the Information Security Office at infosecurity@maine.edu.
Reality Check
- Is this offer too good to be true?
- Does the pay seem fair for the workload?
- Is an entry-level job paying far above minimum wage?
- Are their expectations clear and concrete in the description?
- Would a real company have a job this easy or vaguely outlined?
- Is the workload enough to fill the expected hours?
- Is the hiring process too easy or too complex?
- Does it sound like anyone could get the job just by replying?
- Are they asking for too much personal information right away?
- Is there an undue sense of urgency that does not add up?
Company Check
- Can the point of contact actually be reached?
  - Call the number found on their website (not the one in the email)
  - Does the phone number in the email match the one on the website?
  - Do they answer? If not, leave a message and get in touch
Real Person Check
- Look up the person: Do they really work for that company?
  - Can you find the person in the company's directory?
  - Can you find them on LinkedIn?
  - Do they still work for that company?
Sending Domain Check
- Does it match?
  - Does the email suffix match the company name?
  - Does the email look like a professional email?
- Is it a look-alike domain?
  - A look-alike domain is a website domain that is similar to a real, legitimate domain name but with slight differences designed to trick you
Professional Check
- Grammar and punctuation
  - Are their sentences grammatically correct?
  - Do the syntax and sentence structure look right?
- Is the method of contact weird or unprofessional?
  - Are they asking for text communication?
  - Are they restricting you to email only?
  - Are they asking you to use a personal email address rather than your @maine.edu address?
- Do they ask for strange or unusual transfers of money?
  - If you take a job, do not make any payments on the promise of reimbursement
  - Checks from an employer need to clear through the bank before the funds are actually available to you
Still Unsure
Contact any of the following offices or entities for a second opinion:
- Phish Reporting Inbox (phish@maine.edu)
- Student Employment Office
- Career Center
- Your campus' Human Resources contact
FAQs
What is a domain name?
A domain name is the part of an email address after the "@", which normally looks like "username@domain.com/net/edu/etc." The domain name must be registered by an entity on the internet. If the domain name does not match the website or company name, you should be suspicious of the address. Common personal domains that are easy to create and abuse include @outlook.com and @gmail.com, but it is also possible to fake a domain like @maine.edu. You should always be suspicious of senders that you were not expecting, and it is an even bigger red flag when the domain seems fake or hastily created. One real-life example is @engineering.org, which sounds professional at first but does not actually match any reputable company.
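The Sending Domain Check and the domain-name FAQ above describe a manual comparison; the script below, added here as an illustration and not part of the original article, performs the same comparison in code. It assumes the expected domain is the one taken from the company's own website (never from the email), and the free-mail list and homoglyph table are assumed starting points, not a complete catalogue.

```python
import re

# Personal domains anyone can register in minutes (the FAQ names two of these).
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Character swaps commonly used to build look-alike domains ("rn" reads as "m").
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def sender_domain(address):
    """Return the lowercase domain (text after the @), or None if malformed."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+\.[^@\s]+)", address.strip())
    return m.group(1).lower() if m else None


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, expected_domain):
    """Compare the sender's domain with the domain taken from the company's website.

    Returns one of: match, free-mail, look-alike, unrelated, malformed.
    Anything other than "match" deserves a second look by a person.
    """
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    expected = expected_domain.lower()
    if domain == expected or domain.endswith("." + expected):
        return "match"  # the company's own domain or a subdomain of it
    if domain in FREE_MAIL:
        return "free-mail"
    # Registrable part only (last two labels): "hr.rnaine.edu" -> "rnaine.edu"
    base = ".".join(domain.split(".")[-2:])
    unmasked = base
    for fake, real in HOMOGLYPHS.items():
        unmasked = unmasked.replace(fake, real)
    brand = expected.split(".")[0]  # "maine" for maine.edu
    if unmasked == expected or edit_distance(base, expected) <= 2 or brand in domain:
        return "look-alike"  # resembles the real domain but is not it
    return "unrelated"
```

The classifier flags, it does not decide: a "look-alike" or "unrelated" result is the cue to run the Company Check and Real Person Check above.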
What do we mean by "professional"?
When we refer to an email or address as "professional," we want you to be on the lookout for errors and practices that are uncommon or unrealistic in a legitimate communication from a trustworthy company. A professional email has a clean layout and is free of spelling and grammatical errors, and its logos and pictures are high quality and load correctly. A successful and trustworthy company is not going to send you a distasteful email full of errors and threats. They want your business to continue, so they invest a lot of time and money in making sure their communications are professional and pleasing in nature.
Environment