Recognize Phishing

What Is Phishing?

Phishing is when someone pretends to be a trusted person or company to trick you into giving them information or clicking something harmful.

Most phishing attacks happen through:

  • Email

  • Text messages

  • Fake login pages

  • Phone calls

The goal is usually to:

  • Steal your password

  • Get you to approve something (like a login request)

  • Trick you into sending money

  • Install malware on your device

If you unintentionally fall victim to a phishing scam, see Recover from a Phishing Scam.

How Phishing Works

Most phishing attacks follow the same pattern:

  1. You receive a message
    It looks urgent, important, or even normal — like a password reset, shared document, invoice, or voicemail notification.

  2. You’re asked to click, download or respond
    The message creates urgency:

    • “Your account will be locked.”

    • “Unusual login detected.”

    • “Payment required immediately.”

    • “Review this document.”

    • “Download and open this message.”

  3. You’re sent to a fake login page
    It looks real — maybe like Microsoft, Google, or your company login page.

  4. You enter your username and password
    The attacker now has your credentials.

And sometimes… that’s not even the end of it.

If You Receive a Phishing Message

While Gmail filters out most suspicious email messages before they reach your inbox, a few will still get through.

Report the message as phishing within Gmail so that it is filtered out of others’ inboxes. While viewing the message in your web browser, click the three buttons in the upper right corner of the message, and select the “Report phishing” option.


Phishing Awareness Checklist

Before You Click, Ask Yourself:


☐ Was I expecting this email?

  • I requested this password reset.

  • I was told a document would be shared.

  • I was expecting this invoice or message.


☐ Is it creating urgency or pressure?

  • “Immediate action required”

  • “Account will be locked”

  • “Respond within 1 hour”

  • “Payment needed today”

Urgency is one of the biggest red flags.


☐ Does the sender’s email address look correct?

  • Check the full email address, not just the display name

  • Check for misspellings

  • Check the full domain name (e.g. john.valpo@va1po.edu, where the digit 1 stands in for the letter l)

  • Watch for personal email accounts (anything from outside the organization)

  • Phishing can also come from inside the organization, sent from another person's stolen account. You are more likely to click an email from a colleague than a stranger.
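
The sender checks above can also be automated. The following Python sketch is an added example, not part of the original article: it reads the address rather than the display name and flags domains that imitate the real one. The trusted domain valpo.edu is an assumption inferred from the va1po.edu example, and the character-swap table is constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the organization's real mail domain, inferred from the
# article's lookalike example "va1po.edu".
TRUSTED_DOMAIN = "valpo.edu"

# Characters commonly swapped in to imitate a letter (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify a From header as 'internal', 'lookalike', 'external' or 'invalid'.

    'internal' only means the domain matches; a stolen colleague account
    still lands here, so the rest of the checklist continues to apply.
    """
    _display, address = parseaddr(from_header)  # display name is ignored on purpose
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain == trusted or domain.endswith("." + trusted):
        return "internal"
    # Identical once digit-for-letter swaps are undone, or a single typo away.
    if domain.translate(HOMOGLYPHS) == trusted or edit_distance(domain, trusted) <= 1:
        return "lookalike"
    # The real name embedded in someone else's domain, e.g. valpo.edu.example.com
    if trusted in domain:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("John Valpo <john.valpo@va1po.edu>",
                   '"helpdesk@valpo.edu" <someone@example.net>',
                   "IT Help Desk <helpdesk@valpo.edu>"):
        print(f"{check_sender(header):10} {header}")
```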


☐ Does the link look suspicious?

Hover your mouse over it, but DON'T click it. The address the link will send you to appears at the bottom of your screen.

  • Misspelled company names

  • Extra words or numbers

  • Strange domain endings

  • Random strings of letters

  • Random sites that don't mean anything.


☐ Is it asking for sensitive information?

  • Passwords

  • MFA codes

  • Downloading items

  • Cell phone numbers


☐ Did I receive an MFA/login approval I didn’t initiate?

  • Unexpected push notification

  • Repeated login approval requests

  • A code you didn’t request

Do NOT approve it.
Change your password immediately if you start to receive these requests.


☐ Does something feel “slightly off”?

  • Grammar errors

  • Odd tone

  • Unusual formatting

  • Different writing style than normal

Trust your instincts. Attackers will try anything to get your data.


Quick Reminder

Even with strong passwords and MFA, attackers can gain access if you:

  • Enter credentials into a fake site

  • Approve a login request you didn’t start

Think before you click.
Verify before you approve.
Report anything suspicious. Let IT take a look at something if it feels off.

Suspicious Message?

Always contact the Help Desk if you receive a message and are unsure of its validity. This helps us track how widespread the problem is, and better protect you and your information.

Still need help?

For additional assistance, contact the IT Help Desk.
