
Phishing


What is Phishing?

Phishing is a fraudulent email-based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. username and password. IT Security recommends users report suspicious emails using the Phishing Reporter button in Outlook, Office 365 and the Outlook mobile app.

To avoid falling victim to email scams, OIT recommends all employees:

  • REPORT suspicious emails using the Report Phishing button. IT Security will analyze the email and, if found malicious, block the threat.
  • If you sense something strange or “phishy” about the email, pick up the phone and call the sender. Do not respond back to the sender in an email because the attacker will direct you to complete the request or download the malicious attachment.
  • Never respond to any email asking for information such as your user ID, passwords, Social Security Number, birth date, or other personally identifiable information. Neither the College nor OIT will ever ask you for this information. 
  • Do NOT click on the links in an email. If you have a business relationship with the sender or an account (MyMC, Amazon.com, your bank, etc.), log in to the account by using the known web address for the account, i.e. montgomerycollege.edu – Access MyMC.
  • Check the sending email address and name(s). If you do not know the sender or expect an email with a “shared link” or attachment, do not click on the link or open the attachment.

OIT encourages all employees who need assistance in spotting a phishing email to take the Cybersecurity e-courses within MC Learns. The e-courses are short videos that provide employees with the skills needed to detect malicious emails.

 

What is Phishing?
Phishing is a fraudulent email-based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. user name and password.

How do I report a suspected phishing email?
Select the suspected phish and click on the Report Phishing button in Outlook, Office 365 and the Outlook mobile app to report.

What happens when I report a suspected phishing email using the Phishing Reporter tool in Outlook?

Once the user reports the suspected phishing email:

  • the email is forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder)
  • the PhishMe Reporter dialog box opens with the following message:
    Click “OK” to report this e-mail to IT Security and remove the message from your Inbox. This button is for reporting only. If you have questions about the message or have interacted with it (i.e. clicked on links, opened attachments, responded to the sender, etc.) please contact the Service Desk for further assistance

IT Security will analyze the email:

  • legitimate emails are returned to the user
  • malicious emails are deleted

Is the Outlook Phishing Reporter tool available for Outlook Web Access (OWA) or the Office 365 portal?

Yes, the Phishing Reporter tool is available for the Outlook mobile app and within the Office 365 portal.

The Phishing Reporter button is not displayed by default. Add the Phishing Reporter button when using Outlook on the web. Once added, the button will be displayed for all emails in your inbox.

Note: It is best to use the Reporter tool because the original email headers are included and needed for analysis by IT Security.

Should I report suspected phish to the IT Security Desk?
No, please either use the Phishing Reporter tool or forward the suspected phish to phishtrap@montgomerycollege.edu.

What if I have questions about the email or interacted with contents of the phish?
Please contact the IT Service Desk. An IT Service Desk ticket will be opened for IT Security to address the issue.

What other phishing and security awareness education resources are available?

Basic safe computing and security awareness e-courses are available in MC Learns.  Available topics include:

  • Social Engineering
  • Spear Phishing Awareness
  • Malware
  • Malware links
  • Password Security
  • Data Protection
  • Mobile Devices
  • Social Networking
  • Physical Security
  • Security Outside the Office
  • Insider Threat

What is a Phish Me simulated phishing email?
PhishMe is a program OIT will use to randomly send simulated phishing email scenarios to College employees. The purpose is to promote user awareness on how to detect a phishing email.

What do I do if I receive a Phish Me simulated phishing email?
If you receive a simulated phish, don’t fall for the trick. Do what you would do with any suspected phish. Report the email using the Outlook Phishing Reporter tool or email phishtrap@montgomerycollege.edu.

What happens when I report the Phish Me simulated phishing email?
Once the user submits the simulated phishing email, the email is forwarded to IT Security and deleted from the user’s Inbox just like a real phishing email would be handled (a copy is placed in the user’s Deleted folder).

What happens if I don't detect the Phish Me email as a phish and click on the link?

If you click on the link in the simulated phishing email:

  • You will receive a 30 – 60 second informational video or graphic
  • There is no penalty for not detecting the phishing email
  • The purpose of the email is to educate College employees on how to detect the tricks and dangers of phishing emails

 

The Office of Information Technology strives to educate the MC community on safe computing habits and security awareness topics in order to safeguard College and user data. OIT randomly sends simulated phishing email scenarios with the purpose of promoting security awareness and helping users recognize phishing attempts. If you receive a simulated phish or suspicious email, don’t fall for the trick. Report the email using the Outlook Phishing Reporter button or email phishtrap@montgomerycollege.edu. Emails submitted via the Reporter button are forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder).

 The results of the simulated phishing scenarios are provided below with tips on what to look for and additional resources on security awareness:

Montgomery College introduced the Phishing Reporter button to provide employees a quick and easy way to report suspicious emails. The Phishing Reporter button captures the suspicious email’s metadata and submits it to IT Security, providing essential data for preventing and thwarting attacks.
Learn how to access the Phishing Reporter button when using Office 365 at home. 


 

March 2021 - COVID-19 Vaccine Survey
The U.S. Department of Justice has issued a warning about a fraudulent COVID-19 vaccine survey. This phishing attempt, sent through email and text messages, prompts recipients to fill out a survey and give their credit card information for shipping and handling, in exchange for a prize. This survey is designed to steal money and capture personal information. Stay vigilant and check the U.S. Department of Justice's website for more information on this scam.

March 2021 - Tax Refund Scam
The Internal Revenue Service is warning about a tax refund scam from IRS impersonators who are targeting those who work at colleges and universities, as well as their students.
Read the Inside Higher Ed article for more information.


January 2021 - STIMULUS PHISHING SCAMS

As many people await coronavirus economic impact payments—or stimulus payments—it is important to be wary of scams.

Remember, government agencies will not call or email you to verify personal or financial information to release a stimulus payment.

IRS Scam Example

Watch out for fraudulent emails, phone calls, and text messages such as:

  • Asking you to verify personal or banking information
  • Telling you that some or all of your information is missing
  • Promising you can get money faster by sending personal information
  • Claiming to offer business-related information on funding, loans, or taxes
  • Asking you to sign over your stimulus payment
  • Suggesting you qualify for a special government grant and you need to verify your identity to process the request
  • Mailing you a fake check with a note that says to call a number or verify information online to cash it

Remember:

  • Go to the official government agency website, www.irs.gov for the latest information. Beware of unsolicited messages impersonating government agencies. Report suspicious emails using the Report Phishing button.
  • Take extra caution during this time. Stay calm and look closely at the email content before responding. Don’t click links or open attachments in suspicious emails.
  • Keep your passwords private. No reputable company will ask for your password over email. If you entered your credentials into a fraudulent website, change them immediately and notify your security team.

November 2020



The holiday season is upon us - inboxes are filled with order confirmations, shipping notifications, flash sale alerts, and end-of-year promotional offers, as well as eCards from family and friends. 
Cyber criminals are ready to take full advantage of the surge of emails coming into your inbox during this time and will try to lure you in with a phishing scam.

Don't be a victim! Protect yourself by becoming familiar with these Common Holiday Phishing Scams (PDF).

Contact IT Security if you have any questions or concerns.
