I got this one from Tara McCarthy, Melinda Smith, Carol Fate, and Linda Jedrzejek, so it’s definitely making the rounds.

Here are some red flags that this might be a dangerous phishing operation:

1. Lots of different domains. Look at the email address: see how it ends in “iteacherweb.com”? If you hover (DON’T CLICK) your mouse cursor over “Information Request Form,” and look at the bottom of your browser, you should see that it goes to “facultyinfo.org”. Those two shouldn’t be different. To make matters worse, notice that the “unsubscribe” instructions say to go to “serviceemployee.org”. Why so many different domains? Very fishy.

Moreover, the From: address changes every time one of our staff receives this spam! We’ve gotten it from:

2. The “Information Request Form” is an unsecured web page. Don’t go clicking links in suspicious emails, but supposing we did, this is what we would see:

Notice the area at the top by the address. See how it says “Not secure”? By itself it doesn’t mean much, except that whoever these people are, they didn’t bother to set up a TLS certificate so that the web form is served over HTTPS. This means that any information you submit with this form is sent over the Internet in plain text (not scrambled at all), and readable by anybody with the tools to listen in.

Now, the form itself doesn’t ask for a lot of super sensitive info. (Never give your birthdate, SSN, or phone number online unless you know for sure the recipients are legit.) But the fact that they didn’t secure the form is sketchy by itself, and a sign that they are not professionals.

3. There is a real “American Employee Services” with a different website. If this is a scam, it’s a weird one. Notice that they print a lot of information about the company at the bottom. Let’s google it! I found this.

OK, this looks legit. The page is secure, and there’s a real phone number that goes to the company. I called it and left a message requesting a call-back. I’ll update this post with the results!

So what’s the deal with the other form? Are they pretenders using the name of a real company to scam people out of contact info? Probably, but there’s one more thing we can check to make sure.

You can go to https://whois.icann.org/en or https://www.whois.us and type in the domain of a website (the part ending in “.com” or “.org”, etc.), and usually it will tell you who registered (purchased) that domain.

Here is what I get when I look up “americaneducational.us”:

OK, this is a little weird. The website is registered to an “American Education Services” with a Washington, DC address, not a Cincinnati address as their website states. Calling the phone number results in a busy signal.

What do we get when we look up “facultyinfo.org”?

Not only is it a different registrant, but they are actively hiding their identity using a service called “WhoisGuard, Inc”.

Whew! So our spammers appear to be imitating another company that itself appears to be a little on the sketchy side.
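
The domain comparison from red flag 1 and the “Not secure” check from red flag 2 can be scripted. The following Python example is added here and is not part of the original email or post: it runs on a constructed sample message (only the three domains come from the email described above; the addresses, paths and wording are made up), assumes a single-part HTML message, and treats the last two labels of a host name as its domain.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: only the three domains come from the post;
# the addresses, paths and wording are made up for illustration.
SAMPLE = """\
From: "Faculty Services" <info@iteacherweb.com>
Subject: Information Request
Content-Type: text/html; charset="utf-8"

<p>Please complete the
<a href="http://facultyinfo.org/form">Information Request Form</a>.</p>
<p>To unsubscribe, visit
<a href="https://serviceemployee.org/unsubscribe">this page</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. where a click really goes."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def base_domain(host):
    # Simplification (assumption): last two labels. Suffixes such as
    # .co.uk need a public-suffix list to be handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def red_flags(raw):
    """Return a list of warnings for a single-part HTML message."""
    msg = message_from_string(raw)
    sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    flags = []
    for url in parser.links:
        parts = urlsplit(url)
        if not parts.hostname:
            continue  # mailto: and relative links have no host to compare
        domain = base_domain(parts.hostname)
        if domain != sender:
            flags.append(f"{domain} does not match sender domain {sender}")
        if parts.scheme != "https":
            flags.append(f"not HTTPS: {url}")
    return flags
```

Calling red_flags(SAMPLE) returns three warnings: two for link domains that differ from the sender’s, and one for the form link that is plain HTTP.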

Thanks to everybody who sent this one in!