A Practical Guide to Protect Against Phishing

Phishing remains one of the most common and effective pathways for cyberattacks on universities. Whether the target is a first-year student, a tenured faculty member or an administrative staff member, the consequences can include lost data, disrupted research, financial fraud and reputational harm. Below is a brief, factual and actionable guide to protect every campus community member.

Why this matters (three perspectives)

  • Students: Credentials for campus systems and learning platforms are high-value and frequently reused — exposing personal information and access to services.
  • Faculty: Research data, grant information and intellectual property are attractive targets; a single compromised account can derail projects.
  • Staff: Administrative accounts often have privileges over payroll, procurement and sensitive records — making them prime phishing payoffs.

Practical protections you can adopt today

Assume caution, verify always

  • Pause before clicking. Verify unexpected or urgent requests by contacting the sender through a known channel (not by replying to the suspicious email).
  • Inspect sender addresses carefully — look beyond display names for domain spoofing.

Use strong, unique authentication

  • Enable multi-factor authentication (MFA) on all accounts. Prefer hardware tokens or phishing-resistant methods where available.
  • Avoid password reuse; use a reputable password manager.

Treat links and attachments as potential threats

  • Hover to preview URLs before clicking. If a URL looks unfamiliar, type the institution’s site address manually.
  • Scan attachments with institutionally approved tools; be especially wary of compressed files and macros in documents.
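
For mail administrators and security teams, the two manual checks above (looking past the display name, and comparing a link's visible text with its real destination) can be automated. The following is an added example, not part of the original guide or any UCLA tooling; the domain example.edu, the sample message and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare domain.
URLISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

def host_of(text):
    """Lowercase hostname of a URL or bare domain string ('' if none)."""
    text = text.strip()
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()

def sender_findings(from_header):
    """Flag a display name that shows an address from a different domain
    than the address the message actually claims to come from."""
    name, addr = parseaddr(from_header)
    actual = addr.rpartition("@")[2].lower()
    shown = re.search(r"[\w.+-]+@([\w.-]+\w)", name)
    if shown and shown.group(1).lower() != actual:
        return [(shown.group(1).lower(), actual)]
    return []

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_findings(html_body):
    """Flag links whose visible text names one host but whose href goes to another."""
    parser = _Anchors()
    parser.feed(html_body)
    return [(host_of(text), host_of(href)) for href, text in parser.links
            if URLISH.match(text) and host_of(text) != host_of(href)]

# Constructed sample (example.edu stands in for the institution's domain).
SAMPLE_FROM = '"helpdesk@example.edu" <alerts@example-edu.support>'
SAMPLE_HTML = ('<p>Reset here: <a href="https://login.example-edu.support/reset">'
               'https://login.example.edu/reset</a> or read the '
               '<a href="https://www.example.edu/help">help pages</a>.</p>')
```

Each finding is a (shown, actual) pair; a clean message returns an empty list from both functions.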

Be aware of social engineering cues

  • Red flags: unexpected urgency, requests for credentials or payments, odd salutations and slightly altered branding or grammar.
  • Watch for conversational phishing delivered via SMS or social platforms.

Keep devices and software current

  • Apply OS and application updates promptly and use institutionally managed endpoint protection where provided.

If you suspect phishing, act quickly

  • Report immediately to your campus IT/security helpdesk using the official reporting channel.
  • Do not forward the suspicious message to others; use the institution’s report mechanism so security teams can analyze and contain threats.
  • Change credentials and review account activity if you clicked a link or provided information. Notify any affected collaborators.

A shared responsibility

Protecting our campus is everyone’s responsibility. Small, consistent actions — verification, MFA, careful handling of links and attachments and prompt reporting — dramatically reduce exposure and keep students, faculty, and staff safe.

Remember to #becybersafeUCLA!

Learn more about Cybersecurity Awareness Month at UCLA — and enter the raffle for a chance to win tickets to the UCLA vs. USC football game — by visiting Cybersecurity Awareness Month 2025.
