Watch out for email scams - don't get phished!

Phishing is the common name for email scams that try to trick you into giving up your account information. The scam emails usually try to scare you by saying your account will be deleted, canceled, or terminated, or that you will lose data if you don't log in to the website. The scam websites usually look similar to a legitimate website and ask you to log in with your Wellesley account.


Information scammers can get if you fall for a scam

If you enter your account information on a scam website, the scammer will gain full access to everything your Wellesley domain account can access:
 
  • Your Workday account, which includes salary info, pay stubs, tax information, and health information.
  • Your Google Apps account, from which they can download your email, contacts, and files in Drive and scan them for personal information.
  • Accounts that use your Wellesley email address, such as Amazon, online banking, and online credit cards.
  • If you used the same email address and password on other sites, those sites are now compromised too. 

How to spot a phishing scam and protect yourself

Phishing scams start with an email that looks official, but when you really look at it, you can usually spot a few common errors:

  • The email signature doesn't include the name and contact information of a staff member from Library & Technology Services (LTS).
    • All emails from LTS will address you by name and have the name and contact information of someone in the department.
       
  • The email is a scary warning about what will happen to your account unless you log in, such as that it will be deleted, cancelled, or terminated.
    • Your account will only be disabled if your status at the College changes. 
       
  • The link in the email goes to a website that isn't on wellesley.edu or google.com, and the website doesn't have a secure lock icon.
    • Correct, secure websites will have one of these in the address bar:
      [Images: address bars for Wellesley (computer), Wellesley (mobile), Google (computer), and Google (mobile)]
         

Protect your accounts and information

Here are some tips to help keep your information secure.

  • NEW: Sign up for Duo two-factor authentication to protect your Wellesley Google Apps and Workday accounts.
    • This is a new feature that protects your account by requiring phone authentication when logging in.
       
  • Don't reply directly to emails that ask you for your account information.
    • If you're concerned, open a browser and go to the correct website manually.
       
  • Be cautious about opening attachments or downloading files from emails you receive.
    • If you weren't expecting an attachment or download, ask the person sending it to confirm it's ok.
       
  • Use anti-virus and anti-spyware software and keep them updated.
  • Keep your web browser up to date.
    • Chrome and Firefox are usually quick to flag suspicious websites.
    • Go to Help > About in your browser to check for updates.
  • Monitor your credit card and bank accounts regularly.
    • Visit the FTC website AnnualCreditReport.com to get your free credit report.
    • Some credit cards also provide credit check services.
       
  • Use a different password for every website.
    • Hackers will break into a weak website and try the account info on more secure sites, such as banks.
    • When one website gets hacked, you won't have to worry about all the other websites you used that password on.
    • Use a password manager, such as LastPass, 1Password, or KeePass.
       
  • Visit the following websites for additional security tips:

Report phishing scams

If you think you have received an email phishing scam, here are some things you can do:

Quickly report it to the Help Desk:

  1. Forward the email to helpdesk@wellesley.edu
  2. DO NOT click on any of the links or reply to the email until you get a response from the Help Desk.
  3. The Help Desk will respond during their normal hours.

Report additional details of the email to the Help Desk:

  1. When viewing the phishing scam email, next to the reply button on the left, there is a small button with a triangle on it.  Click on that and select Show Original.
  2. You should now get a new tab with additional information about the email.  Click the Download Original link, which will download an original_msg.txt file.
  3. Attach the file to an email and send it to helpdesk@wellesley.edu.
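The link checks described under "How to spot a phishing scam" can be run over the downloaded original_msg.txt. The following is an added example, not code from Library & Technology Services; the function names are hypothetical, the sample message is constructed, and an https link is used as a stand-in for the lock icon.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Domains the page names as legitimate for Wellesley logins.
TRUSTED_DOMAINS = ("wellesley.edu", "google.com")

def host_is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_link(url):
    """Return the reasons a link fails the two checks (empty list = passes)."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not a secure (https) link")
    if not host_is_trusted(parts.hostname):
        reasons.append("host %s is not on wellesley.edu or google.com" % parts.hostname)
    return reasons

def review_message(raw):
    """Map each failing link in a raw message (original_msg.txt text) to its reasons."""
    findings = {}
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", text):
            reasons = check_link(url)
            if reasons:
                findings[url] = reasons
    return findings

# Constructed sample message (not a real phishing email); .example hosts are placeholders.
SAMPLE = """From: "IT Help Desk" <helpdesk@mail-notice.example>
Subject: Your account will be terminated
Content-Type: text/plain; charset="utf-8"

Log in now to keep your account:
http://wellesley.edu.account-verify.example/login
https://login.wellesley.edu@accounts-check.example/signin
https://www.wellesley.edu/lts
"""

if __name__ == "__main__":
    for url, reasons in review_message(SAMPLE).items():
        print(url, "->", "; ".join(reasons))
```

The check compares the parsed hostname, not the visible text of the link, so a name that merely starts with or contains wellesley.edu is still flagged.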

Report the phishing scam email to Google.

  1. When viewing the phishing email, click on the down triangle and click Report Phishing.
  2. You will then be asked if this really is a phishing scam. Click Yes.  
  3. This will report the phishing email to Google and put the email into your Spam folder.

Recent phishing scams

January 2017

This scam copied our login page, even using our Wellesley College images! What set the scam website apart was that it was not located at wellesley.edu and wasn't a secure website. Always look for those things when viewing a website, both on computers and mobile phones. See the images below where we've circled the differences.

Desktop website
[Images: fake scammer website and official College website]

Mobile website
[Images: fake scammer website and official College website]

Fall 2016

This scam used an email that said your email quota was going to change.  Gmail is unlimited and doesn't have a quota.  If you clicked on the link you'd see that the website is not a secure site (no lock icon next to the website address), does not go to a gmail.com or google.com website, has poor grammar, and the Cancel button is spelled wrong.

[Images: phishing scam email and phishing scam website]

Campus-wide test phishing scam, February 2017

On February 22nd, 2017, Library & Technology Services sent a test phishing scam to the community, which we announced would be happening in our Fall 2016 news update.  Screenshots of the email and website used in this test are shown below. 
 
[Images: test phishing email and test phishing website]