Phishing Information

Phishing is a type of cyber scam where attackers try to trick you into giving away personal information—like passwords, credit card numbers, or login credentials—by pretending to be someone you trust, such as your bank, school, or a popular company. It often comes in the form of fake emails, texts, or websites.

Did you hear about the Phish Files? Check out our new site!

It’s the place to be when cyberspace gets a little phishy.


What to Do if You Fell for a Scam

    1. Stop and Stay Calm

      Don’t panic—acting quickly is what matters most.

    2. Change Your Passwords Immediately

      Update any passwords you gave away—starting with your NetID and any accounts that use the same password.

    3. Enable Multi-Factor Authentication (MFA)

      Turn on MFA (like Duo) on your important accounts to add an extra layer of protection.

      • Duo can be used for your personal accounts too!
    4. Save All Evidence

      This information is important in cases where a police report is needed.

      • Keep screenshots of texts and emails you receive from the incident.
      • Do not delete any emails, voicemails, text messages, or other information related to the incident.
      • Write down email addresses, phone numbers or links used in the scam.
      • Note the date, time and what happened.
      • Please note: If you are unable to locate the email within your Montclair inbox, our team has most likely removed it as part of a larger campaign affecting the campus community.
    5. Report It

      Use the Phish Alert Button (PAB) to report the email. If you have any screenshots, email them to phishfiles@montclair.edu.

    6. Watch Your Accounts

      Check your email, bank, and other accounts for unusual activity. Set up alerts if possible.

    7. Alert Your Bank or Credit Card Company (if applicable)

      If you gave financial info, contact your bank right away—they can help prevent fraud.

      • Please note: If the scammer provides you with a fake check, do not deposit it.
      • Did you provide your Social Security Number (SSN) to a scammer? File a report with the Federal Trade Commission.
      • File a Report (UPD)
        Have you lost money? Are you being stalked? Contact Campus Police.
    8. Additional Resources

      • Stay up to date on all things phishing by visiting the Phish Files!
      • Have more questions about Fraud? Please visit the Federal Trade Commission Report Fraud page.
      • Learn more at cyber.nj.gov

What is PII (Personally Identifiable Information)

PII is any information that can be used to identify you — on its own or when combined with other details.

Examples include:

  • Full name

  • NetID

  • Home address or phone number

  • Date of birth

  • Social Security number

  • Campus email + any personal detail (e.g., major, class schedule)

  • Login credentials (NetID, password, MFA codes)

On campus, protecting PII is critical to avoid identity theft, scams, and privacy violations — especially when using digital tools like email, cloud storage, or AI platforms.

Rule of thumb:
If the info could help someone impersonate you or access your accounts — treat it as PII and handle it with care.

How to Report Phishing?

      1. Use the Phishing Alert Button (PAB)
      2. Forward the email or send screenshots to phishfiles@montclair.edu.
        • If the scam you received was via text (smishing), please send screenshots of your text conversation.

Types of Phishing

  • Email Phishing

    The most common type—fake emails that look like they’re from your school, IT, or a trusted organization, asking for login info or urging you to click suspicious links.

  • Spear Phishing

    Targeted emails that use personal details (like your name, department, or supervisor) to make the message seem more legitimate.

  • Job Scams

    Fake offers for internships, research assistant positions, or flexible work-from-home jobs, often asking you to buy gift cards or share banking info.

    • Remember: All job offers available at Montclair State University are available via Handshake.
  • Tech Support Scams

    Messages pretending to be from IT or Duo Support, claiming there’s a problem with your account or MFA and prompting you to “verify” details.

    • Montclair State University will never request your username/email, password or Duo codes.
  • Credential Harvesting

    Phishing emails that link to fake login pages (like spoofing our portals or asking for credentials via a Google Form) designed to steal your username and password.

    • Use the hover-over technique to check links—if it looks suspicious, don’t click it. Instead, type the official website address directly into your browser.
    • Never enter your login credentials or Duo codes into a Google or Microsoft Form.
  • Smishing (SMS Phishing)

    Text messages that appear urgent—like “Your account will be deactivated!”—with a link to click or a number to call.

  • Vishing (Voice Phishing)

    Phone calls pretending to be from campus services, banks, or even law enforcement, pressuring you to give up personal info or send money.

Want to see some examples of phishing? Visit the Phish Files for some real phish we’ve caught!

Tips for Identifying a Phishing Attack

  • Check the Sender Address

    Does the email come from an unexpected or strange-looking address? Does it seem odd that a random student NetID is emailing you a job? Report it.

  • Look for Spelling and Grammar Mistakes

    Phishing messages often have awkward phrasing, typos, or poor grammar.

  • Watch for Urgent or Threatening Language

    Scammers try to pressure you—“Act now!” or “Your account will be deleted!”

  • Don’t Trust Unexpected Attachments or Links

    Hover over links to see where they really go. Don’t open attachments unless you’re sure they’re safe.

  • Be Wary of Unusual Requests

    Asking for gift cards, Duo codes, passwords, or personal info is a major red flag.

  • Generic Greetings

    “Dear user” or “Student” instead of your name can be a sign it’s not legit.

  • Fake Log-In Pages

    If a link takes you to a login screen, double-check the URL. When in doubt, go to the site by typing it in yourself.

  • Download our How to Spot a Phish guide!
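
The hover-over check from the tips above can also be run automatically against the HTML body of a reported email. This is an added example, not part of the original page or any Montclair tooling; the trusted domain, the form-service hostnames and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("montclair.edu",)  # assumption: domain of the page's reporting address
FORM_HOSTS = {"docs.google.com", "forms.gle", "forms.office.com"}  # assumed hosts

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for each <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def host_of(value):
    """Lowercased hostname of a URL-like string; '' for ordinary link text."""
    if len(value.split()) != 1 or "." not in value:
        return ""
    try:
        return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. unbalanced brackets
        return ""

def check_links(html):
    """Return [(href, reasons)] for links that fail the hover-over check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href.strip()), host_of(text.strip())
        trusted = any(real == d or real.endswith("." + d) for d in TRUSTED)
        reasons = [name for name, hit in (
            ("text shows a different host", bool(shown) and shown != real),
            ("lookalike host", not trusted and any(d in real for d in TRUSTED)),
            ("form service", real in FORM_HOSTS),
        ) if hit]
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body; .example is a reserved TLD.
SAMPLE = """<a href="http://montclair.edu.account-verify.example/login">https://www.montclair.edu/login</a>
<a href="https://docs.google.com/forms/d/e/CONSTRUCTED/viewform">Verify your Duo code</a>"""
```

Calling `check_links(SAMPLE)` flags both constructed links: the first because the text shown and the real destination disagree and the real host only imitates the trusted domain, the second because it points at a form service.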

SPAM vs. Phishing - The Big Debate?

Spam = Annoying but mostly harmless. These are unwanted emails, often from marketers or shady senders, trying to sell you something (fake deals, miracle cures, etc.).

Phishing = Dangerous and deceptive. These emails try to trick you into giving up personal info (passwords, credit card details) or clicking malicious links that install malware.

How to Tell the Difference:
Spam → Usually just junk, like excessive ads or sketchy promotions.
⚠️ Phishing → Pretends to be from a trusted source (your bank, school, or a service you use) and pressures you to take action (click, log in, or provide info).

Bottom Line: Spam is annoying; phishing is a scam. If an email asks for sensitive info or seems too urgent, don’t click—report it!

Still unsure about the big debate? Check out the Phish Files for recent active phish that have hit campus!