Phishing

What is Phishing?

Phishing Reporter Button

Phishing is a fraudulent email-based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. username and password. IT Security recommends users report suspicious emails using the Phishing Reporter button in Outlook, Office 365 and the Outlook mobile app.

To avoid falling victim to email scams, OIT recommends all employees:

  • REPORT suspicious emails using the Report Phishing button located on the Outlook toolbar. IT Security will analyze the email and, if found malicious, block the threat.
  • Having trouble with the Reporter button? Send the suspicious email as an attachment to phishtrap@montgomerycollege.edu
  • If you sense something strange or “phishy” about the email, pick up the phone and call the sender. Do not respond back to the sender in an email because the attacker will direct you to complete the request or download the malicious attachment.
  • Never respond to any email asking for information such as your user ID, passwords, Social Security Number, birth date, or other personally identifiable information. Neither the College nor OIT will ever ask you for this information. 
  • Do NOT click on the links in an email. If you have a business relationship with the sender or an account (MyMC, Amazon.com, your bank, etc.), log in to the account by using the known web address for the account, i.e. montgomerycollege.edu – Access MyMC.
  • Check the sending email address and name(s). If you do not know the sender or expect an email with a “shared link” or attachment, do not click on the link or open the attachment.

OIT encourages employees who need assistance in spotting a phishing email to complete (or revisit) the Data Security@MC training module “Phishing” in Workday Learning.

Report a suspicious email using the Outlook application/client
Use the Report Phishing button located on the Outlook toolbar. IT Security will analyze the email and, if found malicious, block the threat.

If using Office 365 on the web, which does not display the Report Phishing button by default, please follow these instructions to pin the Report Phishing button to your message surface. Once added, the button will be displayed for all emails in your inbox.

Report a suspicious email using a mobile device:

Assessing the legitimacy of an email on a mobile device can be challenging due to the small viewing space and limited options to fully inspect the sending domain, attachment, and link. To report a suspicious email within the Outlook app from your mobile device:

  1. Click on the three circle dots located in the top right corner of the email message
  2. This will open a window showing the Report Phishing icon
  3. Select the Report Phishing button to report
  4. Click on OK in the Report Phishing window to submit


Having trouble with the Reporter button? Send the suspicious email as an attachment to phishtrap@montgomerycollege.edu.

What is Phishing?
Phishing is a fraudulent email-based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. user name and password.

How do I report a suspected phishing email?
Select the suspected phish and click on the Report Phishing button in Outlook, Office 365 and the Outlook mobile app to report.

What happens when I report a suspected phishing email using the Phishing Reporter tool in Outlook?

Once the user reports the suspected phishing email:

  • the email is forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder)
  • the PhishMe Reporter dialog box opens with the following message:
    Click “OK” to report this e-mail to IT Security and remove the message from your Inbox. This button is for reporting only. If you have questions about the message or have interacted with it (i.e. clicked on links, opened attachments, responded to the sender, etc.) please contact the Service Desk for further assistance.

IT Security will analyze the email:

  • legitimate emails are returned to the user
  • malicious emails are deleted

Is the Outlook Phishing Reporter tool available for Outlook Web Access (OWA) or the Office 365 portal?

Yes, the Phishing Reporter tool is available for the Outlook mobile app and within the Office 365 portal.

The Phishing Reporter button is not displayed by default. Add the Phishing Reporter button when using Outlook on the web. Once added, the button will be displayed for all emails in your inbox.

Note: It is best to use the Reporter tool because the original email headers are included and needed for analysis by IT Security.
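Why the original headers matter for analysis, shown as an added example that is not part of the College's reporting tool: a report that carries the suspicious message as an attachment still exposes its sender, Reply-To, relay and authentication headers, while an inline forward does not. All addresses, domains and header values below are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample of a suspicious message (every name and address is made up).
ORIGINAL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
 by mx.college.example; Mon, 04 Mar 2024 09:12:01 -0500
Authentication-Results: mx.college.example; spf=fail; dkim=none
From: "Payroll Office" <payroll@mailer.example.net>
Reply-To: hr-updates@freemail.example
Subject: Update your direct deposit

Please confirm your bank details today.
"""

def build_report(as_attachment):
    """Build the user's report: original attached intact, or body pasted inline."""
    report = EmailMessage()
    report["From"] = "employee@college.example"
    report["To"] = "phishtrap@college.example"
    report["Subject"] = "FW: Update your direct deposit"
    if as_attachment:
        report.set_content("Reporting this message.")
        report.add_attachment(message_from_string(ORIGINAL, policy=policy.default))
    else:
        report.set_content("Forwarded:\n" + ORIGINAL.split("\n\n", 1)[1])
    return report.as_string()

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def original_headers(raw_report):
    """Triage fields from the attached original, or None if it was not attached."""
    report = message_from_string(raw_report, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the untouched original message
            auth = str(inner.get("Authentication-Results", ""))
            spf = re.search(r"\bspf=(\w+)", auth)
            sender, reply = domain_of(inner["From"]), domain_of(inner.get("Reply-To", ""))
            return {"from_domain": sender, "reply_to_domain": reply,
                    "reply_to_mismatch": bool(reply) and reply != sender,
                    "received_hops": len(inner.get_all("Received", [])),
                    "spf": spf.group(1) if spf else "missing"}
    return None  # inline forward: only the reporter's own headers remain
```
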

Should I report suspected phish to the IT Security Desk?
No, please either use the Phishing Reporter tool or forward the suspected phish to phishtrap@montgomerycollege.edu.

What if I have questions about the email or interacted with contents of the phish?
Please contact the IT Service Desk. An IT Service Desk ticket will be opened for IT Security to address the issue.

What other phishing and security awareness education resources are available?

Basic safe computing and security awareness e-courses are available in MC Learns. Available topics include:

  • Social Engineering
  • Spear Phishing Awareness
  • Malware
  • Malware links
  • Password Security
  • Data Protection
  • Mobile Devices
  • Social Networking
  • Physical Security
  • Security Outside the Office
  • Insider Threat

What is a Phish Me simulated phishing email?
PhishMe is a program OIT will use to randomly send simulated phishing email scenarios to College employees. The purpose is to promote user awareness on how to detect a phishing email.

What do I do if I receive a Phish Me simulated phishing email?
If you receive a simulated phish, don’t fall for the trick. Do what you would do with any suspected phish. Report the email using the Outlook Phishing Reporter tool or email phishtrap@montgomerycollege.edu.

What happens when I report the Phish Me simulated phishing email?
Once the user submits the simulated phishing email, the email is forwarded to IT Security and deleted from the user’s Inbox just like a real phishing email would be handled (a copy is placed in the user’s Deleted folder).

What happens if I don't detect the Phish Me email as a phish and click on the link?

If you click on the link in the simulated phishing email:

  • You will receive a 30 – 60 second informational video or graphic
  • There is no penalty for not detecting the phishing email
  • The purpose of the email is to educate College employees on how to detect the tricks and dangers of phishing emails

 

The Office of Information Technology strives to educate the MC community on safe computing habits and security awareness topics in order to safeguard College and user data. OIT randomly sends simulated phishing email scenarios with the purpose of promoting security awareness and helping users recognize phishing attempts. If you receive a simulated phish or suspicious email, don’t fall for the trick. Report the email using the Outlook Phishing Reporter button or email phishtrap@montgomerycollege.edu. Emails submitted via the Reporter button are forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder).

If you click on the link in the simulated phishing email:

  • You will receive a 30 – 60 second informational video or graphic
  • There is no penalty for not detecting the phishing email
  • The purpose of the email is to educate College employees on how to detect the tricks and dangers of phishing email

The results of the simulated phishing scenarios are provided below with tips on what to look for and additional resources on security awareness:

Phishing Scenarios 2024

 

March 2024 - Direct Deposit Scam
MC employees were recently targeted in a phishing email scam that attempted to steal the employee’s paycheck.
Read more on this important alert (PDF).


February 2022 - Widespread Phishing Attacks
IT Urgent alerted MC employees to a widespread phishing attack that included a message with an Excel spreadsheet attachment. Any attachment could include malware, particularly Microsoft Excel, Word, or PowerPoint, where the user may be prompted to “Enable Content”. Read more about this alert (PDF).


February 2022 - USB Devices
The FBI issued a warning of a cybercrime campaign in which attackers mail USB thumb drives to US organizations with the goal of delivering ransomware into their environments. When plugged into a computer system, the USB device automatically injects a series of keystrokes to download ransomware, bypassing common security controls. Read the IT Security Alert for more information (PDF).


September 2021 - Gift Card Email Scam
A scammer sends you an email impersonating your boss, making up a story about needing your help with something — an office surprise party, a company event, even a simple errand. Whatever the reason, they will ask you to help by paying them with gift cards, promising to pay you back later. But once you hand over the gift card number and PIN, the money is gone. Read more about what to look out for and what you can do to protect yourself (PDF).


March 2021 - COVID-19 Vaccine Survey
The U.S. Department of Justice has issued a warning about a fraudulent COVID-19 vaccine survey. This phishing attempt, sent through email and text messages, prompts recipients to fill out a survey and give their credit card information for shipping and handling, in exchange for a prize. This survey is designed to steal money and capture personal information. Stay vigilant and check The U.S. Department of Justice's website for more information on this scam.

March 2021 - Tax Refund Scam
The Internal Revenue Service is warning about a tax refund scam from IRS impersonators who are targeting those who work at colleges and universities, as well as their students.
Read the Inside Higher Ed article for more information.


January 2021 - Stimulus Phishing Scams

As many people await coronavirus economic impact payments—or stimulus payments—it is important to be wary of scams.

Remember, government agencies will not call or email you to verify personal or financial information to release a stimulus payment.

Watch out for fraudulent emails, phone calls, and text messages such as:

  • Asking you to verify personal or banking information
  • Telling you that some or all of your information is missing
  • Promising you can get money faster by sending personal information
  • Claiming to offer business-related information on funding, loans, or taxes
  • Asking you to sign over your stimulus payment
  • Suggesting you qualify for a special government grant and you need to verify your identity to process the request
  • Mailing you a fake check with a note that says to call a number or verify information online to cash it

Remember:

  • Go to the official government agency website, www.irs.gov for the latest information. Beware of unsolicited messages impersonating government agencies. Report suspicious emails using the Report Phishing button.
  • Take extra caution during this time. Stay calm and look closely at the email content before responding. Don’t click links or open attachments in suspicious emails.
  • Keep your passwords private. No reputable company will ask for your password over email. If you entered your credentials into a fraudulent website, change them immediately and notify your security team.

November 2020

The holiday season is upon us - inboxes are filled with order confirmations, shipping notifications, flash sale alerts, and end-of-year promotional offers, as well as eCards from family and friends. 
Cyber criminals are ready to take full advantage of the surge of emails coming into your inbox during this time and will try and lure you in with a phishing scam.

Don't be a victim! Protect yourself by becoming familiar with these Common Holiday Phishing Scams (PDF).

Contact IT Security if you have any questions or concerns.