Phishing
What is Phishing?
Phishing is a fraudulent email-based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. username and password. IT Security recommends users report suspicious emails using the Phishing Reporter button in Outlook, Office 365 and the Outlook mobile app.
To avoid falling victim to email scams, OIT recommends all employees:
- REPORT suspicious emails using the Report Phishing button located on the Outlook toolbar. IT Security will analyze the email and, if found malicious, block the threat.
- If you sense something strange or “phishy” about the email, pick up the phone and call the sender. Do not respond back to the sender in an email because the attacker will direct you to complete the request or download the malicious attachment.
- Never respond to any email asking for information such as your user ID, passwords, Social Security Number, birth date, or other personally identifiable information. Neither the College nor OIT will ever ask you for this information.
- Do NOT click on the links in an email. If you have a business relationship with the sender or an account (MyMC, Amazon.com, your bank, etc.), log in to the account by using the known web address for the account, i.e. montgomerycollege.edu – Access MyMC.
- Check the sending email address and name(s). If you do not know the sender or expect an email with a “shared link” or attachment, do not click on the link or open the attachment.
OIT encourages employees who need assistance in spotting a phishing email to complete (or revisit) the Data Security@MC training module “Phishing” in Workday Learning.
Report a suspicious email using the Outlook application/client
Use the Report Phishing button located on the Outlook toolbar. IT Security will analyze the email and, if found malicious, block the threat.
Report Phishing / Suspicious emails: Outlook on the Web
Montgomery College IT Security provides employees a quick and easy way to report suspicious emails using a Phishing Reporter button. The Phishing Reporter button captures the suspicious email’s meta data and submits it to IT Security for analysis. Remember – report all suspicious emails. IT Security will analyze the reported email and take action to prevent potential threats.
To access the Phishing Reporter button, click on the Apps icon in the top far right area of the email.
Select the Phishing Reporter button within the Apps box.
Report a suspicious email using a mobile device:
Assessing the legitimacy of an email on a mobile device can be challenging due to the small viewing space and limited options to fully inspect the sending domain, attachment, and link. To report a suspicious email within the Outlook app from your mobile device:
- Click on the three circle dots located in the top right corner of the email message
- This will open a window showing the Report Phishing icon
- Select the Report Phishing button to report
- Click on OK in the Report Phishing window to submit
Having trouble with the Reporter button? Send the suspicious email as an attachment to phishtrap@montgomerycollege.edu.
What is Phishing?
Phishing is a fraudulent email-based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. username and password.
How do I report a suspected phishing email?
Select the suspected phish and click on the Report Phishing button in Outlook, Office
365 and the Outlook mobile app to report.
What happens when I report a suspected phishing email using the Phishing Reporter tool in Outlook?
Once the user reports the suspected phishing email:
- the email is forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder)
- the PhishMe Reporter dialog box opens with the following message:
Click “OK” to report this e-mail to IT Security and remove the message from your Inbox. This button is for reporting only. If you have questions about the message or have interacted with it (i.e. clicked on links, opened attachments, responded to the sender, etc.) please contact the Service Desk for further assistance
IT Security will analyze the email:
- legitimate emails are returned to the user
- malicious emails are deleted
Is the Outlook Phishing Reporter tool available for Outlook Web Access (OWA) or the
Office 365 portal?
Yes, the Phishing Reporter tool is available for the Outlook mobile app and within the Office 365 portal.
The Phishing Reporter button is not displayed by default. Add the Phishing Reporter button when using Outlook on the web. Once added, the button will be displayed for all emails in your inbox.
Note: It is best to use the Reporter tool because the original email headers are included and needed for analysis by IT Security.
Should I report suspected phish to the IT Security Desk?
No, please either use the Phishing Reporter tool or forward the suspected phish to
phishtrap@montgomerycollege.edu.
What if I have questions about the email or interacted with contents of the phish?
Please contact the IT Service Desk. An IT Service Desk ticket will be opened for IT Security to address the issue.
What other phishing and security awareness education resources are available?
Basic safe computing and security awareness e-courses are available in MC Learns. Available topics include:
- Social Engineering
- Spear Phishing Awareness
- Malware
- Malware links
- Password Security
- Data Protection
- Mobile Devices
- Social Networking
- Physical Security
- Security Outside the Office
- Insider Threat
What is a PhishMe simulated phishing email?
PhishMe is a program OIT will use to randomly send simulated phishing email scenarios
to College employees. The purpose is to promote user awareness on how to detect a
phishing email.
What do I do if I receive a PhishMe simulated phishing email?
If you receive a simulated phish, don’t fall for the trick. Do what you would do with
any suspected phish. Report the email using the Outlook Phishing Reporter tool or
email phishtrap@montgomerycollege.edu.
What happens when I report the PhishMe simulated phishing email?
Once the user submits the simulated phishing email, the email is forwarded to IT Security
and deleted from the user’s Inbox just like a real phishing email would be handled
(a copy is placed in the user’s Deleted folder).
What happens if I don't detect the PhishMe email as a phish and click on the link?
If you click on the link in the simulated phishing email:
- You will receive a 30 – 60 second informational video or graphic
- There is no penalty for not detecting the phishing email
- The purpose of the email is to educate College employees on how to detect the tricks and dangers of phishing emails
The Office of Information Technology strives to educate the MC community on safe computing habits and security awareness topics in order to safeguard College and user data. OIT randomly sends simulated phishing email scenarios with the purpose of promoting security awareness and helping users recognize phishing attempts. If you receive a simulated phish or suspicious email, don’t fall for the trick. Report the email using the Outlook Phishing Reporter button or email phishtrap@montgomerycollege.edu. Emails submitted via the Reporter button are forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder).
The results of the simulated phishing scenarios are provided below with tips on what to look for and additional resources on security awareness:
- QR Codes - January 2024 (PDF)
- PDF Document - February 2024 (PDF)
- Office 365 FIX - March 2024 (PDF)
- Tax Documents - April 2024 (PDF)
- MyGov. Message - May 2024 (PDF)
- Office 365 Fix Kit - June 2024 (PDF)
- Restriction of Incoming Messages - July 2024 (PDF)
- PayPal Invoice - August 2024 (PDF)
- Voicemail email - January 2023 (PDF)
- Account Update - February 2023 (PDF)
- eCard Emails - March 2023 (PDF)
- Payroll Scam - April 2023 (PDF)
- Failed Transaction - May 2023 (PDF)
- File Transfer - June 2023 (PDF)
- Update Mail Settings - July 2023 (PDF)
- Account Deactivated - August 2023 (PDF)
- Phishing Pro Tournament Scenarios - October 2023 (PDF)
- Phishing Pro Tournament Winners! (PDF)
- Cyber Monday - November 2023 (PDF)
August 2024 - Financial Aid Scams
MC continues to experience “Grant” and “Scholarship Money” scam emails. The subject and content of the email scam indicate the recipient’s “benefit check” has been approved by the “College Board”.
The notice instructs the student to respond back with personal information such as full name, personal email address, mobile phone number, and name of university. The scammer instructs the student to only respond from their personal email address. The obvious purpose is to remove the communication from the MC email address and MC email security filters.
For additional tips on recognizable signs of scholarship scams, check out this article from the Federal Trade Commission (FTC).
August 2024 - Smishing
Another cyber attack on the rise at MC is Smishing, a text messaging attack. The name is derived from the words SMS and Phishing. Same trick, different method of delivery. The deception tactic is the same as a phishing email except the message is a text to your mobile device. This recent scam consists of a text with the message: “Hello, let me know once you receive my text. Thanks, Dr. Jermaine Williams” implying the text message was sent by our MC President.
IT Security recommends users stay vigilant and avoid engagement with the sender. Best practice is to block the sending number and limit your phone number sharing online. Additional information on smishing attacks may be found in this SANS article.
March 2024 - Direct Deposit Scam
MC employees were recently targeted in a phishing email scam that attempted to steal
the employee’s paycheck.
Read more on this important alert (PDF).
February 2022 - Widespread Phishing Attacks
IT Urgent alerted MC employees to a widespread phishing attack that included a message with an Excel spreadsheet attachment. Any attachment could include malware, particularly Microsoft Excel, Word, or PowerPoint, where the user may be prompted to “Enable Content”.
Read more about this alert. (PDF)
February 2022 - USB Devices
The FBI issued a warning of a cybercrime campaign in which attackers mail USB thumb drives to US organizations with the goal of delivering ransomware into their environments. When plugged into a computer system, the USB device automatically injects a series of keystrokes to download ransomware, bypassing common security controls. Read the IT Security Alert for more information. (PDF)
September 2021 - Gift Card Email Scam
A scammer sends you an email impersonating your boss, making up a story about needing
your help with something — an office surprise party, a company event, even a simple
errand. Whatever the reason, they will ask you to help by paying them with gift cards,
promising to pay you back later. But once you hand over the gift card number and PIN,
the money is gone. Read more about what to look out for and what you can do to protect yourself. (PDF)
March 2021 - COVID-19 Vaccine Survey
The U.S. Department of Justice has issued a warning about a fraudulent COVID-19 vaccine
survey. This phishing attempt, sent through email and text messages, prompts recipients
to fill out a survey and give their credit card information for shipping and handling,
in exchange for a prize. This survey is designed to steal money and capture personal
information. Stay vigilant and check The U.S. Department of Justice's website for more information on this scam.
March 2021 - Tax Refund Scam
The Internal Revenue Service is warning about a tax refund scam from IRS impersonators
who are targeting those who work at colleges and universities, as well as their students.
Read the Inside Higher Ed article for more information.
January 2021 - Stimulus Phishing Scams
As many people await coronavirus economic impact payments—or stimulus payments—it is important to be wary of scams.
Remember, government agencies will not call or email you to verify personal or financial information to release a stimulus payment.
Watch out for fraudulent emails, phone calls, and text messages such as:
- Asking you to verify personal or banking information
- Telling you that some or all of your information is missing
- Promising you can get money faster by sending personal information
- Claiming to offer business-related information on funding, loans, or taxes
- Asking you to sign over your stimulus payment
- Suggesting you qualify for a special government grant and you need to verify your identity to process the request
- Mailing you a fake check with a note that says to call a number or verify information online to cash it
Remember:
- Go to the official government agency website, www.irs.gov for the latest information. Beware of unsolicited messages impersonating government agencies. Report suspicious emails using the Report Phishing button.
- Take extra caution during this time. Stay calm and look closely at the email content before responding. Don’t click links or open attachments in suspicious emails.
- Keep your passwords private. No reputable company will ask for your password over email. If you entered your credentials into a fraudulent website, change them immediately and notify your security team.
November 2020
The holiday season is upon us - inboxes are filled with order confirmations, shipping
notifications, flash sale alerts, and end-of-year promotional offers, as well as eCards
from family and friends.
Cyber criminals are ready to take full advantage of the surge of emails coming into
your inbox during this time and will try and lure you in with a phishing scam.
Don't be a victim! Protect yourself by becoming familiar with these Common Holiday Phishing Scams (PDF).
Contact IT Security if you have any questions or concerns.