Caltech Security Bulletin: Spear Phishing Scams

August 30, 2024

On Thursday, August 29, 2024, a graduate student received a call from an unknown male caller who claimed to be a member of Caltech Security. During the call, which appeared in the Caller ID as coming from a 1-800 number, the caller told the graduate student that they had information about their American Express card. The graduate student recognized the call as a scam, did not engage further, and notified Caltech Security immediately.

We write to alert the community of this type of activity, which is known as a spear phishing scam. A spear phishing scam is one in which a caller, text message, or email will provide specific details about you first and then ask you to verify the information in full, including but not limited to such details as your social security number, credit card number, or address.

We urge all members of the community to exercise caution when asked to disclose personal information and to be alert to the potential for such scams by phone, email, and text.

If you receive a phone call, text, or email from someone asking for your personal information, do not respond. You can capture their information and request; if you think the request may be legitimate, you can use that information to independently corroborate the request using verified contact information from the organization they say they are representing; in this case, that would have entailed contacting American Express via the phone number on the back of the card. You may also reach out to Caltech Security or another campus office (such as the Deans' Offices, Human Resources, or International Services) or another trusted individual to discuss the request and consider appropriate next steps.

To assist members of the community in identifying potential spear phishing phone scams, such as the one reported, we offer the following example of how the phone call may start:

"I'm calling from [pick any bank]. Someone's been using your debit card ending in 2345 at [pick any retailer]. I'll need to verify your Social Security number — which ends in 8190, right? — and full debit card information so we can stop this unauthorized activity…"

Spear phishing scams may also be combined with another scamming technique known as Caller ID spoofing, in which the scammers are able to falsely represent where the call is coming from. With Caller ID spoofing, the originating Caller ID may appear to come from someone you know or will display as the name of your bank or credit card company. It is important to know that even if the Caller ID appears to be from a credible company and the caller knows some of your personal details (such as your Social Security number, home address, or the last four digits of your credit card), the call may still be a scam. You should not share any information with the caller and should hang up the phone to connect with a representative from the organization the caller was representing to confirm if something with your account needs to be addressed. Similarly, please review any provided links in an email or text before clicking on them or entering any requested information into provided fields; when possible, type in a known entity's URL rather than clicking on a link. Caltech IMSS also provides helpful tips on how to avoid digital scams and phishing emails on its website.

Here are some additional tips and best practices:

  • Caltech Security (or any other official office or individual representing Caltech) will not contact you to obtain information regarding credit cards, bank accounts, or other personal financial information.
  • Calls from Caltech Security will come from a recognized Caltech extension; this will always begin with 626-395 and then a four-digit extension.
  • Don't assume your caller ID accurately represents who you're dealing with. Scammers can make it look like they're calling from a company or number you trust.
  • If you get a phone call, email, or text from someone asking for your personal information, do not respond. Instead, check out the request using independently verified contact information you know is correct.
  • Do not trust someone just because they have personal information about you. Scammers have ways of accessing that information.
  • If you do give a scammer your information, go to the U.S. Federal Trade Commission's official Identity Theft website at identitytheft.gov. You will be able to find answers to many questions on the site, including what to do if the scammer made charges on your accounts. Once the incident is reported to the Federal Trade Commission (FTC), please report it to Caltech Security (626-395-4701).

If you have received what you think may have been a scam attempt, even if you did not give personal information to the scammer, please report the scam to the FTC and to Caltech Security (626-395-4701). Your reports help us understand what's happening and can lead to investigations and legal actions to shut scammers down.

Thank you for your vigilance.