News & Events

Imagine this: You receive an email that looks super official. It’s from your bank (or so it says), and it’s warning you about “suspicious activity.” Your heart jumps. Your palms are sweaty. You click the link.  

Boom.  

That is phishing in action.  

Phishing is the 21st-century cousin of the old-school confidence scam. You know, like the smooth-talking trickster who sweet-talked people out of their cash with charm and lies? Same strategy, just digitized.  

It’s Not Just Tech, It’s Psychology Phishers don’t need to hack your computer when they can hack you. These digital con artists exploit your trust, fear, curiosity, urgency, and even greed. It’s not about code; it’s about emotions.  

• Trust: “This looks like it’s from IT, I better take it seriously.”  

• Fear: “If I don’t respond, I might lose access!”  

• Urgency: “They said my account will be locked in 10 minutes?!”  

• Curiosity: “What’s this invoice for? I better open it.”  

• Greed: “Hey! I won a free gift card!”  

Phishing works because it feels personal. It’s designed to make you react before you think. That split second of emotional hijack is all the bad guys need.  

You’re Not Dumb, You’re Human Falling for a phish doesn’t mean you’re gullible. It means you’re human. And guess what? Phishers count on that. The more you care about doing the right thing, staying secure, or responding quickly, the more likely you are to be targeted.  

So, What Can You Do? Start thinking like a skeptic. Treat every unexpected message like a stranger at your front door trying to sell you a deal that’s too good to be real.  

Pause. Breathe. Don’t react emotionally. 

Check the sender. Hover over links.  

Ask: Does this seem just a little too urgent, scary, or good to be true? 

Be the Plot Twist Phishers are counting on you to play your role in their scam. Flip the script. Be the person who doesn’t fall for the trap. Be the plot twist that ruins their day.  

Because when you sniff out a phishing email and report it, you’re not just protecting yourself. You’re protecting everyone around you. That makes you a cybersecurity A-lister that’s building a strong cybersecurity culture on campus.  

Phishing emails continue to be one of the most effective cyberattacks targeting universities. These fraudulent messages often appear to come from trusted sources—professors, IT staff, or campus departments. Still, their goal is to trick you into giving up login credentials, downloading malware, or clicking on malicious links.  

This month’s Information Security Tip focuses on how to spot phishing attempts and what to do if you suspect something suspicious. 
  

Spot a Phish: What to Look For  

• Urgent or time-sensitive language (e.g., “Your account will be locked!”)  

• Strange senders or unfamiliar email domains  

• Unexpected attachments or vague shared documents  

• Links that do not match the sender or stated purpose.  

Tip: Hover over links to preview the URL. Never enter your SU NetID and password unless you are sure the page is legitimate. 
  

Campus Phishing Example 

Recently, ITS ran a phishing simulation, and 36% of recipients clicked the link in the email. While the message appeared to be a Google Sheet shared by a campus leader, there were several signs that it was suspicious: 

1. Misspelled sender domain: The email came from @widnows.net, which is not a legitimate Google domain. 

1. Mismatched link: The document link didn’t direct to a Google service. 

1. Suspicious footer: The email referenced a cyber academy unrelated to Syracuse University, suggesting the sender wasn’t who they claimed to be. 

1. Lack of context: Recipients should have asked themselves, was I expecting this kind of document from this person? 

This simulation highlights the importance of slowing down and checking for small details that can signal a phishing attempt. 

Review SU’s phishing awareness resources: Phishing and Suspicious Email 
  

Report Suspected Phishing Emails  

Use the Report Phishing tool in Microsoft Outlook to report suspected phishing emails or contact the ITS Service Center for assistance, 315-443-2677. 

The Role We All Play in Keeping Syracuse Secure  

At Syracuse University, we pride ourselves on being a community of innovators, educators, and learners. But in today’s connected world, we’re also all stewards of something incredibly valuable: information. Whether you’re a faculty member managing sensitive research data, a staff member handling student records, or a student logging into campus systems—every one of us plays a role in protecting the University’s digital ecosystem.  

Cybersecurity isn’t just a technical issue for IT to handle behind the scenes—it’s a people issue. Most breaches don’t happen because of sophisticated hacking tools, but because of simple, preventable mistakes: clicking a malicious link, reusing a password, or opening an attachment too quickly These small actions can lead to big consequences: data loss, reputational damage, and real financial harm.  

It’s not about blame—it’s about staying aware and looking out for one another. When we understand how our daily habits impact security, we can make better decisions. Using strong, unique passwords. Double-checking unexpected messages. Reporting suspicious activity. These are small steps that, when taken together, build a powerful defense.  

Our dedicated InfoSec team is constantly working to stay ahead of threats—but the truth is, our strongest defense is you. Every safe login, every cautious click, every report of a phish—these are all victories that keep our campus community safer.  

As we take advantage of evolving technologies—like AI and cloud-based collaboration—our ways of teaching, learning, and working continue to change. That’s why your vigilance, your questions, and your care are more important than ever.  

Thank you for being part of the solution.  

— Christopher Croad 
Chief Information Security Officer 
Syracuse University