Other ways to search: Events Calendar | UTHSC

Cybersecurity Scam of the Week – Reminder of Auto-Renewal Scams


Based on what was reported to Abuse last week, UTHSC is being hit with phishing attempts advising recipients that specific services from tech companies have been automatically renewed for hundreds of dollars. The only option to dispute the claims is to call a phone number listed on the email or text.

Anti-virus companies are the most prevalent spoofed organizations but are not the only ones. Norton, McAfee, and Kaspersky have been used to make these phishes look real. Best Buy’s Geek Squad tech support is another one, along with Paypal, using the ruse of an automatic payment. 

The idea is that the recipient, in a state of panic over potentially losing hundreds of dollars, immediately does what they are told and call the provided phone number to dispute the charge. The “helpful” customer service representative will need some information such as your credit card number to see if the charge has gone through, or need remote access to your computer to see if software has been installed. 

Either scenario is bad for the caller. You have just given away personal and banking information or you have given control of your device to someone who can then install malware, all under the guise of helping you. 

The best response is no response. If this happens to your UTHSC email account, forward that email to abuse@uthsc.edu so we can stop the attack and remove the phish from others’ inboxes. If this is a personal account, whether text or email, simply delete the email or text and do not engage the scammers. Responding in any way, even if it is to acknowledge they are attempting to phish you, lets the bad actors know that someone is monitoring that account. 

What has been reported to abuse@uthsc.edu this past week?

  • [Ext] Delivery Information :Online Delivery – this phish was attempting to spoof PayPal for an online delivery of Bitcoin
  • [Ext] Invoice K5Y6L0243 from Your Order Confirmation – another PayPal spoof for an online order
  • [Ext] Automated Clearing House-Payment Notification – another one that states payment has already been made. You need to call to dispute it. 
  • [Ext] Take the next step on your Windows device by confirming your Order – this one was an “invoice” for Norton anti-virus
  • [Ext] please review it we have done it for you – this one is from “Mcfe-sys services” that added a physical address to make it look more legitimate. However, they didn’t spell “McAffe” correctly.
  • [Ext] Billing Of McAFee done and update successfully!! – this one did spell it correctly but didn’t capitalize it well
  • [Ext] Auto updation of your account has been Done ( McAfee Security ) ! – this one did spell and capitalize McAfee correctly, but “updation”? 
  • [Ext] _Hello, Your Order Will Arrive Soon. – this one spoofed Norton’s LifeLock protection
  • [Ext] PURCHASED INFO SALES RECEIPT ##47 DVB VN 4 BV RT 34 V BW4T – another Norton one
  • [Ext] order number !2561##has been updated to renew life lock. – and another Norton one
  • [Ext] Get your plan details now #36565-HJSDSH-98435 – and another McAfee one
  • [Ext] Task – we continue to see people’s names spoofed using different Gmail accounts asking coworkers to buy gift cards
  • [Ext] systemmessage@office.com – a phish advising that your Office 365 password is expiring today, and you have to click a link to “Keep Same Password”. UTHSC gives much more notice than the same day for password expiration, and you cannot keep the same password if you are required to change it. 

Keep reporting suspicious emails to abuse@uthsc.edu for examination. If you wish to report an incident to the Office of Cybersecurity, use TechConnect.