You open up Outlook to find an email in your inbox offering an irresistible amount of money. The catch? All you have to do is click a link, volunteer your information and credentials, and voila! Thinking it would be mighty nice not to have to worry about tuition, you click the link.
Hook, line and sinker.
In less time than it would take a skilled bank robber to enter a bank and announce “this is a robbery,” all of your accounts are compromised. Your email, your files, your student accounts – all of it.
Phishing emails are exactly what they sound like. Hackers are going fishing, using email as the bait, and you are the target.
“During New Coug Orientation, I like to ask why phishing is spelled with a ‘ph’ instead of an ‘f,’” WSU Security Operations Manager Jim Walsborn said. “It’s rarely answered correctly, but it’s because phishing is exactly that – fishing for people. The email is the bait, and the recipient is the fish.”
The use of email to trick people into “voluntarily” handing over their information and credentials is a form of social engineering, a manipulation technique that specializes in exploiting human psychology.
“Phishing emails are designed to manipulate human behavior more than technology,” Walsborn said. “They often try to create urgency, fear or curiosity.”
So how do we know which emails to trust? Walsborn said to check the sender address and ask yourself whether you were expecting an email from them. Next, think about whether you are being pushed to do something, such as click a link. Finally, consider the context and whether what the email is claiming makes sense.
It does not matter whether the email is coming from an outside address or an @wsu.edu address, Walsborn said.
“‘Approved WSU account’ sounds very official — and also imaginary. We don’t have a department that stamps emails as approved,” he said. “Emails can come from anywhere, including compromised WSU accounts. That’s actually very common.”
When in doubt, it is best to ignore and delete suspicious emails, Walsborn said. Suspicious emails should also be reported using the “Report Phishing” button or, if that does not work, by forwarding the email as an attachment to [email protected].
“WSU is frequently targeted by state-sponsored attackers, also known as Advanced Persistent Threats. These are professional attackers – it’s literally their job to break into systems and coerce people,” Walsborn said. “Whether you’re a brand-new undergrad or a PhD candidate writing a thesis on how many cryptominers it takes to melt a university network, your WSU account has value.”
Faculty and students alike can be, and often are, the targets of phishing attacks. Though a common tactic uses email, often sent from already compromised accounts, attacks do not always arrive by email.
“Attacks don’t always start with an email. They might start with a text message or a fake login page,” Walsborn said. “WSU IT Services will never ask you for your password or MFA codes. If someone does, they’re not WSU – they’re phishing.”
If you think your accounts have been compromised, contact the Crimson Service Desk immediately at (509) 335-4357.
“The sooner we know, the faster we can contain it and prevent thousands of additional phishing emails from being sent from your account,” Walsborn said.


sue gilchrist • Feb 4, 2026 at 11:53 am
Great article.