K-State has been targeted with a new PayPal scam. Scammers are impersonating PayPal and sending fake invoices. Their goal is to trick you into contacting them using the information provided on the invoice.
If you call the number or send an email, you’ll reach a fake call center. The scammers will claim they can refund the charges but need your credit card or banking information. In some cases, they might convince you to start a remote “help session” to remove nonexistent software from your computer. Once connected, they can blank out your screen and perform malicious activities on your device without your knowledge.
What To Do If You Suspect a Scam
- Do Not Respond: Don’t engage with any unsolicited messages, emails, or phone calls claiming to be from PayPal. If you suspect it is a scam, forward the message to abuse@k-state.edu. K-State’s Security Intelligence and Operations Center (SIOC) will investigate to determine if it is a scam or a legitimate message.
- Stay informed: Read cybersecurity articles in K-State Today to learn best practices and stay updated on threats. Share this information with others and complete annual cybersecurity training tailored to K-State risks.
- Follow K-State policies and procedures: Keeping K-State’s network safe is a team effort. Policies and procedures help us understand what each of us needs to do to work together to keep our environment safe.
- Secure your computer and mobile devices. Keep software and firmware up to date by installing patches the software vendor releases. Don’t operate devices in administrator mode. If an attacker obtains access to your device and you are signed in as a restricted user, the damage they can do is minimized. K-State has taken steps to ensure users are running in “least privileged” mode in case an “accidental click” does happen. You can do the same on your personal devices.
- Don’t store passwords unencrypted. Use a password manager that encrypts the passwords it stores, and make sure the password manager is legitimate. There are scam ones out there. Don’t store passwords on Post-it notes.
- Use multi-factor authentication. Your password is what you know, and DUO is what you have. If you get unexpected DUO push notifications, don’t accept them—this could mean someone knows your password and is trying to log in as you. Reset your password immediately and report ongoing issues to the IT Service Desk (785-532-7722) or abuse@k-state.edu for investigation.
- Check your security settings and online profiles. Check your security settings on all devices and avoid oversharing personal information online. Details like your pet’s name, hometown, or high school on social media could help attackers guess answers to your security questions and access your accounts.
Stay safe, and remember: if something seems suspicious, it’s always better to double-check with abuse@k-state.edu.