
This Was a Phish

Ohio State regularly runs phishing training exercises for the university community. By clicking the link that brought you to this page, you succumbed to a university phishing simulation. Read on to learn how to spot phishing messages and protect yourself and the university from malicious attacks.

Spotting the Phish

You received this email:

Email suggested a password expiration notice with a button labeled "keep my password"

Sender Addresses: The sender address, support@password-update.com, is very generic and is not part of the correct method for updating your password at Ohio State, so it should raise red flags. The domain (everything after the @ symbol) is the first indication that this might be a phishing attack.

Confusing Language: Periodic password resets are necessary to protect accounts from compromise. If you are prompted by Ohio State to change your password, you will not be offered an opportunity to "keep my password". 

When you engage with the email, you are sent to a fake login page.

Web page asking the user to submit their email address to the attacker

Review the URL of the web page before engaging with it: When you clicked from the email, a website was loaded with a URL of login.password-update.com, which is not a legitimate site for updating an Ohio State password; the legitimate site is my.osu.edu. Attempt to confirm the legitimacy of a site before you enter login credentials or personal information such as your name, email address or phone number.
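
The two checks described above (the sender's domain and the host in the link's URL), written out as an added Python example that is not part of the original page. It assumes osu.edu, the parent of the my.osu.edu site named above, is the only trusted domain; the function names are illustrative.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: osu.edu (parent of my.osu.edu, named on this page) is the only trusted domain.
TRUSTED_DOMAIN = "osu.edu"


def is_trusted_host(host):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").rstrip(".").lower()
    try:
        # Normalise internationalised names so look-alike characters cannot match.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    # Compare on a label boundary: "x.osu.edu" passes, "osu.edu.example.com" does not.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def sender_domain(from_header):
    """Everything after the @ in the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2] if "@" in addr else ""


def link_host(url):
    """Host the browser would connect to; text before an @ in the URL is not the host."""
    try:
        return urlsplit(url if "://" in url else "https://" + url).hostname or ""
    except ValueError:
        return ""


def review(from_header, url):
    """Apply both checks from this page to one message."""
    return {
        "sender_trusted": is_trusted_host(sender_domain(from_header)),
        "link_trusted": is_trusted_host(link_host(url)),
    }


if __name__ == "__main__":
    # Values from the simulated phish described on this page.
    print(review("support@password-update.com", "login.password-update.com"))
    # Constructed check cases for the matching logic.
    for host in ("my.osu.edu", "my.osu.edu.password-update.com", "notosu.edu"):
        print(host, is_trusted_host(host))
```

A sender address that passes this check is not proof that a message is genuine, because the From header can be forged. The link check applies to the URL that actually loads, not to the text shown on a button.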

 

Report Phishing Attempts

Image of the 'report suspicious' banner displayed at the top of every external email you receive. Click this banner to report suspected phish.

If you ever suspect an email to be a phishing attempt, please report it immediately by clicking the "Report Suspicious" button in the warning banner which appears at the top of that external email.