In April 2023, Clarissa Caslli, a second-year business administration major, lost $1,000 because of a scam email she received through her Northeastern Outlook account. 

Awaiting the start of her first semester at Northeastern, Caslli was still a senior in high school when she received an email from a sender who identified themselves as the “Human Resource Unit” of the Ford Foundation. The email, obtained by The News, described a part-time job that offered up to $500 per week. Interested students were instructed to email a “Dr. Walter Brandon” from a personal email account, not their Northeastern one.

“I emailed back, and then there was a thread of emails that went on before anything took place,” Caslli said. “One of them was me sending a picture of my ID.” 

“Dr. Brandon,” who said he was a clinical counselor, mailed fake checks to Caslli, which she deposited into her bank account. Once the money appeared in her account, he asked her to transfer $1,000 to a third party using Zelle. However, when the checks from Brandon bounced a few days later, Caslli realized she had never received real payment from him and lost $1,000 of her own money. 

“I Zelled the contact that he gave me, and then the second time he asked to do it, I was like, something is not right because the second amount was significantly more,” Caslli said. Brandon asked her to transfer over $2,000 the second time, which led her to believe it was a scam. She stopped responding to the scammer when she became suspicious and eventually stopped hearing from him. 

Caslli contacted her bank, but since the transaction was completed through Zelle, they said there was nothing they could do. 

Caslli is not the only student at Northeastern who has been a victim of a phishing scam. 

Phishing, according to the Computer Security Resource Center, is “a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website” where the sender poses as a legitimate business or individual. 

In 2022, The News reported a surge in scam emails sent to students’ Outlook accounts. At that time, Northeastern Information Technology Services announced that additional authentication factors such as Duo Authentication would be added to make Northeastern accounts more secure.

However, in the two years since Duo was implemented, scam emails have prevailed and students still report receiving phishing emails through their school emails. 

Most scam emails have similar characteristics: They offer lucrative pay for little work, request a response from a non-Northeastern email address and send the scams from an outside domain — usually an “@hotmail.com” email address — The News found through a review of scam emails.

However, some recent fraudulent emails sent to students’ Outlook addresses have come from an email ending in “@northeastern.edu,” The News found, making them appear particularly real to students. In October, a reporter for The News received an email supposedly from Marianne Sheldon, a history professor at Northeastern University in Oakland. The email promised high pay for a temporary personal assistant position and contained all the aforementioned characteristics of a scam email. 

“I did not send this email,” Sheldon told The News in a Nov. 4 email. Sheldon could not be reached for further comment. 

Scammers targeting Northeastern students use near-identical processes when corresponding with victims. They deposit a faulty check into the victims’ accounts and then ask them to buy something or return the money. When the checks bounce, the victims are left with none of the pay they were promised and have lost more money through the purchases and payments they were asked to make. Many scammers use similar phishing tactics to access personal or sensitive information from victims. 

Polina Kaidash, a third-year architecture major, also fell victim to a scam during her first year at Northeastern. The email she received, obtained by The News, was from someone who appeared to be a member of Northeastern faculty, as they were using an “@northeastern.edu” email address. 

The email offered a part-time job doing basic tasks for lucrative pay. Kaidash’s first task was to buy check papers from Staples, and when she couldn’t find them, the scammer asked her to order them online. 

Upon completion, the scammer emailed Kaidash two checks — one for $1,500 and the other for $2,000.  

“She said to add it to my bank account and I did, which was really stupid now that I’m thinking about it,” Kaidash said. 

Kaidash’s next task was to go to Target and buy gift cards, which she said made her realize the job was a scam. When she stopped replying to the emails, the scammer allegedly threatened that they would go to the FBI. 

“So I just blocked them, and I didn’t do anything, but I did have $3,500 extra in my account, which was kind of stressful,” she said. 

The checks bounced a few days later and Kaidash did not receive any communication from the scammer afterward. 

Both Caslli and Kaidash said the reason they believed the emails were legitimate job opportunities was because they were sent to their school emails. 

“On my regular [email] account, I understand there’s a lot of weird stuff there,” Kaidash said. “But [on my] school account that I’ve never used before, it was weird.”

While some external emails sent to Northeastern Outlook addresses come with a banner at the top that reads, “Some content in this message has been blocked because the sender isn’t in your Safe Senders list,” that feature is missing from many scam emails, including the ones coming from internal Outlook addresses. 

“If I got this [email] to my personal email I would have 100% not even looked into it,” Caslli said. “But it was the fact that it went to my school email that made me think it was legit.”

After Caslli was scammed, she reached out to Northeastern’s Information Technology, or IT, department. She described the situation to them and they advised her it was a scam. Caslli said she was frustrated by the conversation because she felt if the IT department knew scam emails were ending up in students’ inboxes, they should have been warning students. 

“[The IT representative] did not really care, and also if you knew it was a scam, why wouldn’t you send a disclaimer to students?” Caslli said. “So that also caught me off guard, because obviously she knew it was a scam and she didn’t really care.” 

Caslli said that she Googled the contents of the email before she responded to check if it was a scam and nothing came up. She said that if Northeastern knew this email and others like it were scams, they should have posted more information about it online. 

“There should have been, like, a blog or post on Northeastern’s [website] with a screenshot of it,” Caslli said. 

The Office of Information Security at Northeastern has a page of confirmed phishing emails, and Northeastern IT Services has a page that gives tips on how to identify phishing scams. The page also provides an email address, [email protected], to which students can send suspected phishing emails. 

While these resources are available if searched for, students say they have not received any recent communication from the university warning about email scams or information on how to avoid being scammed. 

A representative from the Office of Information Security canceled a scheduled interview with The News and did not respond to multiple follow-up emails. Renata Nyul, Northeastern’s vice president for communications, said in an emailed statement to The News that Northeastern is “taking the necessary steps” to mitigate email scams.

“The university has extensive protocols to mitigate the risk of phishing scams and other attempts that are designed to compromise email security,” Nyul said.“Northeastern ITS has a large set of resources available to assist the university community, and regularly shares information with the latest updates. This is a useful website with a lot of relevant information: Phishing – Office of Information Security.”

Nyul did not directly address questions about what protections are in place to prevent scam emails from being sent to Northeastern email addresses, whether the university is aware some scam emails are coming from “@northeastern.edu” addresses nor whether it plans to send out an email to the community warning of scams.  

Students like Caslli and Kaidash continue to receive scam emails in their Outlook mailboxes, raising concerns about cyber safety at Northeastern.  

“If people are able to send emails to my school email, these scammers, [it] makes me wonder if my information is being protected,” Caslli said.