Phishing Best Practices

Tips and best practices to identify and report Phishing attacks, with special tips related to securing your academic data.

Examples of Phishing Attempts You May See

• Fake security alerts/urgent password reset requests: Log directly into an application, such as Canvas, to check access and view any notifications on the application. If you’re unable to access the application, please contact Technology Support to manage your password, MFA and account recovery options.
• Ransomware or extortion scams: Do not click any links. Report the scam to the college's Information Security Office using the Phish Alert Button.  As a best practice, do not forward suspicious messages or emails, instead take a screenshot and use that to report any potentially harmful communications.
• Impersonation attempts: Do not respond to anyone (e.g., instructor, Instructure (Canvas’ parent company), etc.) asking for your personal information, account information, or credentials or asking you to click on links. If you are concerned, verify with a reliable resource using a known phone number, website, or known email address.
• Fake assignment links: Log directly into applications like Canvas to review assignments.
• Fake grade notices: Rather thank clicking the link, log directly into the application to review your grades.

To Avoid Being Phished

• Secure your password: Keep your password private.
• Slow down: Don’t let urgency push you into a hasty click. Read carefully. If a message contains an emotional appeal, like a threat intended to scare you or inform you that your account will be disabled, it may be a scam.
• Hover before you click: Hovering over a link reveals the real destination URL (website address). Only click on or download email attachments from people or colleagues you know.
• Don’t click on unfamiliar links: Visit official company websites by typing their URL directly into a browser.
• Don’t reply: Don’t reply directly to a suspicious message or use the contact information it provides. Follow up using a different, trusted means of communication, like calling a verified number, starting a new message thread to a known address or visiting a valid website.
• When in doubt, report it: It’s always safer to report a suspicious message.  This may seem counterintuitive, but messages that have been reported as phishing can always be retrieved if identified as false positives.