Intended Audience: Students, Faculty, and Staff
Summary
Email remains the primary tool cybercriminals use to target universities, faculty, staff, and students. Threats are evolving—ranging from simple phishing emails to highly targeted spear phishing, phone-based scams, text message lures, and advanced techniques like QR-code phishing and deepfake emails. By learning the warning signs and following best practices, you can protect both your personal data and the University’s systems.
Problem
Attackers rely on human error rather than technical weaknesses. They often disguise themselves as trusted colleagues, vendors, or organizations. These scams can result in stolen credentials, unauthorized financial transfers, malware infections, or even identity theft. Because attacks often mimic real University or business communications, spotting them requires vigilance and training.
Solution
You can defend against email attacks by:
-
Recognizing common tactics (urgency, requests for money/PII, poor spelling).
-
Knowing the modern tricks cybercriminals use (QR codes, MFA fatigue, cloud storage lures).
-
Reporting suspicious emails immediately through Outlook.
-
Following PVAMU’s security best practices, such as using strong passphrases, verifying requests, and keeping software updated.
Steps
Reporting a Suspicious Email
Before you report, do not click links, open attachments, or reply to the sender. Follow the instructions below based on the Outlook version you are using.
Outlook Desktop (Windows/Mac)
-
Select the suspicious email in your Inbox.
-
If available, click the Report Message or Report Phishing button on the ribbon.
-
If not available, press Ctrl+Alt+F (Windows) or Forward as Attachment (Mac).
-
Address the new email to informationsecurity@pvamu.edu and send.
Outlook Web (OWA – outlook.office.com)
-
Open the suspicious message.
-
Click … (More actions) → Report → Phishing.
-
Forward the email as an attachment to informationsecurity@pvamu.edu if possible.
Outlook Mobile (iOS/Android)
-
Long-press the suspicious email.
-
Choose Move to Junk or Report Phishing (if available).
-
If you cannot forward as an attachment, screenshot the message and email it to informationsecurity@pvamu.edu.
Types of Email Attacks
Phishing
Generic emails designed to steal usernames, passphrases, or install malware. Clues include urgency, promises (raise, promotion), grammar errors, or odd sender addresses.
Spear Phishing
Personalized, targeted attacks crafted using information about you. Messages often look like they come from your boss, colleague, or vendor. Always confirm unexpected urgent requests through another channel.
Vishing (Voice Phishing)
Phone calls impersonating IT, HR, or banks that request credentials or remote access. Always hang up and verify through the organization’s official number.
Smishing (SMS Phishing)
Text messages pretending to be delivery updates, payment alerts, or account notifications with malicious links.
Business Email Compromise (BEC)
Spoofed or compromised accounts requesting urgent financial transfers, W-9s, or gift cards.
QRishing (QR Code Phishing)
Emails or posters with malicious QR codes that redirect to fake login sites.
MFA Fatigue Attacks
Hackers repeatedly send push authentication requests hoping you’ll approve one by accident. Always deny suspicious prompts.
Spotting a Scam (FAST Method)
-
From: Is the sender real or a look-alike domain?
-
Attachments/Links: Unexpected or suspicious? Hover to preview.
-
Story: Does it demand urgency, secrecy, or money?
-
Tone/Timing: Odd phrasing, poor grammar, or unusual send time?
Prevention Tips
-
Use strong, unique passphrases for all accounts.
-
Keep systems updated with anti-virus and anti-malware.
-
Verify sensitive requests using a different communication channel.
-
Hover links before clicking; avoid QR codes from unknown sources.
-
Deny unfamiliar MFA push notifications.
-
Limit oversharing of job details, travel, or projects online.