Phishing is the most common cyberattack in higher education, and it is not close. The reason it works so well is simple. The messages look real. They appear to come from someone you trust and ask you to do something routine, like verify your account or look at a document.
One click on the wrong link can hand over your account, your personal information, and a way into university systems. It does not take a sophisticated attack to do real damage. It just takes one busy moment and one convincing email.
What Phishing Is
Phishing is a cyberattack where someone sends you a fraudulent message, usually an email, designed to trick you into clicking a malicious link, opening a dangerous attachment, or entering your credentials on a fake website. The goal is always the same. Steal your information or get access to your accounts.
How to Spot a Phishing Email
The sender address is the first place to look. The display name might say UW IT Support, but the actual address could be something like support@uw-helpdesk-verify.com. If the domain does not match the official university domain, it is not legitimate.
Hovering over links is one of the most useful habits you can build. Before clicking anything, hover your mouse over the link to see where it actually leads. On a phone, press and hold to preview. If the address does not match the organization the message claims to be from, do not click it.
Urgency and threats are another strong signal. Messages that warn your account will be locked in 24 hours, or that demand immediate action, are designed to push you into acting before you think. Real organizations give reasonable timeframes and do not threaten you into clicking.
Grammar and formatting errors still show up often. Phishing has gotten more polished, but plenty of these emails still have awkward phrasing, odd spacing, or wording that does not match how your university normally communicates. If something feels off, that feeling is usually right.
Protective Steps
A few habits will catch most phishing attempts:
- Slow down before clicking, especially when a message asks you to follow a link or open an attachment.
- Verify the sender by reaching out through a separate channel if a message claims to be from a colleague or department.
- Never enter your credentials through an emailed link. Type the website address into your browser yourself.
- Report suspicious emails by forwarding them as an attachment to the Help Desk so others can be warned.
- Keep your software updated, since updates often include security patches that block known threats.
If You Clicked Something
Disconnect from the network if you think malware might have been installed. Change your password immediately from a different, trusted device. Do not enter any credentials on the page that loaded. Then report the incident to the Help Desk right away.
Reporting
If something feels off, report it to your campus IT help desk as soon as possible. The sooner it’s reported, the easier it is to contain. You can find contact information for your campus help desk here: Universities of Wisconsin (UW System) – IT Help Desks Contact Information.
Bottom Line
Phishing works because it looks ordinary. The fix is not complicated. A few seconds of pause, a quick check of the sender, and a habit of going directly to websites instead of clicking links will block most of what comes your way.