Watch out for phishing lures

Using Google’s automated spam filters, the Office of Information Technology successfully thwarted more than 279,000 email phishing attacks from Nov. 21 through Dec. 21. 

Cybercriminals, known as “phishers,” employ cleverly crafted email, text and instant messages to lure you into a false sense of security so that you release ultra-sensitive personal information such as your passwords, Social Security number, and bank account and credit card numbers.

In recent on-campus scams, students and employees have been targeted with alarming lures such as job openings that are “too good to be true” or urgent alerts regarding citizenship status or student loans, often demanding that you respond with sensitive data within 24 hours. When such phishing attempts succeed, the entire Wolfpack community is in jeopardy.

To stay safe from cyber lures, learn and master these security practices:

  • Don’t click just yet
    When in doubt, don’t click any links or open any attachments. Instead, contact the sender using your known and trusted methods and then ask if they sent the message in question. If you have a concern or question about a suspicious message you’ve received, contact the NC State Help Desk at 919.515.4357 (HELP) or via the NC State IT Service Portal.
  • Verify web links
    If a link is suspicious, don’t click on it. Instead, to see the real link address, use your cursor to hover over it or long-press it. The real link address will be displayed at the bottom left of your browser window.
  • Scrutinize the sender’s email address
    Before you click on a link, open an attachment or reply to a message, be absolutely certain that you recognize the sender’s email address and that every part of it is correct. For example, don’t fall prey to an email from unityID-ncsu@my.com when you know it should be from unityID@ncsu.edu. Hint: See who the real sender is by clicking the down arrow under the sender’s name (to the right of the “to me” text).
  • Beware of phishy emails
    In some cases, phishing emails may be vague, sound “funny” or contain grammar errors. Such emails often threaten you with punitive actions unless you provide sensitive data immediately.
  • Never share sensitive data
    No matter how “official” an email, text or phone call appears, legitimate organizations never ask for sensitive information such as passwords or account numbers via any of these means.
  • Never forward a “loaded” phishing email
    While you may want to warn your friends and co-workers about a phishing attack, don’t forward phishing emails. Instead, send a summary of the phishing email content and subject line. You can take a screenshot of the original email or mention the links, but never include the link addresses or attachments.
  • Use Gmail and report suspicious activity
    Whenever possible, view all university emails using Gmail mobile or mail.google.com. Gmail flags potentially phishy messages with warnings. Also, check your Gmail account activity for any unusual or unauthorized actions. To report phishing:

  • Keep up with phishing trends and tactics
    • Pay attention to articles and alerts concerning current phishing scams, especially during certain times of the year such as tax season. See IRS Tax Scams / Consumer Alerts.
    • For news about threats to the campus community, check the “Cybersecurity in the News” section of Cybersecurity at NC State for updates.
  • Use the right antivirus software
    Viruses are only one type of malware, so use an NC State-approved antivirus solution to protect your devices from worms, spyware and adware.  
  • Turn on 2FA
    Wherever two-factor authentication (2FA) is available, use it for such personal accounts as email, banking and social media. You can find out more about other sites and services offering 2FA at Two Factor Auth (2FA).

For additional information on phishing and computer safety, see: