Cyber attackers frequently target college communities through email phishing, malware, and social engineering. This guide covers the most common attack types we see at Emerson and explains how to protect yourself—on both Emerson systems and personal accounts.
Password Harvesting & Social Engineering
The most common attack we see involves tricking you into entering your password on a fake website. Here's how it typically works:
- You receive a message—often through a legitimate platform like Google Docs—that appears to come from someone you know or an organization you trust.
- The message urges you to click a link, which leads to a document containing another link.
- That second link takes you to a fraudulent login page designed to look like Microsoft, Duo, Workday, or another trusted service.
- If you enter your credentials, the attacker captures them and attempts to log in as you.
- To complete the login, they need you to approve a Duo push or phone call. If you approve it without recognizing that you didn't initiate it, they gain full access.
What Attackers Do Once They're In
Attackers typically need only a few minutes of access to cause significant damage:
- Send phishing emails as you – Messages from your account bypass many security filters and appear trustworthy to your colleagues.
- Access sensitive data – Attackers may download emails, view Workday information, or access other connected systems.
- Change direct deposit information – Attackers have changed Workday direct deposit details and set up Gmail filters to hide the confirmation emails, so victims don't notice until payday.
How to Spot Fake Login Pages
microsoft.com or microsoftonline.com—not from random domains.
Attackers use deceptive URLs that may look official at first glance. Here are some examples:
Real: login.microsoftonline.com
Real: accounts.google.com
Real: www.google.com
Real: emerson.edu
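The same check can be automated. The sketch below is an added example, not an Emerson tool: it tests whether the host a link actually points to belongs to one of the real domains listed above. The function name, the trusted-domain tuple, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Registrable domains behind the "Real:" examples listed in this guide.
TRUSTED_DOMAINS = ("microsoftonline.com", "microsoft.com", "google.com", "emerson.edu")


def check_login_url(url):
    """Return (trusted, reason) for a link that claims to be a login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # lowercased, no port, no "user@"
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no hostname"
    # Non-ASCII or punycode labels can render as lookalike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized hostname: " + ascii(host)
    for domain in TRUSTED_DOMAINS:
        # The leading dot matters: a bare suffix match would also accept
        # any unrelated domain whose name merely ends in the trusted one.
        if host == domain or host.endswith("." + domain):
            return True, "host " + host + " belongs to " + domain
    if parts.username:
        return False, "text before '@' is not the host; real host is " + host
    return False, "host " + host + " is not a trusted domain"


# Constructed sample links (reserved .example names, not real indicators).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://accounts.google.com/signin",
    "https://login.microsoftonline.com.signin.example/common",
    "https://accounts.google.com@signin.example/login",
    "https://accounts.g\u03bfogle.com/signin",  # Greek omicron in "google"
    "http://emerson.edu/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = check_login_url(link)
        shown = link.encode("ascii", "backslashreplace").decode()
        print("OK  " if trusted else "STOP", shown, "->", reason)
```

Only the first two samples pass. In the others, the trusted name appears somewhere in the link but is not the domain the browser would connect to.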
Key Rules to Follow
- Never enter credentials into a form. Google Forms, Qualtrics, Microsoft Forms, and similar tools are survey platforms, not login systems. Any "login" built on these tools is a scam—your password would be sent directly to the form owner in plain text.
- Never approve a Duo push or call you didn't initiate. If you receive an unexpected Duo request, someone else is trying to log in as you. Deny it and change your password.
- Be suspicious of documents that only contain links. A Google Doc or shared file that exists only to redirect you elsewhere is a common way attackers avoid email security filters.
- Verify unexpected requests. If you receive an unusual email from a non-Emerson address claiming to be a colleague, verify their identity through a known phone number or in person—not by replying to the suspicious email.
Malware & Remote Access Attacks
Some attacks skip password theft entirely. Instead, attackers trick you into installing software that lets them control your computer remotely.
How This Attack Works
We've recently seen phishing emails disguised as invitations to academic conferences, faculty dinners, or campus events. These messages include what appears to be an e-invite or event details that require downloading a file.
If you download and run the file, it installs remote access software on your computer. This gives the attacker the ability to:
- See your screen and control your mouse and keyboard
- Access any website or application you're already logged into
- Browse your files and documents
- Use your saved passwords and active sessions
How to Protect Yourself
- Never download program files from unexpected sources. Be especially cautious with .exe, .msi, and .dmg files from email links or unfamiliar websites.
- Verify event invitations through official channels. If you receive an unexpected invitation, confirm it through the department's official website or by contacting the organizer directly.
- When in doubt, don't download. Legitimate event invitations rarely require you to install software.
Job Offer & Payment Scams
This scam often targets students but can affect anyone. It typically bypasses Emerson systems entirely, going directly to personal email addresses or phone numbers.
How This Attack Works
- You receive an email to your personal account from someone claiming to be a professor, department head, or campus administrator.
- They offer a remote job or research assistant position with attractive pay—often several hundred dollars per week for minimal work.
- They ask you to text them at a personal phone number to discuss details.
- Over text, they build rapport and trust over days or weeks.
- Eventually, they ask you to send money for "supplies," "software," or "equipment," promising reimbursement or deduction from your first paycheck.
- After receiving payment (sometimes multiple payments), they disappear.
Warning Signs
- Initial contact comes to your personal email, not your Emerson account
- They quickly move communication to text messages
- The job offer sounds too good to be true
- You never meet in person or have a video call
- They ask you to pay for anything upfront
How to Protect Yourself
- Verify through official channels. If someone claims to be an Emerson employee, look up their contact information on the Emerson website and reach out directly.
- Never pay money for a job. Legitimate employers do not ask employees to front money for supplies or equipment.
- Be skeptical of text-only relationships. Scammers avoid video calls and in-person meetings because they can't maintain their false identity.
Reporting Suspicious Activity
If you see a suspicious email: Forward it to helpdesk@emerson.edu. This helps us identify ongoing attacks and protect others in the community.
If you think you've been compromised: Contact helpdesk@emerson.edu immediately. Quick action can limit the damage and help us secure your account.
While Emerson maintains security controls to detect and block many attacks, determined attackers look for ways around these protections—including targeting personal accounts and devices. Staying informed and cautious is your best defense.