Don’t take the phisher’s bait

Phishers are continually trying to catch the attention of the NC State campus community with targeted email attacks.

In a July scam, phishers sent to students email purportedly of a job opportunity as an external human resources representative. Fourteen people fell victim to this attack and their university accounts were disabled. The phishing email read: 

We Are In need of a Virtual Administrator Assistant in your location for
only flexible 4 hours per week and get paid $350 weekly. Your duties are to
make; Suppliers payment, Tracking Raw Materials, and supplies (online) to
ensure on-time delivery of Products to Bookstores,Libraries/Customers when
needed. You will be paid in advance for all tasks and purchases to be done
as a Company Representative and Fill orders on Excel Sheet or other
Spreadsheet Packages.

If you are interested in this offer, get back to us with your Full
Name,Personal Email, and phone# to provide you with the JOB DESCRIPTION.

In spear phishing attempts like the one above, phishers pose as a boss or colleague and understand what is important to their targeted audiences — like job openings, citizenship status and student loan payments — to gain sensitive information often in a quick time frame. These sophisticated strategies are designed to get more responses than past tactics, and unfortunately, they are effective.

Phishers may sell the intended target’s information. Worse yet, they may continue the correspondence to get more information or persuade the intended target to perform acts such as purchasing gift cards and then sharing the gift card codes.

To keep from getting lured into their deceptive net, follow these helpful tips:

  • Know your senders
    Phishing emails can look like they come from trusted sources. Before clicking on links or opening attachments, ensure you recognize the sender’s email address. When in doubt, don’t click on links or open attachments.
  • Beware of phishy emails
    Phishing emails may be vague or sound “funny” and can contain multiple spelling or grammar errors. If you receive such an email that appears to come from a person you know, contact the sender by phone for verification. Do not reply to the sender by email, as you may be communicating with someone who has hacked the sender’s account.
  • Don’t forward phishing information to others, especially the active bad links
    You may want to warn your friends, co-workers or customers of a phishing attack by forwarding them a phishing email. With some attacks, you can get your account phished or device compromised just by clicking on the email link that directs you to a fraudulent website or form.
  • Instead, send a summary of the phishing email text and subject line
    You can mention the links or take a screenshot of the original email, but do not include the real one. Never forward a “loaded” phishing email, and tell others not to do so.
  • Don’t share sensitive data
    No matter how “official” an email appears, legitimate companies and organizations will never ask for personal information, such as passwords and account numbers via email. Such phishing emails often contain urgent messages, requesting that you provide sensitive data to avoid an action being taken against you.
  • Recognize phishing in all its forms
    Phishing attacks aren’t limited to just email. They may also come in the form of instant messages or text messages (aka smishing) or even phone calls (aka vishing). Follow the same precautions you would for email when receiving links, attachments or requests for personal information by any of these methods.
  • Ensure your antivirus software scans for malware
    Viruses are only one type of malware, so confirm that your antivirus is also protecting your devices against other malware, such as worms, spyware, nagware, trojans, adware, and a host of malicious codes.  
  • Keep up with phishing trends and tactics
    Pay attention to articles and alerts concerning current phishing scams, especially during certain times of the year, such as the tax season. See IRS Tax Scams / Consumer Alerts.
  • Monitor and report suspicious activity
    • When possible, view university email using Gmail mobile and web clients. Potentially phishy messages will often be flagged in Gmail with a warning. Also, check your Gmail account activity to spot any unusual or unauthorized actions.
    • In your Google email, select Report phishing from the drop-down menu in the upper right corner of your message. See Avoid and report phishing emails.
    • You can also send new phishing emails to Make sure you include the full email headers.
  • Turn on Two-factor Authentication to protect the data in your Google Apps @ NC State account and your personal email address. To view a list of applications that support 2-Step Verification, see Two Factor Auth (2FA).
  • Store sensitive university data in the appropriate storage location
    See Storage Locations for University Data.

As always, contact the NC State Help Desk via the IT Service Portal or call 919.515.HELP (4357) with any concerns or questions about suspicious email, before you click on any links. If you believe you have fallen victim to a phishing scam, contact the help desk immediately for assistance.

For additional information on phishing and computer safety tips, refer to the following resources: