Phishing Attacks
Phishing is an attempt to acquire your personal information, such as usernames, passwords, financial information, or internal information about Columbia University or the Business School. Phishing is a form of social engineering. It is one of the most common and effective email-based attacks.
Why should I care?
- Phishing has the potential to cause personal financial loss, identity theft, or damage to your reputation or the reputation of Columbia University.
Beware of emails that create a sense of urgency or fear, or that offer an incentive.
- Do not click on suspicious or shortened links without knowing where they lead. Also, examine the address of any link in an email you think is legitimate before clicking on it. If the link is simply text, such as “Click here to view your W2”, point your mouse over the link and the actual URL address will appear above the text and/or on the bottom of your screen. For example, if you receive an email from Payroll saying your W2 is ready and the link points you to a website in Russia, you can be certain that the email is invalid.
Be suspicious; with any unexpected communication please ask yourself a few questions:
- Does the communication make sense?
- Is it possible ITG, CUIT or some other trusted source is being impersonated?
- Are you expecting this communication? Does it have an attachment? Did you request this information?
- Would a friend, colleague or family member actually ask you for this information for a legitimate purpose?
- Does the email have misspellings and grammatical errors?
- Is the email asking you for personally identifiable information (e.g. Google or your bank sending you an email stating that your account has been hacked and that you should log in with your user-id and password, using the link contained in the email, to verify your account)?
- Does the email use a generic greeting such as “Dear Valuable Customer” or “Greetings”?
- Does the email ask you to view an attached file? This technique embeds an executable program that contains code which will take control of your computer or record and retransmit all of your keystrokes. The program is usually in a compressed “Zip” format that is almost impossible to detect with anti-virus tools.
- If an email communication looks suspicious, or too good to be true, it probably is. Attach the email and send it to your support team as suspected Phishing or block the sender and delete the message.
- Just because you received an email from a friend or colleague doesn’t mean they sent it (their account could be compromised). If it seems strange, call them or ask your support team.
- ITG has SPAM and Phishing filtering technologies in place that catch the majority of these emails before they make it to your inbox. Although nearly 60% of the email we receive is filtered, cleverly crafted or spoofed emails still make it through.
Contact Security Support
You can help us improve detection and elimination by attaching original emails and forwarding them to [email protected].
Use common sense, and don't get hooked. ITG will be conducting mock-phishing exercises to improve community awareness of this issue.