Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Fixed Video LxW


titleAvoid Phishing Attempts

What is Phishing?
"Phishing" refers to the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. These attempts by cybercriminals, nation states, or hacktivists to lure you into giving away personal information, to gain access to accounts, or to infect your machine with malware & viruses are a form of social engineering.  Like all universities, Appalachian State University is frequently phished for account credentials. Phishing attempts can happen through a variety of channels, including email, social media, or text messages, and can compromise security and lead to the theft of personal and financial data. Highly targeted attacks on groups or individuals are known as “spear phishing.”

What tactics are used in phishing attempts?
Phishing messages can come from hijacked accounts of people you know, making them hard to distinguish from real messages. Additionally, cybercriminals commonly use infected documents or PDF attachments as vectors for their phishing attempts. Another common trick attackers use is trying to get victims to sign in on a fake login page where their usernames and passwords can be stolen.

How do you avoid phishing attempts?
Phishing attempts can often get through spam filters and security software that you may already have in place, so stay vigilant and trust your instincts. Keep an eye out for things like unexpected urgency or a wrong salutation. Think twice about clicking a link or opening a document that seems suspicious. Double-check that every URL where you enter your password looks legitimate. And if anything raises doubt, report the communication to

<iframe width="560" height="315" src="

Widget Connector
embed/3vcLyvoKYZc" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

titleInternal Phishing Program

As part of our ongoing efforts to help defend App State from increasing cybersecurity threats, ITS will be sending out test phishing emails. These internal phishing messages are learning opportunities and employees will not be punished for falling victim to a test phishing attack.

These test phishing messages will simulate real-world attacks that are often observed in our security monitoring practices. These test messages will be sent out at random intervals throughout the year.

Key Takeaways:

  • Phishing test messages will simulate real-world phishing attempts, starting with easily identifiable phishing scenarios and progressing to more advanced scenarios as employees improve their responses.
  • Employees who receive suspicious emails should forward them to, regardless of if they think it is part of the test or not.
  • The results of these phishing tests are only visible to the ITS Office of Information Security.  
  • Reporting on these tests will be anonymous.
  • If you click on a link in one of these messages, you will receive information to help spot and avoid similar phishing messages in the future.  Employees who fall for a phishing attempt will be redirected to an educational webpage comprised of phishing information and training opportunities, including the identification of specific elements within the message that would help to distinguish it as fraudulent.
  • Our goal is to increase employee security awareness and decrease the number of employees who click on malicious emails.

With all suspicious emails, remember these helpful steps:

  1. Look at the sender's email - is it an App State email?  Is this someone you know?
  2. Are they asking for personal information?  Or for you to download an attachment?
  3. Don't click on links if the email seems suspicious or unusual.
  4. You can help us to identify suspicious emails by forwarding them to

A Few Important Things to Remember

  • Always remember that ITS will never ask you to provide your password either via the phone, email, or other communications.
  • Keep in mind that phishing emails can look very legitimate and include the same images, logos, and text associated with the organizations they are attempting to masquerade as. Don't take the appearance of an email or website as a mark of legitimacy. 
  • Be aware that the 'From' field in email messages can easily be fabricated. Don't assume that an email is legitimate based on the apparent sender in the "From" field. 

Employees are strongly encouraged to treat all suspicious emails as potentially dangerous.  While these simulated messages are not malicious, real phishing attacks pose a great threat to our university community. 

Addition Resources

Phishing Examples:

Common Security Threats


Online Quizzes: