Recognize phishing scams

This week, the university is bustling as it welcomes students, faculty and staff back for the spring semester. Cybercriminals are also actively looking for clever ways to take advantage of this busy time. As you settle back into your routines, remember not to let your guard down when it comes to recognizing a phishing scam.

Phishing is when cybercriminals attempt to trick email and text users into clicking a malicious link that will download malware or redirect users to a fake website. The intent of a phishing scam is to steal your personal information for the purposes of identity theft and fraud.

Phishing scams reported on campus

  • A relatively common scam is where the phishers share documents, usually through Google Drive, that appear to be from someone important and require that you provide your login credentials to view the files.
  • There is a trend where phishers send fraudulent invoices to staff and faculty members who typically process invoices in hopes they will approve them before taking a closer look. The tricky part is that the invoices are sometimes generated by payment handlers like PayPal and Square and spoof specific supply vendors used by campus departments.
  • Another scam is targeting faculty members who receive customized emails praising their research articles and urging them to look at shared documents related to it.
  • The most prominent phishing scam on campus last semester and into this new year is the job scam targeting students; the phishers pretend to be faculty members who need to verify personal information to confirm a work opportunity.

Common signs to spot a phishing scam

  • Check the sender’s email address
    Before clicking a link, opening an attachment or replying to a message, be absolutely certain you recognize the sender’s email address and that every part of it is correct.
  • Verify links before you click
    When in doubt, don’t click any links or open any attachments. Hover your cursor over a suspicious link to see what the real link address is — you should see it displayed at the bottom-left of your browser window. Often, phishing tactics use fake URLs that look the same initially, but phishers are hoping you won’t notice.
  • Never share sensitive data
    No matter how “official” an email, phone or text message appears, legitimate organizations will never ask for your sensitive personal information such as passwords or account numbers in the message. 

Report phishing scams

Last year, there were 2,652 phishing reports addressed within the Google Alert Center and the NC State IT Service Portal. Reporting potential phishing attacks keeps others from falling victim. 

  • Contact the NC State Help Desk at 919.515.HELP (4357) or via the “Get Help” tab in the NC State IT Service Portal with any concerns or questions about suspicious emails, even before you click on any links. To expedite the support ticket, include a description of the incident (e.g., loss or theft of device or disclosure of sensitive data) in the “short description” field.
  • Use the report phishing feature built-in to Gmail. Open the message you’d like to report. At the top-right corner of the message, click the three vertical dots and select the “Report phishing” option. This helps Google recognize these messages in the future and filter them out of your inbox. The information is also shared with OIT’s cybersecurity team.
  • Forward fraudulent text messages — or smishing — on your phone to the short-code 7726, which spells “SPAM.” You’ll then receive an automated message from your wireless carrier asking you to enter the phone number from which the spam text was sent.

To learn more about suspicious emails and phishing scams, visit Phishing.