As incidents of email phishing increase, you play an important role in keeping Davidson's systems and data safe. Learn to recognize and report suspicious or malicious emails, text messages, or phone calls with these best practices. If you spot a phishing attempt or have concerns about the legitimacy of an email use the red Phish Alert button in your email to report it, or forward it to ti@davidson.edu.
Phishing Basics
Phishing is a cybercrime that relies on deception to influence people into performing an action that compromises personal information or digital security. This could be providing log-in credentials, confidential information, money, or performing an action like inadvertently installing malicious software.
Phishing victims are tricked into performing these actions because they trust the source of the request, or engage with the request without taking a critical look. For additional information about phishing and some examples, see the Cyber Aware Davidson site.
Common Features of Phishing Messages
- Too Good to Be True - Attention-grabbing statements in subject lines or text messages that are designed to attract people’s attention immediately. Remember that if it seems too good to be true, it probably is!
- Sense of Urgency - Cybercriminals will ask you to act fast because the deals or requests for help are urgent. When you come across these emails or texts it is best to ignore them. Most reliable organizations give ample time before they terminate an account and will never ask users to update their account details over the Internet. When in doubt, visit the purported source directly rather than clicking a link in an email.
- Hyperlinks - Remember, cybercriminals want your account credentials. Often, in order to get a password, they will include a link in the email that takes you to a website that appears legitimate but isn’t. When you "sign-in” on a cybercriminals website, your account credentials have been compromised. With that in mind, a link may not be what it appears to be.
Try hovering over the link to display the actual web address of the link. It could be completely different from what it is pretending to be, or very similar but slightly misspelled. Be extra vigilant for these clues before clicking on any links in an email. - Attachments - A cybercriminal may be attempting to distribute malware via a phishing campaign. To do this, they will often include attachments in the phishing email with the hopes that a user will download them onto a device. If you were not expecting an email or don’t recognize the sender, do not open any attachments in the email. These will download onto your device and can contain malware.
- Unusual or Unknown Sender - Whether it looks like it’s from someone you don’t know, or seems out of character from someone you do know, if anything seems unusual, or suspicious in general, don’t click on it! You can always forward a suspicious email to ti@davidson.edu if you aren’t sure.
Some scammers are impersonating the real name of college leaders, professors, and donors. Double-check the email address (not just the first and last name) to make sure a sender is legitimate.
Best Practices
- Never provide personal information. Never provide personally identifiable information, such as passwords, credit card account numbers, social security numbers, usernames, banking account information, or any other confidential information through email.
- Be aware and take the time to recognize phishing emails. Messages with suspicious misspellings or grammatical errors, or that reference generic departments like "support" may be scam emails. Pay attention to generic or unusual greetings email signatures, especially those attempting to pose as one of your known contacts.
- Never reply to unsolicited emails, text messages or phone calls. Messages that ask for personal information including account name, passwords, social security numbers, or credit card information should not be trusted. Davidson College will never ask you for this information over email or text messaging.
- Never purchase gift cards on request from unsolicited emails, text messages or phone calls. Messages that ask you to purchase gift cards should not be trusted. Davidson College policy does not allow for the distribution of gift cards, so this is a good red flag. See the Gifts, Gift Certificates, Gift Cards, Awards and Prizes Policy (Davidson login required.)
- Use caution with links and attachments. If you are uncertain about an email that contains links or one or more attachments, forward the email to T&I and our security team will take a closer look. Or, contact the purported sender directly via phone to confirm before you click on a link or open an attachment.
- Keep your software up to date. Keep your devices updated and use antivirus software.
- Double-Check Your Duo. Duo two-factor authentication greatly improves security. To stay protected, always double-check when confirming your Duo push that you’re logging into legitimate Davidson sites such as https://login.microsoftonline.com, https://sso.davidson.edu, another trusted Davidson.edu site, or your VPN client.
- Report it. If you are unsure or have concerns about the legitimacy of an email, use the red Phish Alert button in your email to report it, or forward it to ti@davidson.edu.