William & Mary

Phishing - Don't Take the Bait!

Have you ever received an email claiming your account is going to be closed or blown to bits unless you respond immediately to the email? If so, you have experienced phishing, the tactic of making sensational claims to acquire personal or financial data from people. Phishing, though not new in terms of the Internet, continues to refine itself by trying to strike the perfect balance between the sensational and the believable.

Phishing for a W&M Username and Password

Phishing scams may take the form of bogus emails that often appear entirely legitimate, perhaps claiming to be from the W&M IT department.  They may inform you that the IT department is performing an upgrade and that you must send your userid and password to prevent your data being lost during the upgrade.  While many variations on this theme have been reported, the bottom line is the same.  These are not legitimate requests. 

No department or individual at the College has any legitimate reason to know your userid and password.  So just don't do it.  If you receive an email of this sort, please forward it to [[abuse]] and the Information Security Office will respond.

We will never ask you to send us your password in an email message!

Identify a Phish

For years, phishers have established credibility by creating email messages that use the same typeface and logos as legitimate organizations. A scam at W&M used a screenshot of the OWA email login page to try to trick people. 

Phishers are tricky, but you can put a chink in their armor by looking for some warning signs:

  1. Avoid clicking on links within suspicious-looking emails. Phishers have devised ways to mask webpages and URLs to look remarkably legitimate.
  2. Often phishing messages contain grammatical or typographical errors.
  3. Phishers tend not to personalize their emails, since they usually don't know their recipients' identities or even whether the recipient has any affiliation with the organization they're trying to spoof.
  4. Prizes galore, but only in exchange for some of your personal or financial data. Hint: there is no prize.
  5. It's urgent!  No, it's not.  W&M IT is not going to do any upgrades or changes to your account without notifying you in advance.  Look for announcements in the W&M Digest and on the W&M IT homepage.

If you've been a victim of a phishing scam, immediately change the password for any at-risk accounts.  If the phish came to your W&M Inbox, forward it to [[abuse]] (for faculty and staff) or report it to Google (students).

Use the Clues - Like a detective, you must find clues to keep your Inbox safe from phishing.

Catching a Phish -  Get a behind-the-scenes look at a phishing attack that struck William & Mary in 2013 and advice on how to keep phishing at bay.

Notifications sent by W&M IT

You can expect to receive a few legitimate email notifications from W&M IT that you do need to act on.  These notifications are for (but not limited to):

  • Your yearly password reset (once annually, based on the date of your previous password reset)
  • The annual network authentication (usually in early August)
  • Verification of phone locations (once annually, based on the date when the phone location was previously verified)

These notifications will direct you to the W&M IT home page.  From there, click the button to access the site for the appropriate update. 

It's best to err on the side of caution when phishing is a possibility.  If in doubt about any email you receive claiming to be from W&M IT, forward it to [[support]] for verification.

Change Your Password

You can change your password any time you wish to do so - but it is especially important to do so if you've been a victim of a phishing attack.

Reset your WMuserid password by going to the IT home page and choosing the Change Your WMuserid Password button. 

Links to sites to change passwords for other W&M accounts (like WMApps) can be found in the Accounts and Passwords section of the W&M IT Services pages.  Please don't reuse the same password on multiple sites.  Students, your WMApps password should be distinct from your WMuserid password even though you have the same userid for both accounts.

Questions? Contact the Technology Support Center (TSC)
757-221-4357 (HELP) | [[support]] | Jones 208, Monday - Friday, 8:00 am - 5:00 pm