Dear Colleagues,

At the beginning of every new semester, the education sector sees a significant rise in phishing attempts. As a result, ITS requests that you take a few minutes to review the following information, so you are better equipped to identify and report suspicious email messages.

Signs of a Phishing Attempt

• Claims that create urgency, like “your account will be closed,” and “verify immediately”.
• Requests for unusual actions like gift card purchases, payroll changes, or “colleagues” selling personal items.
• Email addresses that don’t match the sender’s name or use domains outside the college.
• Unexpected attachments, links, or QR codes that lead to a sign-in page.
• Messages with an odd tone, grammar issues, or signatures that don’t match the sender.

Recent Tactics Seen in 2025

• QR codes in emails or posters that point to fake login pages.
• Repeated MFA prompts you didn’t initiate. Never approve unexpected login requests.
• Look-alike sign-in pages that capture your password and MFA approval.
• App consent pop-ups that ask you to authorize access to your email or files. Decline all requests unless you’re certain of their legitimacy.

If You Get a Suspicious Message

1. Don’t click, reply, or open attachments.
2. Use the Outlook Report Phishing button (preferred) or forward the original email as an attachment to reportaphish@lbcc.edu.
3. Delete the message after you report it.

If You Already Responded to a Phish

1. Call the ITS Help Desk @ x4357.
2. Change the password to your Viking ID asap by navigating to www.lbcc.edu > Quick Links > Viking Employee Login. Do not reuse that password elsewhere.
3. If you approved an MFA request or entered your credentials on a suspicious page, immediately call the ITS Help Desk @ x4357 so ITS can secure your account.

Good Cyber Habits That Make a Big Difference

• Use authenticator apps or security keys/hardware tokens instead of SMS codes when available.
• Type site addresses directly into your browser or use saved bookmarks. Avoid login links and QR codes in emails.
• If you need to call, call the sender on a known or verified number rather than the one provided in the email.

That said, if you’re ever unsure, just play it safe and report it.  

Quick Reminders

• Cybersecurity is a shared responsibility: Please report all suspicious activity and unauthorized access to computers, software, and websites to the Office of Information Security.
• Protect your password: Administrative Procedure 3720 specifically prohibits the sharing of login credentials. Never provide your password to anyone: not your coworker, not your boss, not even ITS.

 

If you have any questions regarding this or any other previous advisory, please do not hesitate to email the Office of Information Security.