Report a Phish
To report a phishing email, please forward it directly to firstname.lastname@example.org.
If you receive an email and are unsure of its authenticity, contact the IT Help Desk at 701-231-8685 (option 1) or email@example.com.
Phishing scams are cybercriminal attempts to steal personal and financial information or infect computers and other devices with malware and viruses. Phishing emails can appear to be from a legitimate organization, urging you to act quickly to avoid negative consequences.
These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.1
No one from NDSU will ever ask for your password.
Phishing scams include:
- Mass phishing: The most visible type of phishing, mass phishing involves sending out a large volume of emails to as many end users as possible.2
- Clone Phishing: Spoofed copy of a legitimate and previously delivered email, with original attachments or hyperlinks replaced with malicious versions, which is sent from a forged email address so it appears to come from the original sender or another legitimate source.
- Spear phishing: Spear phishers have specific targets in mind when creating their phishing scams. They will gather information about their targets from social media and other sources to make a personalized attack that is much harder to detect than a standard phishing email.3
- Whaling: Whaling is when a cybercriminal makes a spear phishing attack on a "big fish" such as a celebrity, CEO or employee with a high level of security clearance.4
- Advance-Fee Scam: Advance-fee scams take many different forms. The most common attacks ask the target to send money or bank account information to the cybercriminal.5 6
Hooked by a Phish?
If you suspect you have been hooked by a phishing scam, your best option is to take immediate action.
If you provided the username and/or password associated with your NDSU or N.D. University System accounts, call the IT Help Desk at 701-231-8685 (option 1) immediately.
Your password will need to be changed and your account inspected for any unwanted changes and activity. If you provided information for an account associated with another organization or company (e.g., bank), contact them so they can secure your account and watch for any suspicious activity.
We recommend you change the password for all accounts that utilized the compromised password. This may include accounts external to NDSU, such as your financial institution accounts and social media accounts. Keep in mind that the best practice is to have a unique password for each account, which can help protect your other accounts from being compromised, too.
Consequences of Getting Hooked
If you get hooked by a phishing scam, your accounts may be compromised and your devices at risk of being infected by malware. If you replied with sensitive information via email or entered your username and password into a malicious website, your information can be used by cyber criminals in a variety of ways.
Your email account alone can be used to:
- Make a profit off of your information or it can be made publicly available
- Access private information including your messages, calendar, chats, photos, voice recordings and location
- Harvest banking and credit card information that can be used to break into your financial accounts
- Access associated retail accounts (e.g., Amazon, iTunes, Netflix, Steam)
- Access or make changes to other academic accounts (e.g., Google Apps for Education, Blackboard)
- Hijack your social media and professional networking sites (e.g., LinkedIn)
- Steal your identity
- Send phishing messages to others, including NDSU students, staff and faculty who are then more likely to fall victim to phishing emails
- Harvest student information contained in your email or associated accounts, which is a violation of FERPA
- Harvest research and academic data contained in your email or associated accounts, which may violate international treaties, federal and state laws, and university policies
- Steal scientific works, journals and other resources that are only available to those who have paid for these materials
Access depends on whether you use the same username and/or password for multiple accounts, what information is contained within your compromised accounts, and what personal information is publicly available online through social media and other directories.
Tips and Advice
Never open an email that looks suspicious.
If the sender is someone you don't know, outside of your organization or if the email is not one used by that specific organization, the email can be considered suspicious.
Outlook Web Example
When accessing email from a mobile device, some information will be hidden until you click on "Details." In this example, "Details" was already clicked to verify the sender's authenticity.
Never click on a suspicious link.
When hovering over a hyperlink a link should appear showing where it is directing your page towards. If the link is not going to the page it says it is, if the link is a bunch of random numbers and letters or if the link looks as if it is going to a page on the correct website but has additional text that wouldn't normally be there.
If you are unsure of a link's authenticity, contact the IT Help Desk at 701-231-8685 (option 1) or firstname.lastname@example.org.
Outlook Web Example
Hyperlinks cannot be hovered over in an email delivered through Outlook on its mobile app version. Be wary of links and never click on anything you feel is suspicious.
Spelling and Grammar
Most organizations proof-read their emails before sending. There should be no spelling or grammatical errors in an email from any credible group of people.
Outlook Web Example
Below is an example of a phishing email delivered through Outlook on its mobile app version. The whole message may not appear when you open it up; however, in this example you can still read enough of the message to point out a few spelling and grammatical errors.
Threatening or Rewarding Language
Never do something because you are threatened over the internet or if the sender attempts to entice you with a reward.
This is often the first attempt at grabbing your attention and is usually a clear sign of phishing.
A Nigerian prince is not going to make you extremely wealthy if you give him your information.
You will not get locked out of any of your accounts if you do not give someone your information.
Outlook Web Example
When viewing email in a mobile app, the whole message may not appear when you open it up; however, in this example you can still read enough of the message to point out the threatening language.
Never open anything in a suspicious looking email.
Attachments have the potential to be carrying viruses and or malware which are harmful to your machine.
Outlook Web Example
Below is an example of a phishing email delivered through Outlook on its mobile app version. Attachments are usually still accessible through mobile devices and have the potential to be carrying viruses and or malware which are harmful to your devices.
Q: What should I do if I believe I am victim of a phishing scam?
A: If you provided your NDSU username and password, call the IT Help Desk at 701-231-8685 option 1 immediately – your password will need to be changed and your account inspected for any unwanted changes. If you gave the credentials for another institution, contact them so they can secure your account and watch for any suspicious activity.
Q: Do I need to change my password for other accounts?
A: It is recommended you change the password for all accounts that utilized the compromised password. This may include accounts external to NDSU, such as your NDUS account or financial institution accounts.
Determining Phishing Emails
Q: What should I do if I am not sure an email is a phishing email or legitimate email?
A: Please forward the email to the email@example.com for assistance with determining if the email is a phishing email or not.
Reporting Phishing Emails
Q: Who do I report phishing emails to?
A: If you have received a phishing email, forward it to firstname.lastname@example.org, otherwise if you are unsure of its authenticity, contact the IT Help Desk at 701-231-8685 (option 1) or email@example.com.
Spotting Phishing on Social Media
Q: What to do when someone requests to follow you on social media and you don't know him/her?
A: Keep the following tips in mind to protect yourself against social media phishing scams.
- Don't follow people you don't know.
- Assess their account. Red flags include:
- New account. Spammers are always creating accounts to reach more people. Sometimes social media will shut down accounts when they are reported by users as offensive or spammers. But it’s just as easy to open a new account.
- Few posts or followers. If the account doesn't post much or have many friends or followers, this could mean it is a newer account that was created for spamming, not engaging in relationships online.
- Ensure the social media account is official or verified. Most social media sites allow organizations and public figures to become "verified" or marked official. Look for a small blue circle next to the name with a checkmark inside like the official NDSU Facebook Page.
Training Materials and Additional Resources
- Define phishing and identify various types of phishing scams
- Recognize common baiting tactics used in phishing scams
- Examine real phishing messages
- Understand how to protect yourself from being hooked by a phishing scam
- Watch the Video: Don't Get Hooked By Phishing (Intel)
- View the training slides: Protect Yourself From Phishing Scams (.pptx) or PDF
Test Your Phishing Knowledge
Take an anonymous quiz to test your knowledge. Immediate feedback helps you fine-tune your ability to protect yourself from phishing scams.
Spread the Word
- Download posters to help raise awareness of phishing in your office or residence hall
- Arizona State University: Protecting Yourself from Phishing Scams.Arizona State University. Retrieved July 20, 2016.
- Ball State University: Phishing.Ball State University. Retrieved July 20, 2016.
- Center for Internet Security: Training and Resources.Center For Internet Security. Retrieved August 3, 2016.
- Marquette University: Phishing.Marquette University. Retrieved July 20, 2016.
- Security Tips: Avoiding Social Engineering and Phishing Attacks.United States Computer Emergency Readiness Team. Retrieved July 20, 2016.
- Spam & Phishing.StaySafeOnline. Retrieved July 20, 2016.
- Unifying the Global Response to Cybercrime.Anti-Phishing Work Group. Retrieved July 20, 2016.
- University of California Berkeley: Phishing.UC Regents. Retrieved July 20, 2016.
- University of Southern California: PhishingUniversity of Southern California. Retrieved July 20, 2016.
- US-CERT: Report Phishing.United States Computer Emergency Readiness Team. Retrieved July 20, 2016.
- FTC Consumer Information: Phishing.The Federal Trade Commission. Retrieved July 20, 2016.
- Spear Phishing: Scam, Not Sport.Symantec Corporation. Retrieved July 20, 2016.
- Scamwatch: Whaling & Spear Phishing.Australian Competition & Consumer Commission. Retrieved July 20, 2016.
- The Nigerian Prince: Old Scam, New Twist.BBB of Metropolitan New York. Retrieved July 20, 2016.
- OCC: Advance Fee FraudOffice of the Comptroller of the Currency. Retrieved November 26, 2016.