Spot the bait: Don’t get phished!

One of the most direct methods cybercriminals use to access your personal data is through phishing. Phishing often comes in the form of emails designed to fool you into releasing sensitive data, such as passwords, account or social security numbers, birth dates, and other identifying information. These bad actors have become adept at making emails appear to come from trusted institutions, such as banks, retail stores, package delivery services, or even from friends, family and co-workers.

Phishing emails may contain links to harmful URLs or attachments that will download hacking programs or other malicious malware onto your devices. Or a link may take you to an online form that requires you to provide sensitive data, under the premise of unlocking or verifying an account or to claim a prize. Once you click on a link or open an attachment in a phishing email, you have taken the bait.

To protect yourself and your data, follow these recommendations:

  • Know your senders
    Phishing emails can look like they come from trusted sources. Before clicking on links or opening attachments, ensure you recognize the sender’s email address. When in doubt, don’t click on links or open attachments.
  • Beware of phishy emails
    Phishing emails may be vague or sound “funny” and often contain multiple spelling or grammar errors. If you receive such an email, contact the sender by phone for verification. Do not reply to the sender by email, as you may be communicating with someone who has hacked the sender’s account.
  • Don’t forward phishing information to others, especially the active bad links
    You may want to warn your friends, co-workers or end users of a phishing attack by forwarding them a phishing email. With some attacks, you can get your account phished just by clicking on the email link that directs you to a fraudulent website or form.
  • Instead, send a summary of the phishing email text and subject line
    You can mention the links or take a screenshot of the original email, but do not include the real one. Never forward a “loaded” phishing email, and tell others not to do so.
  • Don’t share sensitive data
    No matter how “official” an email appears, legitimate companies and organizations will never ask for personal information such as passwords and account numbers via email. Such phishing emails often contain urgent messages, requesting you provide sensitive data to avoid an action being taken against you.
  • Recognize phishing in all its forms
    Phishing attacks aren’t just limited to just email. They may also come in the form of instant messages or text messages (aka smishing) or even phone calls (aka vishing). Follow the same precautions you would for email when receiving links, attachments or requests for personal information by any of these methods.
  • Keep up with phishing trends and tactics
    Pay attention to articles and alerts concerning current phishing scams, especially during certain times of the year, such as holiday shopping seasons. The IRS recently released an alert, detailing a scam targeting payroll and human resource departments this tax season. There has been at least one report of this email scam on NC State’s campus.
  • Report suspicious activity
  • In your Google email, select Report phishing from the drop-down menu in the upper right corner of your message.
  • You can also send new phishing emails to Make sure you include the full email headers.
  • As always, contact the NC State Help Desk at or 919.515.4357 (HELP) with any concerns or questions about suspicious emails, even before you click on any links.

For additional information on phishing and computer safety tips, refer to the following resources: