Phishing

Phishing is an email scam that tries to deceive consumers into disclosing personal information including credit card or bank account info, Social Security numbers or passwords. Phishing emails also typically intend to install malware or cause damage to computer systems.

The Office of Information Security's Engineering and Operations team monitors current trends and scams that could become a cyberthreat to the campus. They also evaluate each email forwarded to phishing@towson.edu for safety.

Phish Tank

See the latest phishing scams so you know what to look for. Launch the TU Phish Tank.

Report a Phish

Forward suspicious email to the OTS Engineering and Operations team team at phishing@towson.edu, then delete.

Report a Cybersecurity Incident

Clicked on or replied to a phish? Learn about what a cybersecurity incident is and how to report it.

Spot a Phish

Can you tell the difference between a legit website and a phishing attempt? Take OpenDNS' quiz.

1 in 99

Emails are a phishing attack. 30% of those are opened.

91%

Of cyberattacks start with a phishing email.

85 million

Malicious, junk or spam emails are sent to TU every year.

Recognizing Phishing

Phishing email scams can convey a sense of urgency, claim to be from a person, business or organization that you may be involved with, and often impersonate TU communications. If you notice these red flags, or are unsure about the legitimacy of an email, forward it to phishing AT_TOWSON then delete.

Be familiar with these red flags

Request for username and passwords-especially for NetIDs. No one at TU will send an email asking for your username and password (or ever ask you for your password).
Fraudulent job postings or announcements. Be wary of job announcements coming from a sender's personal email address. See the Career Center's tips.
Unusual purchase requests. Call the sender and ask if they really need the info or for you to make the purchase they're requesting
References to OTS as the IT department or IT service. The technology office at Towson University never refers to itself in writing as “IT” – always look for "The Office of Technology Services" or "OTS."
Obvious spelling mistakes and bad grammar. Emails sent from TU departments and offices are almost always reviewed and spell-checked prior to distribution.
Unfamiliar links in the body of the email. Don’t click – hover to check the actual web address.
Attachments that are “.exe” or “.zip” files. Opening these can launch and spread malicious software.
Unknown sender or an email from an unsolicited source. If it's not from an @towson.edu address (hover to make sure), call the sender to confirm.
Storage space/account threats or urgent messages waiting. Look up the sender in the TU directory (not a number provided in the email) and call to confirm, or contact OTS at 410-704-5151.

Look for these before logging in

Protect yourself and the campus by avoiding fake login pages. Look for these three items before entering login credentials:

A padlock: Confirm the icon appears in the URL bar.
“s” after http. Make sure the URL starts with: https://, not http://.
edu. Ensure you’re logging into a legit TU service when you see this written out before the third forward slash mark. It might be followed by other characters, and that’s ok. An example is the myTU login page, where the URL is spelled out as https://mytu.towson.edu/mytu/home.

Know about the different types of social engineering scams

Scammers use different mediums to do the same thing: trick you into sharing sensitive info like login credentials, credit card number or account details. Here are current ways scams are delivered:

Phishing scams use email.
Vishing scams use voice/phone call.
Smishing scams use text messaging or SMS.

QR Code scams

Quick response (QR) codes provide easy access to information and can be super helpful. TU's official digital signs, printed resources and event literature have QR codes that direct you to a legitimate TU webpage when scanned. But not all QR codes are legit.

Consider these before launching a webpage through a QR code

Treat a QR code like a link to a webpage: if you scan it, preview the URL before opening it. If you can’t see it, type in and search the name of the company/group/event.
Install and use trusted scanning apps from your device’s store.
Check for physical tampering. Look for a sticker placed on the original code.
Don't give any personal info without double checking the URL and the brand. Avoid entering personal info on sites accessed through scanned codes wherever possible.
If in doubt, don’t scan - confirm with “owner.” Call the office/department or look up private companies online.

Avoiding Spam

Do these things to help avoid getting spam emails

Do use separate accounts for personal use.
Do set anti-spam filters with your mail program-see Outlook Junk Email Filter.

Don't do these things to help avoid getting spam emails

Don't agree to receive postings about products or interests.
Don't reply to unsolicited email with a "remove" request, or click an "unsubscribe" link, as this only validates to a spammer or "list broker" that your address is current.
Don't resend chain letters, requests or dubious virus alerts.
Don't follow links in emails from unknown senders.Don't give personal information to an unprotected online service's member directory.
Don't reply to spam email- simply delete it.