The "Dos, Don'ts and Nevers" of Phishing:
Does this mean I'm in trouble? No! This isn't meant to be punitive, but we hope that you will be more alert to phishing when you see it in the future.
What is this "phishing" that you speak of? Unfortunately, phishing does not involve sitting at the edge of a pier while on vacation, and it's more than just a bad pun. Phishing (phony+fishing) is when someone tries to fish information out of you. Types of information that they could be after might include your username and password, personal financial information, like your debit card number, or anything else that might be useful to someone who wants to assume your identity. In this case, someone really wanted your Emory ID and password.
There's nothing interesting in my email, so why would someone want my password? This may or may not be true. Often phishers will ask for your ID and password because they want to use your e-mail account to send more spam and phishing messages. But consider this for a moment: do you have any private information (patient data, social security numbers, bank account numbers, etc.) in email messages that an identity thief might want to get their hands on? If so, they might find your email very interesting. Additionally, having your username and password gives them access to everything that you have access to: PeopleSoft, VPN, email, etc.
How could I have known that this message was fake? First and foremost, and we can't emphasize this enough, no legitimate representative of Emory will EVER ask you for your password, period. Secondly, this isn't the most well-written message. Odd word choices and bad grammar can often be a sign of phishing, but not always. Some phishing messages are very well written and look quite authentic.
Did you notice the address that the email came from? It wouldn't make sense for Emory to send you a message from firstname.lastname@example.org.
Also, did you know that you can look at the address of a link in your email before you click on it? Most email programs will display the address if you just hover your mouse over the link. If you do this, you'll notice that the link would send you to http://password.webaccess-email.com. Emory would have no need to link you to a non-Emory website for this type of request.
When you clicked on the link, did you notice that the website address was not an Emory address?
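The hover check described above can also be run automatically over a message body. This is an added example, not part of the original page; it assumes Emory's own links live under emory.edu, and the sample message, function names and look-alike host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "emory.edu"  # assumption: the organization's own domain

# Constructed sample message body, not a real e-mail.
SAMPLE_HTML = (
    '<a href="http://password.webaccess-email.com">Verify your account</a>'
    '<a href="https://it.emory.edu/help">IT help</a>'
    '<a href="http://emory.edu.webaccess-email.com/x">https://www.emory.edu/login</a>'
)

class LinkCollector(HTMLParser):
    # Collects (visible text, href) for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_is_trusted(host):
    # Match the domain itself or a true subdomain; a bare suffix or prefix
    # test would wrongly accept hosts that merely contain the trusted name.
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def review_links(html):
    # Returns [(href, [reasons])] for links a reader should not trust.
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        host, reasons = urlsplit(href).hostname or "", []
        if not host_is_trusted(host):
            reasons.append("destination host is outside " + TRUSTED_DOMAIN)
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown != host:
            reasons.append("visible text shows a different host: " + shown)
        if reasons:
            findings.append((href, reasons))
    return findings
```

Calling review_links(SAMPLE_HTML) flags the first and third links; the third is flagged twice because its visible text names one host while the link goes to another.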
Where can I get more information about phishing? Here are some websites with more information about phishing scams and how not to fall victim.