Do you think you can spot a phishing attack? Cybercriminals called “phishers” cleverly craft email, instant and text messages to mimic the people and organizations you know and trust to trick you into releasing sensitive information such as your login credentials and credit card numbers. They can use that information to steal your money, your identity and other login credentials.
Know a phishing lure when you see one
- In recent on-campus scams, phishers sent targeted emails requesting gift cards, purportedly from a university supervisor or colleague.
- Students and employees are also targeted with lures of job openings and alerts regarding citizenship status and student loans, often demanding urgent responses for passport information, login credentials, Social Security numbers, and account numbers.
- Phishers may also steal login credentials by sharing Google or Microsoft documents that appear to be from someone you know but require you to provide your login credentials to view.
To stay safe from cyber lures, learn and master these security practices:
- Scrutinize the sender’s email address
Before clicking a link, opening an attachment or replying to a message, be absolutely certain you recognize the sender’s email address and that every part of it is correct. For example, don’t fall prey to an email from
when you know it should be from
You can see who the real sender is by clicking the down arrow under the sender’s name (to the right of the “to me” text). You can also verify the sender by contacting them through a trusted method such as a text, phone call or chat message.
- Verify before you click
When in doubt, don’t click any links or open any attachments. Instead, contact the sender using your known and trusted methods and then ask if they sent the message in question. Also, if you have concerns or questions about suspicious messages you’ve received, search the Knowledge Base in the NC State IT Service Portal or call 919.515.4357 (HELP).
- Hover and read carefully
Hover your cursor over a suspicious link to see what the real link address is — you’ll see it displayed at the bottom left of your browser window. Often, phishing tactics use false URLs that look the same initially but have suspicious addendums or small changes. Phishers are hoping you won’t notice. For example, instead of www.lookingforphishing.com/dont-get-phished, it might be one of these slightly different look-alikes:
- Beware of phishy emails
In some cases, phishing emails may be vague or sound “funny” while sometimes containing errors in spelling and grammar. They often threaten you with punitive actions unless you provide sensitive data immediately.
- Never share sensitive data
No matter how “official” an email, phone message or text appears, legitimate organizations never ask for sensitive personal information such as passwords or account numbers via those means.
- Use Gmail and review suspicious activity
Whenever possible, view all university emails using Google email (Gmail mobile or mail.google.com). Google Mail flags potentially phishy messages with warnings. Also, check your Gmail Last account activity for any unusual or unauthorized actions.
- Report phishing emails
While you may want to warn your friends and co-workers about a phishing attack, don’t forward phishing emails to anyone. Instead, report phishing emails:
- In your Gmail message, from the drop-down menu (three dots) in the upper right corner, select Report phishing. See Avoid and report phishing emails.
- Keep up with phishing trends and tactics
Pay attention to articles and alerts concerning current phishing scams, especially during certain times of the year such as tax season. See IRS Tax Scams / Consumer Alerts. For news about threats to the campus community, check the Cybersecurity in the News section of Cybersecurity at NC State for ongoing updates.
- Use the right antivirus software
Viruses are only one type of malware, so use an NC State-recommended antivirus solution to protect your devices from worms, spyware and adware.
- Turn on 2FA
Consider using two-factor authentication (2FA) for your personally owned accounts, including your personal email, banking and social media accounts.
You can take Google and Jigsaw’s interactive phishing quiz to test your ability to identify suspicious emails.
For additional information on phishing and computer safety, refer to the following resources: