At the University of Utah, contact tracing plays a key role in helping to slow the spread of COVID-19—as do the actions of every student, faculty member and staff member. While this effort is a vital part of our community’s coronavirus response, criminals can also take advantage of the contact tracing process to gain access to personal information.
To help protect you and your privacy, the Information Security Office (ISO) wants to remind you how to handle calls and text messages from unknown numbers, seemingly legitimate numbers that aren’t part of your contact list or numbers that have been spoofed (faked) — all of which could be “smishing” (phishing via text messages) or “vishing” (phishing via phone calls) attacks.
To help you differentiate between a scam and legitimate contract tracing efforts, we spoke with Page Checketts, manager of the U’s contact tracing team.
Checketts said her team members follow a very specific outreach protocol. In the event you may have been exposed to someone who has tested positive for COVID-19, they will call you and send an email to your university email address (e.g., uNID@utah.edu). They may also attempt to contact you via text message (SMS). Given concerns about answering calls from unknown or unrecognized numbers, the contact tracing team will always provide details about how to contact them.
Checketts also noted that one of the biggest issues that her team runs into is voice mailboxes that are full. Emptying your voicemail inbox and responding to her team’s messages are two simple ways you can help the university’s contact tracing effort.
If you are unsure whether you have been reached by a university contact tracer and would like to confirm their identity, you can email the contact tracing team at email@example.com.
The Federal Communication Commission (FCC) also offers these tips to avoid smishing/vishing:
- Only answer calls from known numbers. If you answer a call from an unknown number, hang up immediately.
- If you answer the phone and the caller or recording asks you to select a button or number to stop receiving the calls, you should just hang up. Scammers often use this trick to identify potential targets.
- Do not respond to any questions, especially those that can be answered “yes” or “no.” By responding “yes,” you’re informing robocallers that your phone number is active. They then might sell your number to other telemarketers, leading to more unwanted calls. Criminals also may record your answers and use the recordings to impersonate you, such as authorizing charges to your credit card or account.
- Never give out personal information, such as account numbers, Social Security numbers, maiden names, passwords or other identifying information in response to unexpected calls/texts or if you are suspicious of the caller/sender.
- If you get an inquiry from someone who says they represent a company or government agency, hang up and call the organization using the phone number from your account statement, the phone book or its website to verify the authenticity of the request. You will usually receive a statement in the U.S. mail or email before a phone call from a legitimate source, particularly if the caller asks for a payment.
- Use caution if you are being pressured to divulge personal information.
- If you have a voicemail account, be sure to set a password for it. Some voicemail services are preset to allow access if you call from your own phone number. A malicious actor could spoof your phone number and gain access to your voicemail if you do not set a password.
Remember, the University of Utah and University of Utah Health will never ask you for your username or password. If you receive a call or text message requesting this information, do not respond and report it to firstname.lastname@example.org.
For additional tips to help keep you and your personal information safe, please visit security.it.utah.edu/training.
What is phishing, smishing and vishing?
Phishing is a scam designed to steal your information or passwords, compromise your devices or trick you out of money—typically via deceptive emails, text messages, posts on social networking sites, pop-up windows in your browser or phone calls.
Phishers may ask for your name, account information, date of birth, Social Security number, address or other personal information.
Smishing and vishing follow a similar pattern, attempting to use fear or urgency to trick you into giving important information away. Just like email, spoofing (or faking) a phone number is incredibly easy—so even if the number appears legitimate, it may not be.
FCC consumer resources: COVID-19 scams, including text message campaigns and robocalls, prey on virus-related fears. Learn how to avoid them.