Phishing

Report a suspicious email using the Outlook application/client
Use the Report Phishing button located on the Outlook toolbar. IT Security will analyze the email and, if found malicious, block the threat.

---

Report Phishing / Suspicious emails: Outlook on the Web

Montgomery College IT Security provides employees a quick and easy way to report suspicious emails using a Phishing Reporter button.  The Phishing Reporter button captures the suspicious email’s meta data and submits it to IT Security for analysis. Remember – report all suspicious emails.  IT Security will analyze the reported email and take action to prevent potential threats.

To access the Phishing Reporter button, click on the Apps icon in the top far right area of the email.

 

 

Select the Phishing Reporter button within the Apps box.

---

Report a suspicious email using a mobile device:

Assessing the legitimacy of an email on a mobile device can be challenging due to the small viewing space and limited options to fully inspect the sending domain, attachment, and link. To report a suspicious email within the Outlook app from your mobile device:

1. Click on the three circle dots located in the top right corner of the email message
2. This will open a window showing the Report Phishing icon
3. Select the Report Phishing button to report
4. Click on OK in the Report Phishing window to submit

Having trouble with the Reporter button? Send the suspicious email as an attachment to phishtrap@montgomerycollege.edu.

What is Phishing?
Phishing is a fraudulent email based attack disguised as a legitimate communication. The goal of the attacker is to trick the recipient into responding by clicking on a link, opening an attachment, or directly giving up account credentials, i.e. user name and password.

How do I report a suspected phishing email?
Select the suspected phish and click on the Report Phishing button in Outlook, Office 365 and the Outlook mobile app to report.

What happens when I report a suspected phishing email using the Phishing Reporter tool in Outlook?

Once the user reports the suspected phishing email, the email is forwarded to IT Security and deleted from the user’s Inbox:

• the email is forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder)
• the PhishMe Reporter dialog box opens with the following message:
  Click “OK” to report this e-mail to IT Security and remove the message from your Inbox. This button is for reporting only. If you have questions about the message or have interacted with it (i.e. clicked on links, opened attachments, responded to the sender, etc.) please contact the Service Desk for further assistance

IT Security will analyze the email:

• legitimate emails are returned to the user
• malicious emails are deleted

Is the Outlook Phishing Reporter tool available for Outlook Web Access (OWA) or the Office 365 portal?

Yes, the Phishing Reporter tool is available for the Outlook mobile app and within the Office 365 portal.

The Phishing Reporter button is not displayed by default. Add the Phishing Reporter buttonnew window when using Outlook on the web. Once added, the button will be displayed for all emails in your inbox.

Note: It is best to use the Reporter tool because the original email headers are included and needed for analysis by IT Security.

Should I report suspected phish to the IT Security Desk?
No, please either use the Phishing Reporter tool or forward the suspected phish to phishtrap@montgomerycollege.edu.

What if I have questions about the email or interacted with contents of the phish?
Please contact the IT Service Desk. An IT Service Desk ticket will be opened for IT Security to address the issue.

What other phishing and security awareness education resources are available?

Basic safe computing and security awareness e-courses are available in MC Learns.  Available topics include:

• Social Engineering
• Spear Phishing Awareness
• Malware
• Malware links
• Password Security
• Data Protection
• Mobile Devices
• Social Networking
• Physical Security
• Security Outside the Office
• Insider Threat

What is a Phish Me simulated phishing email?
PhishMe is a program OIT will use to randomly send simulated phishing email scenarios to College employees. The purpose is to promote user awareness on how to detect a phishing email.

What do I do if I receive a Phish Me simulated phishing email?
If you receive a simulated phish, don’t fall for the trick. Do what you would do with any suspected phish. Report the email using the Outlook Phishing Reporter tool or email phishtrap@montgomerycollege.edu.

What happens when I report the Phish Me simulated phishing email?
Once the user submits the simulated phishing email, the email is forwarded to IT Security and deleted from the user’s Inbox just like a real phishing email would be handled (a copy is placed in the user’s Deleted folder).

What happens if I don't detect the Phish Me email as a phish and click on the link?

If you click on the link in the simulated phishing email:

• You will receive a 30 – 60 second informational video or graphic
• There is no penalty for not detecting the phishing email
• The purpose of the email is to educate College employees on how to detect the tricks and dangers of phishing emails

 

The Office of Information Technology strives to educate the MC community on safe computing habits and security awareness topics in order to safeguard College and user data. OIT randomly sends simulated phishing email scenarios with the purpose of promoting security awareness and help users recognize phishing attempts. If you receive a simulated phish or suspicious email, don’t fall for the trick. Report the email using the Outlook Phishing Reporter button or email phishtrap@montgomerycollege.edu.   Emails submitted via the Reporter button are forwarded to IT Security and deleted from the user’s Inbox (a copy is placed in the user’s Deleted folder).

If you click on the link in the simulated phishing email:

• You will receive a 30 – 60 second informational video or graphic
• There is no penalty for not detecting the phishing email
• The purpose of the email is to educate College employees on how to detect the tricks and dangers of phishing email

 The results of the simulated phishing scenarios are provided below with tips on what to look for and additional resources on security awareness:

 

August 2024 - Financial Aid Scams
MC continues to experience “Grant” and “Scholarship Money” scam emails. The subject and content of the email scam indicate the recipient’s “benefit check” has been approved by the “College Board”. 

The notice instructs the student to respond back with personal information such as full name, personal email address, mobile phone number, and name of university. The scammer instructs the student to only respond from their personal email address. The obvious purpose is to remove the communication from the MC email address and MC email security filters.  
For additional tips on recognizable signs of scholarship scams check out this article from the Federal Trade Commission (FTC).

---

August 2024 - Smishing

Another cyber attack on the rise at MC is Smishing, a text messaging attack.  The name is derived from the words SMS and Phishing. Same trick, different method of delivery. The deception tactic is the same as a phishing email except the message is a text to your mobile device. This recent scam consists of a text with the message: “Hello, let me know once you receive my text. Thanks, Dr. Jermaine Williams” implying the text message was sent by our MC President.  

IT Security recommends users stay vigilant and avoid engagement with the sender. Best practice is to block the sending number and limit your phone number sharing online.  Additional information on smishing attacks may be found in this SANS article.

---

March 2024 - Direct Deposit Scam
MC employees were recently targeted in a phishing email scam that attempted to steal the employee’s paycheck.
Read more on this important alert (PDF, ) .

---

February 2022 - Widespread Phishing Attacks
IT Urgent alerted MC employees to widespread phishing attack that included a message with an Excel spreadsheet attachment.  Any attachment could include malware, particularly Microsoft Excel, Word, or PowerPoint, where the user may be prompted to “Enable Content”. Read more about this alert. (PDF, )

---

February 2022 - USB Devices
The FBI issued a warning of a cybercrime campaign in which attackers mail USB thumb drives to US organizations with the goal of delivering ransomware into their environments. When plugged into a computer system, the USB device automatically injects a series of keystrokes to download ransomware, bypassing common security controls. Read the IT Security Alert for more information. (PDF, )

---

September 2021 - Gift Card Email Scam
A scammer sends you an email impersonating your boss, making up a story about needing your help with something — an office surprise party, a company event, even a simple errand. Whatever the reason, they will ask you to help by paying them with gift cards, promising to pay you back later. But once you hand over the gift card number and PIN, the money is gone. Read more about what to look out for and what you can do to protect yourself. (PDF, )

---

March 2021 - COVID-19 Vaccine Survey
The U.S. Department of Justice has issued a warning about a fraudulent COVID-19 vaccine survey. This phishing attempt, sent through email and text messages, prompts recipients to fill out a survey and give their credit card information for shipping and handling, in exchange for a prize. This survey is designed to steal money and capture personal information. Stay vigilant and check The U.S. Department of Justice's website for more information on this scam.

March 2021 - Tax Refund Scam
The Internal Revenue Service is warning about a tax refund scam from IRS impersonators who are targeting those who work at colleges and universities, as well as their students.
Read the Inside Higher Ed articlenew window for more information.

---

January 2021 - STIMULUS PHISHING SCAMS

As many people await coronavirus economic impact payments—or stimulus payments—it is important to be wary of scams.

Remember, government agencies will not call or email you to verify personal or financial information to release a stimulus payment.

Watch out for fraudulent emails, phone calls, and text messages such as:

• Asking you to verify personal or banking information
• Telling you that some or all of your information is missing
• Promising you can get money faster by sending personal information
• Claiming to offer business-related information on funding, loans, or taxes
• Asking you to sign over your stimulus payment
• Suggesting you qualify for a special government grant and you need to verify your identity to process the request
• Mailing you a fake check with a note that says to call a number or verify information online to cash it

Remember:

• Go to the official government agency website, www.irs.gov for the latest information. Beware of unsolicited messages impersonating government agencies. Report suspicious emails using the Report Phishing button.
• Take extra caution during this time. Stay calm and look closely at the email content before responding. Don’t click links or open attachments in suspicious emails.
• Keep your passwords private.  No reputable company will ask for your password over email. If you entered your credentials into a fraudulent website, change it immediately and notify your security team.

---

November 2020

The holiday season is upon us - inboxes are filled with order confirmations, shipping notifications, flash sale alerts, and end-of-year promotional offers, as well as eCards from family and friends. 
Cyber criminals are ready to take full advantage of the surge of emails coming into your inbox during this time and will try and lure you in with a phishing scam.

Don't be a victim! Protect yourself by becoming familiar with these Common Holiday Phishing Scams (PDF, ) .

Contact IT Security if you have any questions or concerns.