Phishing

What is Phishing?

Phishing is a fraudulent email-based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. username and password. IT Security recommends users report suspicious emails using the Phishing Reporter button in Outlook, Office 365 and the Outlook mobile app.
To avoid falling victim to email scams, OIT recommends all employees:
- REPORT suspicious emails using the Report Phishing button located on the Outlook toolbar.
IT Security will analyze the email and, if found malicious, block the threat.
- If using Office 365 on the web, which does not display the Report Phishing button by default, please follow these instructions to pin the Report Phishing button to your message surface. Once added, the button will be displayed for all emails in your inbox.
- Having trouble with the Reporter button? Send the suspicious email as an attachment to phishtrap@montgomerycollege.edu
- If you sense something strange or “phishy” about the email, pick up the phone and call the sender. Do not respond back to the sender in an email because the attacker will direct you to complete the request or download the malicious attachment.
- Never respond to any email asking for information such as your user ID, passwords, Social Security Number, birth date, or other personally identifiable information. Neither the College nor OIT will ever ask you for this information.
- Do NOT click on the links in an email. If you have a business relationship with the sender or an account (MyMC, Amazon.com, your bank, etc.), log in to the account by using the known web address for the account, i.e. montgomerycollege.edu – Access MyMC.
- Check the sending email address and name(s). If you do not know the sender or are not expecting an email with a “shared link” or attachment, do not click on the link or open the attachment.
OIT encourages all employees who need assistance in spotting a phishing email to take the Cybersecurity e-courses within MC Learns. The e-courses are short videos that provide employees with the skills needed to detect malicious emails.
How do I report a suspected phishing email?
Select the suspected phish and click on the Report Phishing button in Outlook, Office
365 and the Outlook mobile app to report.
What happens when I report a suspected phishing email using the Phishing Reporter tool in Outlook?
Once the user reports the suspected phishing email:
- the email is forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder)
- the PhishMe Reporter dialog box opens with the following message:
Click “OK” to report this e-mail to IT Security and remove the message from your Inbox. This button is for reporting only. If you have questions about the message or have interacted with it (i.e. clicked on links, opened attachments, responded to the sender, etc.) please contact the Service Desk for further assistance
IT Security will analyze the email:
- legitimate emails are returned to the user
- malicious emails are deleted
Is the Outlook Phishing Reporter tool available for Outlook Web Access (OWA) or the
Office 365 portal?
Yes, the Phishing Reporter tool is available for the Outlook mobile app and within the Office 365 portal.
The Phishing Reporter button is not displayed by default. Add the Phishing Reporter button when using Outlook on the web. Once added, the button will be displayed for all emails in your inbox.
Note: It is best to use the Reporter tool because the original email headers are included and needed for analysis by IT Security.
Should I report suspected phish to the IT Security Desk?
No, please either use the Phishing Reporter tool or forward the suspected phish to
phishtrap@montgomerycollege.edu.
What if I have questions about the email or interacted with contents of the phish?
Please contact the IT Service Desk. An IT Service Desk ticket will be opened for IT Security to address the issue.
What other phishing and security awareness education resources are available?
Basic safe computing and security awareness e-courses are available in MC Learns. Available topics include:
- Social Engineering
- Spear Phishing Awareness
- Malware
- Malware links
- Password Security
- Data Protection
- Mobile Devices
- Social Networking
- Physical Security
- Security Outside the Office
- Insider Threat
What is a Phish Me simulated phishing email?
PhishMe is a program OIT will use to randomly send simulated phishing email scenarios
to College employees. The purpose is to promote user awareness on how to detect a
phishing email.
What do I do if I receive a Phish Me simulated phishing email?
If you receive a simulated phish, don’t fall for the trick. Do what you would do with
any suspected phish. Report the email using the Outlook Phishing Reporter tool or
email phishtrap@montgomerycollege.edu.
What happens when I report the Phish Me simulated phishing email?
Once the user submits the simulated phishing email, the email is forwarded to IT Security
and deleted from the user’s Inbox just like a real phishing email would be handled
(a copy is placed in the user’s Deleted folder).
What happens if I don't detect the Phish Me email as a phish and click on the link?
If you click on the link in the simulated phishing email:
- You will receive a 30 – 60 second informational video or graphic
- There is no penalty for not detecting the phishing email
- The purpose of the email is to educate College employees on how to detect the tricks and dangers of phishing emails
The Office of Information Technology strives to educate the MC community on safe computing habits and security awareness topics in order to safeguard College and user data. OIT randomly sends simulated phishing email scenarios with the purpose of promoting security awareness and helping users recognize phishing attempts. If you receive a simulated phish or suspicious email, don’t fall for the trick. Report the email using the Outlook Phishing Reporter button or email phishtrap@montgomerycollege.edu. Emails submitted via the Reporter button are forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder).
The results of the simulated phishing scenarios are provided below with tips on what to look for and additional resources on security awareness:
Voicemail email - January 2023
Account Update - February 2023
eCard Emails - March 2023
Payroll Scam - April 2023
SharePoint File - January 2022
Office File Macros - February 2022
Package Delivery - March 2022
Payroll Deposit Error - April 2022
Banking Alert Invoice - May 2022
Cloud Storage Sharing - June 2022
Online Shopping - July 2022
Payroll Deposit Error - August 2022
Scan to Email Scam - September 2022
DocuSign Credential Theft Scam - January 2021
Microsoft Teams - February 2021
Tax Scam - March 2021
Zoom Meeting - April 2021
May 2021 - Microsoft Impersonation
June 2021 - LinkedIn Security Alert
July 2021 - Adobe Sign Document
August 2021 - Voicemail Phishing Emails
September 2021 - eCard Phishing
October 2021 - Incoming Emails Rejected
November 2021 - Delivery Notice
December 2021 - Holiday Schedule
Sending a Scan - January 2020
Shared Outlook Calendar - February 2020
Email Phishing Threats Using Fear of the Corona Virus - February 2020
Vulnerability at Home - April 2020
Meeting Invitation - May 2020
New Voice Message - June 2020
Brand Impersonation Tactics - July 2020
Zoom Invitation - August 2020
Shared Dropbox Files - September 2020
Incoming Emails Rejected - October 2020
Package delivery/shipping notifications - November 2020
February 2022 - Widespread Phishing Attacks
IT Urgent alerted MC employees to a widespread phishing attack that included a message
with an Excel spreadsheet attachment. Any attachment could include malware, particularly
Microsoft Excel, Word, or PowerPoint, where the user may be prompted to “Enable Content”.
Read more about this alert.
February 2022 - USB Devices
The FBI issued a warning of a cybercrime campaign in which attackers mail USB thumb
drives to US organizations with the goal of delivering ransomware into their environments.
When plugged into a computer system, the USB device automatically injects a series
of keystrokes to download ransomware, bypassing common security controls. Read the IT Security Alert for more information.
September 2021 - Gift Card Email Scam
A scammer sends you an email impersonating your boss, making up a story about needing
your help with something — an office surprise party, a company event, even a simple
errand. Whatever the reason, they will ask you to help by paying them with gift cards,
promising to pay you back later. But once you hand over the gift card number and PIN,
the money is gone. Read more about what to look out for and what you can do to protect yourself.
March 2021 - COVID-19 Vaccine Survey
The U.S. Department of Justice has issued a warning about a fraudulent COVID-19 vaccine
survey. This phishing attempt, sent through email and text messages, prompts recipients
to fill out a survey and give their credit card information for shipping and handling,
in exchange for a prize. This survey is designed to steal money and capture personal
information. Stay vigilant and check The U.S. Department of Justice's website for more information on this scam.
March 2021 - Tax Refund Scam
The Internal Revenue Service is warning about a tax refund scam from IRS impersonators
who are targeting those who work at colleges and universities, as well as their students.
Read the Inside Higher Ed article for more information.
January 2021 - Stimulus Phishing Scams
As many people await coronavirus economic impact payments—or stimulus payments—it is important to be wary of scams.
Remember, government agencies will not call or email you to verify personal or financial information to release a stimulus payment.

Watch out for fraudulent emails, phone calls, and text messages such as:
- Asking you to verify personal or banking information
- Telling you that some or all of your information is missing
- Promising you can get money faster by sending personal information
- Claiming to offer business-related information on funding, loans, or taxes
- Asking you to sign over your stimulus payment
- Suggesting you qualify for a special government grant and you need to verify your identity to process the request
- Mailing you a fake check with a note that says to call a number or verify information online to cash it
Remember:
- Go to the official government agency website, www.irs.gov for the latest information. Beware of unsolicited messages impersonating government agencies. Report suspicious emails using the Report Phishing button.
- Take extra caution during this time. Stay calm and look closely at the email content before responding. Don’t click links or open attachments in suspicious emails.
- Keep your passwords private. No reputable company will ask for your password over email. If you entered your credentials into a fraudulent website, change your password immediately and notify your security team.
November 2020

The holiday season is upon us - inboxes are filled with order confirmations, shipping
notifications, flash sale alerts, and end-of-year promotional offers, as well as eCards
from family and friends.
Cyber criminals are ready to take full advantage of the surge of emails coming into
your inbox during this time and will try to lure you in with a phishing scam.
Don't be a victim! Protect yourself by becoming familiar with these Common Holiday Phishing Scams.
Contact IT Security if you have any questions or concerns.