What percentage of all emails sent to NC State are phishing or spam? The answer is 10.5%. Using Google’s automated spam filters, OIT successfully thwarted more than 436,000 email phishing attacks during the 30 days leading up to July 22, 2021. While over 300,000 phishing emails never made it to the Inbox, OIT discovered and pulled an additional 134,000 phishing emails from user inboxes.
Cybercriminals known as “phishers” employ cleverly crafted email, text and instant messages to lure you into a false sense of security so that you unwittingly release ultra-sensitive personal information such as your password, social security number, and bank account and credit card numbers. This kind of access provides a window not only into your personal data but also into any university data you might access, modify or store. Once a cybercriminal has a window into any university data, critical university data can be compromised within minutes.
In recent on-campus scams, students and employees have been targeted with alarming lures such as off-campus housing application requests, job openings that are “too good to be true,” and urgent alerts regarding citizenship status or student loans — often requiring responses within 24 hours. When such phishing attempts succeed, the entire Pack ends up at risk.
While email phishing is prevalent within the Wolfpack community, you need to watch out for it everywhere; phishing can happen over any form of communication you might use, including phone calls, texts and social media.
Common indicators of phishing lures include:
The message pressures you to ignore NC State policies or instills a sense of urgency by claiming something bad will happen, such as a monetary charge or account closure, if you don’t act immediately. Such messages are designed to make you rush into actions, such as clicking malicious links or sharing sensitive information.
The message blatantly requests sensitive or personal data such as bank account or credit card numbers, additional contact information, or other information you might be uncomfortable sharing.
- Curiosity and Rewards
The message stirs up your curiosity, provides a shortened URL (such as a bit.ly link), or claims you have won (or could win) a prize too good to be true.
- Spelling and Wording Issues
The message or profile contains bad grammar or spelling mistakes. If the message is coming from someone you know but has a strange tone or uses different wording from what they normally use, their profile may have been hacked or mimicked.
To stay safe, learn and master these cybersecurity practices:
- Make sure you have a strong password
OIT implemented a new password checker in May 2021 that ensures password strength and security. Change your password to make sure it meets the strength criteria, which makes it harder for attackers to guess your password. This is also a great time to make sure your recovery questions and answers are up-to-date.
- Update your recovery questions and answers
- Keeping your security questions and answers up-to-date and highly personalized provides yet another security layer. They serve as your passport in case you ever get locked out of your account or forget your password, and they also help to ensure that no one else can access your account and sensitive information.
- Visit the Set Security Questions Authentication Page to edit your recovery questions and answers, and remember that your answers should be impossible to guess, easy for you to remember, and not found anywhere online such as social media. Never share your security questions or answers with anyone.
- Don’t click just yet
When in doubt, don’t click any links or open any attachments. Instead, contact the sender using known and trusted methods and then ask if they sent the message in question.
CAUTION: Interacting with phishing lures can result in your NC State account being suspended — requiring you to request NC State Help Desk intervention for account reactivation. If you have a concern or question about a suspicious message you’ve received, contact the help desk at 919.515.4357 (HELP) or visit the NC State IT Service Portal.
- Verify web links
To see the real link address, move your cursor to hover over it or long press it. The real link address will be displayed at the bottom left of your browser window.
- Scrutinize the sender’s email address
Before you follow a link, open an attachment, or reply to a message, be absolutely certain you recognize the sender’s email address and that every part of it is correct. For example, don’t fall prey to an email from unityIDfirstname.lastname@example.org when you know it should be from unityID@ncsu.edu. Hint: See who the real sender is by clicking the down arrow under the sender’s name (to the right of the “to me” text).
- Beware of phishy emails
In many cases, phishing emails use generic greetings and signatures that address you as sir or madam or by your email address, that use non-specific phrases like “dear valued member,” or that have a vague signature block lacking company contact information.
- Never share sensitive data
No matter how “official” an email, text or phone call appears, legitimate organizations never ask for sensitive information such as account numbers via any of these means. No matter what, never tell anyone your passwords.
- Never forward a “loaded” phishing email
While you may want to warn your friends and co-workers about a phishing attack, don’t forward phishing emails. Instead, send a summary of the phishing email content and subject line. You can take a screenshot of the original email or mention the links, but never include the link addresses or attachments.
- Use Gmail and report suspicious activity
Whenever possible, view all university emails using Gmail mobile or mail.google.com. Gmail flags potentially phishy messages with warnings. Also, check your Gmail account activity for any unusual or unauthorized actions.
To report phishing:
- Keep up with phishing trends and tactics
- Pay attention to articles and alerts concerning current phishing scams, especially during certain times of the year such as tax season. See IRS Tax Scams / Consumer Alerts.
- For news about threats to the campus community, check the “Cybersecurity in the News” section of Cybersecurity at NC State for updates.
- Use approved antivirus software
Viruses are only one type of malware, so use an NC State-approved antivirus solution to protect your devices from worms, spyware and adware.
- Turn on 2FA
Wherever two-factor authentication (2FA) is available, use it for such personal accounts as email, banking and social media. You can find out more about other sites and services offering 2FA at Two Factor Auth (2FA).
For more information on phishing and computer safety, see:
- Phishing at NC State
- Cybersecurity at NC State
- Safe Computing at NC State
- National Cybersecurity Alliance – Spam and Phishing
- Federal Trade Commission – How to Recognize and Avoid Phishing Scams