The following was one of two phishing emails that together compromised the accounts of over 80 Amherst users, making a total of over 100 accounts compromised in the past week.

[Screenshot of the May 22 phishing email]

Even without examining the link, this email should have raised suspicions. Note the odd From address that uses zeros instead of the letter 'o' in the name, and--more importantly--that doesn't come from an Amherst College email address. And the poorly worded message in the body is another clue--as yet there are no great novelists in the IT department, but we do know how to construct a sentence. And extra points if you know that the IT department isn't located at 220 South Pleasant Street!

While these irregularities should have raised suspicions, the definitive answer as to whether this message is legitimate is the web address--the URL--of the login page that comes up once you click the "kindly do so here" link. 

The login page that appears when you click the link is identical to the web interface of the college's email server. (It should be: the phishers "scraped" it from our site.) Whenever you land on ANY login page, it is your responsibility to make sure that it is a legitimate Amherst login page. To determine that you need to see its URL.

On an iPhone and many other smart phones you have to drag down the login page until you see its URL at the top. You may even need to turn your phone sideways to see the full URL. If the URL isn't that of a legitimate Amherst login page--and this one certainly wasn't--then don't enter your Amherst login credentials. Close the login screen and delete the message from your mailbox.

So the big question is: How do you tell if the URL of a login page is legitimate? By committing the information in the following link to memory:

Don't Get Phished: Know Where You Are Logging In.
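The checks the post asks readers to do by eye (is the login URL really an institutional host, and does the From address look tampered with) can also be written down precisely. The example below is an added illustration, not code from the college's IT department or from the original post. It assumes `amherst.edu` as the institutional domain purely for illustration; the sample URLs and sender addresses are constructed and are not taken from the actual phishing message. It goes a bit beyond the post by showing the common URL tricks that fool a quick glance: a trusted name used as a subdomain of an attacker's host, a trusted name placed before `@` as userinfo, and digit-for-letter swaps in the host itself.

```python
from urllib.parse import urlsplit
from email.utils import parseaddr

# Assumed institutional domain. The post only says "a legitimate Amherst login
# page"; this allow-list is illustrative, not a statement of what the college uses.
TRUSTED_DOMAINS = ("amherst.edu",)

# Digit-for-letter swaps of the kind the post describes (zeros in place of 'o').
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _under_trusted(host, trusted):
    """True if host equals a trusted domain or is a subdomain of one.

    The suffix check includes the leading dot, so 'amherst.edu.evil.example'
    and 'notamherst.edu' are both rejected.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def host_of(url):
    """Extract the real host from a URL, ignoring scheme, userinfo, port and path.

    urlsplit().hostname drops 'user@' and ':port' and lowercases the result,
    so 'https://amherst.edu@evil.example/' correctly yields 'evil.example'.
    """
    return (urlsplit(url).hostname or "").rstrip(".")


def is_trusted_login_url(url, trusted=TRUSTED_DOMAINS):
    """A login page is acceptable only if served over https from a trusted host."""
    if urlsplit(url).scheme.lower() != "https":
        return False
    host = host_of(url)
    return bool(host) and _under_trusted(host, trusted)


def looks_like_spoof(host, trusted=TRUSTED_DOMAINS):
    """Flag hosts that become a trusted domain once digit-for-letter swaps are undone."""
    host = host.lower()
    normalized = host.translate(LOOKALIKES)
    return normalized != host and _under_trusted(normalized, trusted)


def sender_warnings(from_header, trusted=TRUSTED_DOMAINS):
    """Return the reasons a From: header deserves suspicion, following the post's checklist."""
    name, addr = parseaddr(from_header)
    warnings = []
    domain = addr.rpartition("@")[2].lower()
    if not _under_trusted(domain, trusted):
        warnings.append("sender address is not an institutional one")
    if name != name.translate(LOOKALIKES):
        warnings.append("display name substitutes digits for letters")
    return warnings


if __name__ == "__main__":
    # Constructed sample inputs; none of these come from the actual message.
    sample_urls = [
        "https://mail.amherst.edu/login",            # legitimate-looking host
        "https://amherst.edu.evil.example/login",    # trusted name as a subdomain of an attacker host
        "https://amherst.edu@evil.example/login",    # trusted name hidden in userinfo
        "http://mail.amherst.edu/login",             # right host, but not https
        "https://amh3rst.edu/login",                 # digit-for-letter swap in the host
    ]
    for url in sample_urls:
        host = host_of(url)
        verdict = "OK" if is_trusted_login_url(url) else "DO NOT LOG IN"
        spoof = " (look-alike host)" if looks_like_spoof(host) else ""
        print(f"{verdict:14} host={host}{spoof}  <- {url}")

    for header in ("IT Supp0rt <helpdesk@mailer.example>", "IT Help Desk <it@amherst.edu>"):
        print(header, "->", sender_warnings(header) or ["no warnings"])
```

The important design point is that the host is taken from a real URL parser rather than from a substring search: checking whether the string "amherst.edu" appears anywhere in the URL would pass every one of the spoofed samples above, while checking the parsed host against a dotted-suffix allow-list rejects them.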