To protect your personal information and the security of Johns Hopkins’ systems, please be extremely cautious about any email that asks you to follow a link and enter your login or other personal information.
Before you enter any information on a webpage that you believe is from Johns Hopkins, check the URL, which is the website address found at the top of the page. Johns Hopkins’ login page address starts with login.johnshopkins.edu/ or microsoftonline.com. The URL of a fake page may include the words “Johns Hopkins” or “JHU” or “JHHS,” but if it does not follow the format above, you are not on the actual login site.
For example, this is a real Johns Hopkins web address:
This is not a real Johns Hopkins web address:
If you receive an email message in your Johns Hopkins inbox that you suspect is a phishing scam, please forward it as an attachment to IT and then promptly delete it. The address is the word “spam” followed by @jhu.edu. More information about protecting yourself from phishing scams is on the IT website, which can be accessed by entering it.johnshopkins.edu in your browser and, when you get to the page, clicking on the security link in the navigation bar.
Phishing (pronounced “fishing”) is a form of identity theft that attempts to trick people into revealing personal or financial information online. Phishers use phony Web sites or e-mail messages that appear to be from trusted businesses and brands in order to steal personal information such as usernames, passwords, credit card numbers or Social Security numbers.
Johns Hopkins will never send you an email message asking you to follow embedded links to “verify” information about yourself. Likewise, responsible banks, credit card companies, retailers, social media companies and others who email you will never ask you by email to follow a link and input critical account or personal information.
Please remember: Entering your user ID and password on a page you access from a link in a scam message gives phishers your credentials. They may then use this information to access your Johns Hopkins or personal information. That could result in identity theft, damage to your credit and other serious consequences. It could also result in attacks on other computers on the Johns Hopkins network.
Protect Yourself from Phishing and other Email Scams: Dos and Don’ts:
DON’T send passwords or any sensitive information over email
DON’T click on “verify your account” or “login” links in any email
DON’T reply to, click on links in, or open attachments in spam or suspicious email
DON’T call a phone number in an unsolicited email or give sensitive data to a caller
DO report impersonated or suspect email to firstname.lastname@example.org
DO be cautious about opening attachments, even from trusted senders
Some phishing messages are obvious frauds, full of spelling errors or clearly phony attempts to suggest a previous connection between you and a message sender. Other phishing attempts, however, are quite clever and deceptive. Some might even send you to a phony but real-looking Johns Hopkins login page. So please be careful: Never judge a message simply by how real it looks or who it seems to come from. Think also about what it is asking you to do. Look at the URLs of sites where the message is trying to send you.
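The URL check described above can also be applied mechanically to links pulled from a reported message. The following is an added example, not Johns Hopkins code: it compares the parsed hostname with the login addresses stated on this page. It assumes that any subdomain of microsoftonline.com is acceptable and that the real login page is always served over HTTPS. The sample links are constructed.

```python
import re
from urllib.parse import urlsplit

# From the page: the real login address starts with one of these.
EXACT_HOSTS = {"login.johnshopkins.edu"}
# Assumption: subdomains of microsoftonline.com (such as
# login.microsoftonline.com) count as the Microsoft sign-in host.
PARENT_DOMAINS = {"microsoftonline.com"}
# Words the page says a fake URL may contain.
BRAND_WORDS = ("johnshopkins", "jhu", "jhhs")


def check_login_url(url):
    """Return (trusted, reason) for a link that claims to be the login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "unparseable URL"

    on_allowlist = host in EXACT_HOSTS or any(
        host == d or host.endswith("." + d) for d in PARENT_DOMAINS
    )
    if on_allowlist:
        # Assumption: a genuine login page is always served over HTTPS.
        if parts.scheme != "https":
            return False, "allowlisted host but not HTTPS"
        return True, "host matches the real login address"

    # The brand name appearing anywhere else (subdomain label, path,
    # userinfo before '@') does not make the host genuine.
    squashed = re.sub(r"[^a-z0-9]", "", url.lower())
    if any(word in squashed for word in BRAND_WORDS):
        return False, "brand name present but host is not the login host"
    return False, "host is not the login host"


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://login.johnshopkins.edu/idp",
    "https://login.johnshopkins.edu.verify-account.example/idp",
    "https://login.johnshopkins.edu@mail-update.example/",
    "http://login.johnshopkins.edu/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_login_url(link), link)
```

Only the first sample passes: the second puts the real name in front of a different registered domain, the third hides the real name before an `@`, and the fourth is not HTTPS.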
Should you receive an email message in your Johns Hopkins inbox that you suspect is a phishing scam, please forward it as an attachment to email@example.com and then promptly delete it.
Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises. These messages usually direct you to a fake website or otherwise get you to divulge private information. The perpetrators may then use this private information to commit identity theft. These messages may also contain malicious files, often Word, Excel or PDF documents. These malicious files may install worms or viruses on your computer.
The messages can be hard to recognize as fake, because they appear to come from known sources. The more familiar a message looks, the more susceptible people may be to performing actions suggested in the message. One type of phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to “click here” to verify your information.
Recent phishing messages received at Johns Hopkins claim to originate from a “JHU Support Team” or “Webmaster” or from another source inside Johns Hopkins. The subject lines say, “Verify your JHMI EDU account” or “Confirm Your Account” and include a request to respond with information such as username, password and date of birth.
Phishing scams often try to scare or trick the recipient into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.
From: “Johns Hopkins University” <firstname.lastname@example.org>
Date: Mon, Dec 12, 2016 at 12:58 PM -0500
Subject: 2 Important Message.
You have 2 Important message from the school faculty.
Johns Hopkins University
Sent: Wed, June 12, 2015 11:59 pm
Subject: Annual Security Awareness Breifing
In order to comply with the requirement for quarterly security briefings, please read through the following link and familiarize yourself with its content. Upon completion of the briefing please complete the accompanying form confirming that you have done so. Please do so within the next ten business days.
The site has a number of links guiding you to additional security information. It would be a good idea to bookmark this address to keep it handy for future reference.
Security Training Group
Johns Hopkins University
From: email@example.com [firstname.lastname@example.org] On Behalf of Mail Administrator [email@example.com]
Sent: Sunday, October 24, 2010 9:01 AM
Subject: Johns Hopkins Enterprise Messaging
The Johns Hopkins Enterprise wish to inform you that our Account Review Team identified some unusual activity in your Jhmi Webmail Account. Do send us your current login credentials to keep your account active.
Johns Hopkins Enterprise
Online Webmaster Department
Financial institutions and other legitimate businesses — including Johns Hopkins — generally will not send e-mail messages requesting that type of information. Furthermore, legitimate internal Johns Hopkins messages about access to IT resources should provide contact information for you to use to get in touch with someone if you have questions. They would also have specific information regarding access. Information technology departments within Johns Hopkins would provide as much notice as possible about outages or changes to your account.
How to spot a phishing message?
When you receive an email message, please consider these points:
If you’re not sure about the legitimacy of an email message, please report it to us and we’ll gladly take a look. Suspected phishing can be reported to firstname.lastname@example.org or you can simply delete the message from your mailbox.