You are here: Â鶹´«Ã½ Information Technology IT Security Phishing Education and Self-Phishing

Phishing Education & Self-Phishing

OIT is conducting an ongoing self-phishing program to aid the AU community in better recognizing phishing attempts. Since phishing is one of the primary methods malicious actors use to compromise credentials and other sensitive information, it is important that you be able to recognize such attempts and not respond to them. The best way to accomplish this is through training.

You may not realize it, but you are a phishing target at school, at work, and at home. When viewing email messages, texts, or social media posts, keep the following tips in mind in order to prevent stolen passwords, sensitive institutional or personal data, or private information.

Advice and Tips

  • Beware of suspicious messages.
    • Phishing messages may include a formal salutation, overly-friendly tone, grammatical errors, extensive spelling errors, or urgent requests, particularly for money or personal information.
  • Avoid opening links and attachments.
    • Even if you know the sender, don't click on links that could direct you to a bad website.
    • If the email references an AU website, access the site the way you would normally, rather than via the link.
    • Do not open attachments unless you are expecting a file from someone.
    • Wherever possible, utilize tools such as OneDrive, the AU shared drives, and SharePoint sites to exchange documents, rather than email.
  • Verify the source.
    • Check the sender's email address to make sure it is legitimate.
    • If in doubt, delete the message and notify the IT Help Desk.
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals, asking about employees or other internal information.
    • If an unknown individual claims to be from a legitimate organization, try to verify their identity directly with the company.
  • Do not provide personal information or information about AU, including its structure or networks, unless you are certain of a person's authority to have the information.
    • Where possible, refer requests of this type to public resources. 
  • Do not reveal personal or financial information over email, and do not respond to email solicitations for this information, including following links sent in an email.
  • Do not send sensitive information over the Internet before checking a website's security.
    • Sites that accept personal information and logins should always be encrypted.
  • Pay attention to the URL of a website.
    • Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling, additional subdomains (e.g. yourbank.com.badsite.net), or a different domain (e.g. .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. 
    • Do not use contact information provided on a website connected to the request; instead, check previous statements or public web sites for contact information.
    • Information about known phishing attacks is also available online from groups such as the .
  • Install and maintain anti-virus software, firewalls, and browser ad-blockers to reduce some of this traffic.
    • These are all provided by default on the AU computer image.
  • Take advantage of any additional anti-phishing features offered by your email client and web browser.

  • If you believe you might have revealed sensitive information about AU, please report it to the IT Help Desk at helpdesk@american.edu, and copy Information Security at security@american.edu.
  • Immediately change any passwords you might have revealed.
  • If you used the same password for multiple accounts other than your AU account, make sure to change it for each account, and do not use that password in the future.
  • Watch for any unusual or unexplained charges to your account.
    • If you believe your financial accounts may be compromised, contact your financial institution immediately and work with them to protect any accounts that may have been compromised.