The start of tax season is also the start of phishing season, as bad actors try more vigorously to steal login credentials, a key to obtaining employee W2s online. Sensitive personal data, W2 forms, and bank routing information have been compromised recently at peer institutions. We want to take a moment to remind everyone to be mindful of these risks and to be sure that login requests they receive are legitimate. Some simple rules of thumb include:

  • If you’re not sure, ask. Simply forward any unexpected or unusual requests to AskIT@amherst.edu.
  • There is no circumstance in which you should give your Amherst account password to anyone else, ever. If anyone asks for your password by phone, by email, or in person, contact AskIT@amherst.edu.
  • Be wary of emails that are not grammatically correct or that express great urgency that you follow embedded links.
  • Always make sure when you’re entering your Amherst username and password on a website that you’re on an amherst.edu site. Always look for the string “amherst.edu” in your browser’s address bar. Even if the login screen looks exactly like the Amherst website, be sure the address ends in “amherst.edu.”
  • Always be sure that the amherst.edu website you log into has an address that starts with https://, not a non-secure http://.
  • Look for a small lock icon at the beginning of a web address. The lock indicates a secure site.

Here are the three aspects of a good web address (URL):

Web Address and Security

  1. The lock icon and the https:// prefix. If the URL of the login page doesn't show the lock or uses only the “http://” prefix, do not enter your username and password.
  2. Examine the text between the double slashes and the first single slash (the site's host name). The first part of this text can vary, but what cannot vary is how it ends…
  3. It must end in ".amherst.edu" and nothing else.
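As an added illustration of the three checks above (this script is not part of the original notice), the following Python code applies them to a web address the same way you would by eye: it rejects anything that is not https://, looks only at the host name between the double slashes and the first single slash, and requires that host to end in ".amherst.edu". The sample addresses under example.com and example.net are constructed for this demonstration and are not real phishing sites.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Domain the notice tells users to look for (taken from the page).
TRUSTED_DOMAIN = "amherst.edu"


def check_login_url(url: str) -> Tuple[bool, str]:
    """Apply the notice's three checks to a URL and explain the verdict."""
    parts = urlsplit(url.strip())

    # Check 1: the address must use https://, not http://
    if parts.scheme.lower() != "https":
        return False, f"scheme is '{parts.scheme or 'none'}', not https"

    # Check 2: examine only the host name, i.e. the text between '//' and
    # the first '/'.  urlsplit().hostname drops any port and any 'user@'
    # prefix, so text hidden in the path or before an '@' is ignored.
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host name in the address"
    if "@" in parts.netloc:
        # Legal syntax, but real login pages never use it; treat as suspicious.
        return False, "address contains '@' before the host name"

    # Check 3: the host must be amherst.edu or end in '.amherst.edu'.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, f"host '{host}' is under {TRUSTED_DOMAIN}"
    return False, f"host '{host}' is not under {TRUSTED_DOMAIN}"


# Constructed sample addresses for the demonstration (example.* are placeholders).
SAMPLES = [
    "https://www.amherst.edu/login",               # legitimate
    "http://www.amherst.edu/login",                # fails check 1
    "https://amherst.edu.example.com/login",       # lookalike: fails check 3
    "https://example.net/amherst.edu/login",       # domain only in the path
    "https://www.amherst.edu@example.net/login",   # real host is example.net
    "https://www-amherst.edu/login",               # hyphen, not a dot
]


def run_samples() -> dict:
    """Return the verdict for every sample address."""
    return {url: check_login_url(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, (ok, reason) in run_samples().items():
        print(f"{'OK  ' if ok else 'STOP'} {url}  ({reason})")
```

The host-name check is the decisive one: any site can obtain a certificate and show the lock, so https:// alone says nothing about who operates the page.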

Here are a few other links with more information:

Think Amherst is immune to phishing attempts? Think again! Last spring semester, several hundred faculty, staff and students had their accounts compromised. In the worst cases, some Amherst users had to regain control of their bank accounts. Especially devious efforts, known as spear-phishing attempts, are highly customized to the point that they appear to be from someone you know or someone of authority at the college. As an example, consider our ‘favorite’ attempt from last year, wherein an email arrived purporting to be, and to all appearances seemed to be, from Cullen Murphy, the Chairman of the college’s Board of Trustees. The message was sent to the college’s Controller and Director of Human Resources, claiming that the Board was conducting a compensation review and needed a copy of every employee’s W2 form. The attempt failed at Amherst, but succeeded at other institutions where staff fell for similar carefully crafted messages.

Remember: If a message or call seems suspicious, it probably is. Please contact AskIT@amherst.edu immediately.