Security Awareness:

Phishing message with a photo of a fish on paper

If this were real, you would have just fallen for a phishing scam!

The "Dos, Don'ts and Nevers" of Phishing:

  1. DO NOT open unexpected email attachments.

  2. DO check the web address in your web browser after clicking links in email. If it isn't an address you know, don't enter your password or other personal information into the website.

  3. DO enter website addresses by typing them in yourself or using your own bookmarks.

  4. NEVER respond to an email with your password or other requested personal information even if the message looks real. No legitimate organization will request your password or other types of sensitive information via an email message.

Does this mean I'm in trouble? No! This isn't meant to be punitive, but we hope that you will now be better able to recognize phishing when you see it in the future.

What is this "phishing" that you speak of? Unfortunately, phishing does not involve sitting at the edge of a pier while on vacation, and it's more than just a bad pun. Phishing (phony+fishing) is when someone tries to fish information out of you. Types of information that they could be after might include your username and password, personal financial information, like your debit card number, or anything else that might be useful to someone who wants to assume your identity. In this case, someone really wanted your Emory ID and password.

There's nothing interesting in my email, why would someone want my password? This may or may not be true. Often phishers will ask for your ID and password because they want to use your e-mail account to send more spam and phishing messages. But consider this for a moment: do you have any private information (patient data, social security numbers, bank account numbers, etc.) in email messages that an identity thief might want to get their hands on? If so, they might find your email very interesting. Additionally, having your username and password gives them access to everything that you have access to: PeopleSoft, VPN, email, etc.

How could I have known that this message was fake? First and foremost, and we can't emphasize this enough, no legitimate representative of Emory will EVER ask you for your password, period. Secondly, this isn't the most well-written message. Odd word choices and bad grammar can often be a sign of phishing, but not always. Some phishing messages are very well written and look quite authentic.

Did you notice the address that the email came from? It wouldn't make sense for Emory to send you a message from a Gmail address:

Image of a Gmail email address

Also, did you know that you can look at the address of a link in your email before you click on it? Most email programs will display the address if you just hover your mouse over the link. If you do this, you'll notice that the link would send you to a non-Emory website. Emory would have no need to link you to a non-Emory website for this type of request.

Link highlighted to emphasize point

When you clicked on the link, did you notice that the website address was not an Emory address?

Image of web address
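The two checks above (where a link really points, and whether that host belongs to your organization) can be done in code as well as by hovering. The following is an added example written for this page, not Emory's own tooling: it parses a constructed sample message body, extracts every link, and flags links whose real target is outside the trusted domain or whose visible text shows a different address than the one it points to. The trusted domain (emory.edu), the sample message, and the hostnames in it are assumptions chosen for illustration.

```python
# Added example: the "hover before you click" check expressed in code.
# This is not Emory's code; it is an illustration written for this page.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organization's own domain. The page names Emory, so
# emory.edu and its subdomains are treated as the only expected targets.
TRUSTED_DOMAINS = ("emory.edu",)

# Constructed sample message body in the style the page describes. The hosts
# are reserved example values (RFC 2606 / RFC 5737), not real sites.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is over quota. Verify your NetID within 24 hours:</p>
<p><a href="http://emory.edu.login-verify.example/reset">https://netid.emory.edu/</a></p>
<p>Or manage your account at <a href="https://netid.emory.edu/account">Update your NetID</a>.</p>
<p><a href="http://203.0.113.5/login">Click here</a> if the links above do not work.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(value):
    """Lowercase host of a URL-like string, or '' if it has no host.

    Visible link text goes through this too: 'https://netid.emory.edu/'
    yields 'netid.emory.edu', while plain words like 'Click here' yield ''.
    """
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlsplit(value).hostname or "").lower()
    return host if "." in host else ""


def is_trusted(host):
    """True only for a trusted domain itself or a genuine subdomain of it.

    The leading dot in the suffix test stops look-alikes such as
    'emory.edu.evil.example' or 'notemory.edu' from passing.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_links(html):
    """One finding per link: its real host, and why it may be suspect."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = hostname(href)
        shown = hostname(text)
        findings.append({
            "href": href,
            "text": text,
            "host": host,
            "trusted": is_trusted(host),
            # Text that looks like an address but points elsewhere is
            # exactly what hovering over the link would have revealed.
            "mismatch": bool(shown) and shown != host,
        })
    return findings


def suspicious_links(html):
    """Only the links a reader should not click without a second look."""
    return [f for f in check_links(html) if not f["trusted"] or f["mismatch"]]


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML):
        verdict = "OK" if f["trusted"] and not f["mismatch"] else "SUSPICIOUS"
        print(f"{verdict:10} text={f['text']!r} -> host={f['host']!r} "
              f"mismatch={f['mismatch']}")
```

Run as a script, the sample produces two suspicious findings: the first link shows an Emory address but resolves to a look-alike host, and the third points at a bare IP address; only the middle link really goes to an emory.edu host. The subdomain test in is_trusted is the part people most often get wrong, so it is worth the extra line.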

Where can I get more information about phishing? Here are some websites with more information about phishing scams and how not to fall victim to them.

Sophos Best Practices - Phishing

Federal Trade Commission - How not to get hooked by phishing

US CERT - Avoiding social engineering and phishing attacks

Anti-phishing Working Group education page