Phishing - Don't Take the Bait!

Have you ever received an email claiming that your email needs to be moved to a new server and that the sender needs your password immediately? If so, you have experienced phishing, the tactic of making false claims to gain access to your account and/or acquire your personal data. Phishing is not new to the Internet, but it continues to refine itself by finding new ways to trick you.

Phishing for a W&M Username and Password

Phishing scams may take the form of bogus emails that often appear entirely legitimate, perhaps claiming to be from the W&M IT department. They may inform you that IT is performing an upgrade and that you must send your userid and password to prevent your data from being lost during the upgrade. While many variations on this theme have been reported, the bottom line is the same: these are not legitimate requests.

No department or individual at the university has any legitimate reason to know your userid and password. So, just don't do it. If you receive an email of this sort, please forward it to [[abuse]] and the Information Security Office will respond.

We will never ask you to send us your password in an email message!


Identify a Phish

For years, phishers have established credibility by creating email messages that use the same typeface and logos as legitimate organizations. A scam at W&M used a screenshot of the OWA email login page to try to deceive people. 

Phishers are tricky, but there are ways to put a chink in their chain by looking for some warning signs:

  1. Avoid clicking on links within suspicious-looking emails. Phishers have devised ways to mask webpages and URLs to look remarkably legitimate.
  2. Often phishing messages contain grammatical or typographical errors.
  3. Phishers tend not to personalize their emails since they don't usually know their recipients' identities and because they don't even know if the recipient has any affiliation to the organization they're trying to spoof.
  4. Prizes galore, but only in exchange for some of your personal or financial data. Hint: there is no prize.
  5. It's urgent! No, it's not. W&M IT is not going to make any upgrades or changes to your account without notifying you in advance. Look for announcements in the W&M Digest and on the W&M IT homepage.

If you've been a victim of a phishing scam, immediately change the password for any at-risk accounts. If it came to your W&M inbox, forward the phish to [[abuse]] (for faculty and staff) or report it to Google (students).

Use the Clues - Like a detective, you must find clues to keep your inbox safe from phishing.

Catching a Phish - Get a behind-the-scenes look at a phishing attack that struck William & Mary in 2013 and advice on how to keep phishing at bay.


Change Your Password

You can change your password any time you wish to do so, but it is especially important to do so if you've been a victim of a phishing attack.

Reset your WMuserid password by going to the IT home page and choosing the Change Your WMuserid Password button.

Links to sites to change passwords for other W&M accounts (like WMApps) can be found in the Accounts and Passwords section of the W&M IT Services pages. Please don't reuse the same password on multiple sites. Students, your WMApps password should be distinct from your WMuserid password even though you have the same userid for both accounts.

Questions? Contact the Technology Support Center (TSC)
757-221-4357 (HELP) | [[support]] | Jones 208, Monday - Friday, 8:00 am - 5:00 pm