Phishing emails continue to be one of the most effective cyberattacks targeting universities. These fraudulent messages often appear to come from trusted sources such as professors, IT staff, or campus departments, but their goal is to trick you into giving up login credentials, downloading malware, or clicking on malicious links.
This month’s Information Security Tip focuses on how to spot phishing attempts and what to do if an email looks suspicious.
Spot a Phish: What to Look For
- Urgent or time-sensitive language (e.g., “Your account will be locked!”)
- Strange senders or unfamiliar email domains
- Unexpected attachments or vague shared documents
- Links that do not match the sender or stated purpose
Tip: Hover over links to preview the URL. Never enter your SU NetID and password unless you are sure the page is legitimate.
Campus Phishing Example
Recently, ITS ran a phishing simulation, and 36% of recipients clicked the link in the email. While the message appeared to be a Google Sheet shared by a campus leader, there were several signs that it was suspicious:
- Misspelled sender domain: The email came from @widnows.net, which is not a legitimate Google domain.
- Mismatched link: The document link didn’t direct to a Google service.
- Suspicious footer: The email referenced a cyber academy unrelated to Syracuse University, suggesting the sender wasn’t who they claimed to be.
- Lack of context: Recipients should have asked themselves, “Was I expecting this kind of document from this person?”
This simulation highlights the importance of slowing down and checking for small details that can signal a phishing attempt.
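The first two signs from the simulation, the sender domain and the link destination, can also be checked automatically. The Python below is an added example, not an ITS tool: the sample message, the link host sheets.example.net and the one-entry list of expected domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a genuine Google Sheets share uses google.com or a subdomain of it.
GOOGLE_DOMAINS = {"google.com"}

# Constructed sample modelled on the simulation described above.
SAMPLE = """\
From: Campus Leader <leader@widnows.net>
Subject: Shared spreadsheet
Content-Type: text/html

<p>A Google Sheet was shared with you.</p>
<a href="https://sheets.example.net/open?id=1">Open in Google Sheets</a>
<a href="https://docs.google.com/help">Help</a>
"""

def in_domains(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one.
    Matching on the dot boundary keeps look-alike hosts from passing."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

class LinkCollector(HTMLParser):
    """Collects the real destination (href) of every link, not its visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def phish_indicators(raw, allowed=GOOGLE_DOMAINS):
    """Return one finding per sign: unexpected sender domain, unexpected link host."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domains(sender_domain, allowed):
        findings.append(f"sender domain {sender_domain!r} is not an expected domain")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not in_domains(host, allowed):
            findings.append(f"link goes to {host!r}, not an expected domain")
    return findings

if __name__ == "__main__":
    for finding in phish_indicators(SAMPLE):
        print(finding)
```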
Review SU’s phishing awareness resources: Phishing and Suspicious Email
Report Suspected Phishing Emails
Use the Report Phishing tool in Microsoft Outlook to report suspected phishing emails, or contact the ITS Service Center for assistance at 315-443-2677.