Don't Get Phished

Cybercriminals like phish. Don’t take the bait.

Phishing is a type of electronic scam. Cybercriminals try to trick you so they can steal money or information. Sometimes you can identify phishing emails and texts by looking for typos, poor graphics, files to download, links to click, odd or unusual requests, and messages that urge you to act immediately. Phishing attacks can also come through phone calls, so be on guard for calls from people you don't know.

However, cybercriminals are getting more sophisticated. Be alert for the following tactics used in phishing scams.

Scammers play on your emotions.

Fraudsters don’t want you to take time to consider the message’s legitimacy. They try to inspire fear and urgency. Or they try to make you happy about some offer, prize, or good fortune that requires you to act now.

Some real examples:

  • "Your email account will be locked."
  • "Your computer is infected or compromised."
  • "You’re a cash prize winner" for a drawing you never entered. "To receive the prize, you must prepay the taxes through a wire transfer."
  • You’re threatened with legal action by a government agency unless payment is promptly made with gift cards.

Scammers want you to click on malicious links and download attachments.

Cybercriminals can use links and attachments to deliver malicious software in order to infect your computer, steal sensitive work information, and gain access to New York Tech networks.

These bad links can be disguised to look like trusted links and take you to fake or infected websites. Attachments can appear to come from a known source, but one whose account has been compromised.

Some real examples:

  • You receive an email that appears to come from Microsoft, citing “issues with your account,” that includes a link titled “Secure Account Here.” When you hover over the link, you see the URL is “microsoft-support.com.” Microsoft has no such link.
  • You are urged to open an unexpected attachment from the university. You are asked to review and confirm your acceptance of changes to payroll information.

Scammers impersonate people and organizations.

Cybercriminals can send phishing messages that look legitimate. They use compromised email accounts and addresses to send their message. To appear more authentic, business logos are often copied from the Internet and added to the message.

Be aware: cybercriminals may send email that appears to come from a New York Tech address, such as @nyit.edu, or from an email service such as Gmail. The sender's name may be that of someone you are familiar with or a university leader.

Some real examples:

  • Staples sends you an email notification that there are delivery issues with your office supply order. You are instructed to click on the link to resolve the issue and schedule another delivery. The logo and formatting look like a Staples email; however, when you hover the cursor over the link, it indicates the URL is "staples-delivery-876976.com," which is not a legitimate address for the site.
  • Phishing emails appearing to come from Microsoft Teams have targeted as many as 50,000 Teams users with the goal of obtaining Office 365 logins.

Scammers are getting more clever.

A phishing message may have no link or attachment. Instead, recent phishing scams appear to come from your supervisor, campus leaders, or departments.

A real example:

One common phishing email is the gift-card scam. The scam typically starts with a brief email exchange, such as “Are you in the office?” or “I have a special favor to ask.” If you respond, appearing to fall for the impersonation, you will be asked to purchase several gift cards and email the card numbers to the scammer.

How can I avoid getting scammed?

  • Don't react to scare tactics and calls to act immediately, including threats of a lawsuit, computer viruses, locked accounts, or opportunities to earn or save money now.
  • Don’t reveal personal or financial information in an email or text message. (New York Tech will never ask you for your username or password.)
  • Don’t open any email attachment you are not expecting, even if it appears to come from someone you know. Their account may have been compromised.
  • Be cautious of links provided in an email. Hover the cursor over the link to verify that the URL leads to a site you recognize. (Verifying links on mobile devices will depend on the device.)
  • Verify the legitimacy of charities and crowdfunding sites before making donations. Never provide donations in cash, gift cards, or money wires.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the sender or company directly by an alternate known communication method.
  • When in doubt, throw it out. If it looks suspicious, even if you know the source, it’s best to delete it or, if appropriate, mark it as junk.
  • Think before you respond:
    • University leaders will not ask you to make an urgent wire transfer or buy gift cards.
    • No one from the New York ITS department will call to inform you about a computer virus and ask for your passwords.
    • Government agencies will not call and threaten you, or make demands for payment in the form of gift cards.

I’m still not sure if it’s a legitimate message or a phish. What should I do?

You don't have to be an expert. If something seems suspicious, it probably is. For university-related messages, forward emails to the Information Security office at infosec@nyit.edu, and we’ll look into it for you.

For suspicious messages sent to your personal account, do your research to see if the message is legitimate.

  • Contact known persons or companies directly.
  • If the sender is unknown, see if the organization exists and call them directly.
  • Consider ignoring and deleting the message.