Deadline for required cybersecurity training is Dec. 20 The Division of Information Technology encourages all faculty and staff to log in to Litmos and confirm the training has been completed prior to the deadline. Log in to Litmos

Don’t Get Phished: A Quick Guide to Phishing for College Students

Mahanyas Baira, Sienna Arellano – September 12, 2025

Phishing isn’t just “bad emails.” It’s one of the most common cyber threats you’ll face as a student, and it works because it targets people, not computers. Attackers rely on urgency and curiosity to trick you into clicking links, handing over passwords, or downloading malware. The barrier to entry is low, phishing kits and services are cheap and widely available, so this is an entire business model, not a prank. One careless click can have serious consequences for you and for the campus network.

This guide takes two minutes to read and will help you spot the traps before they catch you.

What Does Phishing Look Like on Campus?

You’ll see more than just sketchy emails in your inbox. Common examples include:

Fake school alerts: An email that looks like it’s from Canvas, campus IT, or even a professor, asking you to “confirm your password.”

QR code traps (quishing): Flyers with QR codes promising free pizza or event tickets that actually lead to phishing pages.

Text or voice scams: Messages asking you to share your two-factor authentication code, often pretending to be from your bank, Amazon, or even the university.

The Simple Tricks Behind Phishing

Phishing doesn’t rely on high-tech hacking. Instead, it uses two simple techniques:

Text or link masking – The visible text says, “official site,” but the actual link takes you somewhere malicious. On a computer, hover your mouse over the link. On mobile, long-press to preview where it really goes.

Domain/subdomain tricks – Attackers register lookalike domains such as microscft-login.com or create misleading subdomains like login.amazon.com.badsite.net. Always double-check the actual domain.

Types of Phishing to Watch For

Spear phishing / whaling: Targeted emails aimed at professors or student org leaders.

Smishing / vishing: Fraudulent text messages or phone calls.

Quishing: Malicious QR codes on posters or handouts.

Clone or fake login pages: Sites that mimic university portals or familiar apps to steal credentials.

 

Quick Safety Checklist

Do these and you’ll greatly reduce your risk:

Preview links before clicking.

Avoid scanning random QR codes, type the URL directly or use the official app.

Turn on multi-factor authentication (MFA) for both school and personal accounts.

Verify urgent requests by calling or messaging the sender through a known channel.

Use strong, unique passwords (a password manager makes this easier).

Keep your device, apps, and browser updated. Run antivirus scans regularly.

If You Already Clicked…

If you realize you’ve fallen for a phishing attempt, act fast:

Disconnect from Wi-Fi to stop potential data leaks.

Change the password for the affected account from another device and sign out of all sessions.

Enable or confirm MFA.

Report it: forward the phishing message to your email provider and notify campus IT/security.

Run a malware scan and monitor your accounts for unusual activity.

 

Why This Matters

Even a single set of “low value” credentials can be sold or reused by attackers. Compromised accounts are often used to spread phishing further or move deeper into university systems. What seems small on your end can lead to large-scale breaches.

Final Tip

When in doubt, pause. Attackers rely on you being rushed or curious. A five-second check hovering over a link, calling to verify a request, or thinking twice about a QR code, can save you hours of damage control.