Got Phished! Now What?

Did I Get Phished?

Receiving a phishing message does not mean you have been phished. However, opening files, clicking a link, or interacting with phishing emails is a cause for concern. In some cases, users find themselves on a malicious site and even entering personal or account related information or credentials.

If you did interact with a phishing email, don't panic. You are not alone! Attackers are getting pretty crafty these days and messages can replicate internal communications and can even appear to be coming from a legitimate '@syr.edu' email address. Many people have fallen victim to these emails and have been tricked into giving away their passwords or account information.

To secure your account after interacting with a phishing email follow the steps on this page. They are aimed to assist you in securing your account and to protect yourself, your information and your identity.

Please be sure to report any suspicious emails, activity, or concerns you have been phished to itsecurity@syr.edu.

Steps to Securing Your Account After a Phishing Attack

Step 1: Change Your Passwords

Immediately change your Syracuse University (NetID) password. To do so, visit the NetID self-service page. Additional instructions and details can be found on the Password Change FAQ.

Also immediately change any passwords for any accounts indicated in or associated with the phishing message, if other than your Syracuse University account.

You should not be using the same password you use for your NetID anywhere else. If you do, change any passwords for any other accounts to different and unique passwords.

Step 2: Review Your Two-Factor Authentication

In some cases, a bad actor may have made changes to your account two-factor authentication methods. You should review both your NetID and Microsoft multi-authentication (MFA) methods as these can be different and are managed seperately.

To manage your NetID remediation methods, visit the NetID self-service page and click 'Additional Services'. Log in and select 'Add/Change Cell Phone or Email for Account Recovery'.

To manage your Microsoft, visit mfa.syr.edu and log in. Your account's current authentication methods should be displayed for review.

Contact the Help Desk immediately if you have trouble and report any changes to your information to itsecurity@syr.edu.

Step 3: Check Your Email Rules and Scheduled Outgoing Emails

Attackers may attempt to add email rules to your account in an attempt to hide their activity from you. To do this, they often set up rules to forward and/or delete email entirely or strategically from key individuals or University offices such as ‘ITS’, ‘Bursar” or ‘Payroll’.

Instructions to check inbox rules can be found on the Securing SUMail Account After Security Lock page.

Please take note of what those rules are and provide them to the Information Security Department (see Step 4).

Confirm that no emails have been created to go out at a later time. Scheduled emails may be viewed in the Outbox within Outlook. Delete any unfamiliar emails.

Step 4: Verify MySlice Information

Attackers may attempt to change information related to your account including personal and financial information. Users should verify the following information has not been altered:

Names
Addresses
Any financial records (including verifying refund requests)
Direct deposit information (if applicable)

Step 5: Notify ITS Information Security

The ITS Information Security Department depends on the Syracuse University community to help detect and protect against phishing attacks. Taking a brief moment to send us an email may help protect many others from the attack. Simply forwarding the message to ITSecurity@listserv.syr.edu is helpful, but providing additional information as shown below will help us better protect other individuals and your access.

Have you already changed your password? Letting us know that you’ve already changed your password may prevent us from locking your account if we detect your original password being compromised.
Provide the original email headers. Headers contain detailed mail routing information that we can use to investigate the attack. Instructions on obtaining the headers can be found on the Answers “Sending Email Headers” page.
What information you provided. Did you provide your SSN? Your date of birth? Your name? Your NetID/Password? We don't need the actual information, but letting us know the type of information you entered helps us to understand the scope of the attack.
The content of your inbox rules. If you found malicious rules (rules you did not setup) in your email box, letting us know what those were will help us detect other accounts that have been compromised.

Step 6: Reduce Threats to Your Identity

Several external resources are available to reduce threats to your identity in the event you have provided personal information to attackers or you simply want to be aware of identity related protections. They include but are not limited to:

Government sites. IdentityTheft.gov is the U.S. government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide you through the recovery process. Get help to report and recover from identity theft at: https://www.identitytheft.gov/and https://identitytheft.gov/Info-Lost-or-Stolen
Credit reports. Freeze your credit report to prevent attackers from obtaining credit histories and opening new lines of credit:https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
Protect your SSN. Review the recommendations from the Social security Administration about identity theft and your SSN atwww.ssa.gov/pubs/10064.html
Create your online Social Security account. Regardless of your age or retirement eligibility -- to prevent attackers from doing so: https://www.ssa.gov/myaccount/. If you already have an account, review your statements regularly and be alert for benefits activity you didn’t initiate.

Step 7: Minimize Future Threats

For ongoing account protection, be proactive and aware regarding the following:

Enable two-factor authentication for your online accounts. This will protect you against unauthorized use of your credentials, even if they are stolen. For your University Office 365 , visit NetId.syr.edu and click Two-factor Opt-in.
Be suspicious of any email from senders you don’t know, or that seems out of character for the sender. Verify that the sender is actually who they appear to be before clicking on any links or attachments.
Be cautious of financial requests. Any request for money or goods is bound to be fraudulent. If it claims to be from a campus member, contact them or their office to verify first, or check with Information Security.
Verify links and URLs. You should verify links before clicking them by hovering your cursor over the link and examining the URL. If you don’t recognize the URL, don’t click it.
Never open attachments unless they are from someone you know or are otherwise expected.
Delete any suspicious emails, before opening them if possible.
Don’t enter your username and password (especially your University NetID) to access any website. If you are not 100% sure its a valid site, don't enter your information. In particular, you should be suspicious of email messages that have links to sites that ask you to use your University NetID and password to log in.
Keep your computer software updated and patched. Setting up automatic updates is recommend where possible including for antivirus software.
Make sure your computer’s firewall is installed and running.
Do not give passwords or MFA codes. Remember that nobody at Syracuse University will ever ask for your NetID password or for you to provide them a multi-factor authentication code for any reason, in any form other than when you’re logging in to an SU system. If somebody does, they're not representing the University or any of its offices. Report any occurrences to itsecurity@syr.edu.

Getting Help

For assistance with the information above, contact the ITS Help Desk at 315-443-2677, help@syr.edu, or by stopping into 1-227 CST. Stay up-to-date on the latest phishing activity on the ITS website.