The Office of Information Technology is conducting an
ongoing self-phishing program in order to aid the AU community in better
recognizing phishing attempts. Since phishing is one of the primary methods
malicious actors use to compromise credentials and other sensitive information,
it is important that you be able to recognize such attempts and not respond to
them. The best way to accomplish this is through training.
You may not realize it, but you are a phishing target at
school, at work, and at home. Ultimately, you are the most effective way to
detect and stop phishing scams. When viewing email messages, texts, or social
media posts, keep the following tips in mind to prevent the theft of
passwords, sensitive institutional or personal data, or private information.
How do I Avoid Being a Victim of Phishing?
Beware of suspicious messages. Phishing messages
may include a formal salutation, overly friendly tone, grammatical errors,
extensive spelling errors, or urgent requests, particularly for money or
Avoid opening links and attachments.
Even if you know the sender, don't click on
links that could direct you to a bad website. If the email references an AU
website, access the site the way you would normally, rather than via the link.
Do not open attachments unless you are expecting
a file from someone. Wherever possible, utilize tools such as the AU shared
drives and SharePoint sites to exchange documents rather than email.
Verify the source. Check the sender's email
address to make sure it is legitimate. If in doubt, delete the message and
notify the IT Help Desk.
Be suspicious of unsolicited phone calls,
visits, or email messages from individuals asking about employees or other
internal information. If an unknown individual claims to be from a legitimate
organization, try to verify their identity directly with the company.
Do not provide personal information or
information about AU, including its structure or networks, unless you are
certain of a person's authority to have the information. Where possible, refer
requests of this type to public resources.
Do not reveal personal or financial information over email, and do not respond to email solicitations for this information. This
includes following links sent in an email.
Do not send sensitive information over the
Internet before checking a website's security. Sites that accept personal
information and logins should always be encrypted.
Pay attention to the URL of a website. Malicious
websites may look identical to a legitimate site, but the URL may use a
variation in spelling, additional subdomains (e.g. yourbank.com.badsite.net),
or a different domain (e.g. .com vs. .net).
If you are unsure whether an email request is
legitimate, try to verify it by contacting the company directly. Do not use
contact information provided on a website connected to the request; instead,
check previous statements or public web sites for contact information.
Information about known phishing attacks is also available online from groups
such as the Anti-Phishing Working Group (https://www.apwg.org/).
Install and maintain anti-virus software,
firewalls, and browser ad-blockers to reduce some of this traffic. These are
all provided on the default AU computer image.
Take advantage of any additional anti-phishing
features offered by your email client and web browser.
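The URL tip above (spelling variations, additional subdomains, a different domain) can be written as a check, shown here as an added Python example that is not part of the original AU guidance. The function names, category labels, and sample links are constructed for illustration, and the check assumes the trusted domain has two labels, such as yourbank.com.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted):
    """Compare a link's hostname with the domain the message claims to come from.

    Assumption: `trusted` is a two-label domain such as yourbank.com, and the
    registrable domain is taken as the last two labels (no public suffix list).
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    trusted = trusted.lower().rstrip(".")
    if not host:
        return "no-host"
    # The trusted domain itself, or a real subdomain of it.
    if host == trusted or host.endswith("." + trusted):
        return "match"
    # Trusted name used as leading labels of some other domain.
    if ("." + host).find("." + trusted + ".") != -1:
        return "trusted-name-in-subdomain"
    name, _, tld = ".".join(host.split(".")[-2:]).rpartition(".")
    t_name, _, t_tld = trusted.rpartition(".")
    if name == t_name and tld != t_tld:
        return "different-tld"
    if edit_distance(name, t_name) <= 2:
        return "lookalike-spelling"
    return "unrelated"

# Constructed sample links; yourbank.com.badsite.net is the page's own example.
SAMPLES = [
    "https://www.yourbank.com/login",
    "https://yourbank.com.badsite.net/login",
    "https://yourbank.net/login",
    "https://y0urbank.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link, 'yourbank.com'):28} {link}")
```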
What do I do if I Think I Have Been Phished?
If you believe you might have revealed sensitive
information about AU, please report it to the IT Help Desk at firstname.lastname@example.org,
and copy Information Security at email@example.com.
Immediately change any passwords you might have
revealed. If you used the same password for multiple accounts other than your AU account, make sure to
change it for each account, and do not use that password in the future.
Watch for any unusual or unexplained charges to your
If you believe your financial accounts may be
compromised, contact your financial institution immediately and work with them
to protect any accounts that may have been compromised.