Phishing Casualty: Next Steps


If you have fallen for a phishing email or suspect you have been involved in a scam, this article will help you identify the next steps needed to limit the impact on your user account and data. A phishing compromise is an unfortunate experience that can catch any of us by surprise. As difficult as it may seem at first, please know that there is light at the end of the tunnel. As a first step, let’s take a deep breath and keep reading.

Quick suggestions based on type of activity

• Did you enter your password on a fake login page and immediately realize you shouldn’t have? Read sections on Report Phishing, Account Recovery, Email Account Cleanup, Security Awareness Training

• Is somebody impersonating your manager, colleague, or an officer of the Institution? Read sections on Report Phishing, Impersonating University Employee, University Data Concerns, Security Awareness Training

• Did you respond to a job offer that was too good to be true? Read sections on Report Phishing, Employment Offer, Security Awareness Training

• Did you divulge sensitive information to a malicious actor? Read sections on Report Phishing, Identity Theft, University Data Concerns, Security Awareness Training

 

Report Phishing

Reporting phishing emails or attempts to the Information Security Team helps them coordinate more formal steps to protect the Institution. You can forward suspected phishing emails to security@depaul.edu. You can also follow the steps in this article to include email headers.

University employees must report security incidents that they have fallen victim to in their capacity as a DePaul employee (e.g. fell for phishing, divulged sensitive University protected information, etc.). Please provide details of your incident to security@depaul.edu as soon as possible.

Students are encouraged to report security incidents involving their accounts, so that the Information Security Team can provide further guidance and assistance where possible.

 

Account Recovery

If you have not already done so, make sure you change the password associated with your DePaul University account as soon as possible. Under normal circumstances you should be able to reset your BlueKey password with the self-service portal. As you proceed to change your password, please consider our guide to strong passwords. In some cases, user accounts are locked or further restricted as part of our incident response procedures; in those cases you will not be able to use the self-service portal to reset your password. For further assistance with your password reset, the Help Desk can be reached at (312) 362-8765 or email helpdesk@depaul.edu.

 

E-Mail Account Clean-up

In the majority of cases, a compromised email account will experience changes in configuration that help hide the state of the account. You might experience problems receiving new emails, notice that sent messages are deleted, find that emails are being forwarded to a suspicious account, or see that your signature block is different. These symptoms are a result of the compromise, and removing the rules configured on the account will require technical assistance. For further assistance with account clean-up, the Help Desk can be reached at (312) 362-8765 or email helpdesk@depaul.edu.

 

Impersonating University Employee

In cases where the sender pretends to be a manager or a person in a leadership position, the bad actor will often attempt to have the employee purchase items of value that can be easily transferred, such as iTunes cards or gift cards. If all you have done is exchange messages with the individual, then you can stop all communication and ignore further requests. It is very likely that other members of your immediate team are also being targeted, so feel free to share information with them. If you have already purchased the items and transferred the codes to the bad actor, it may be too late to recover funds, but you can try to contact the card provider (Amazon, Google, etc.) to see if it is possible to recover some of the funds. You should also report this fraudulent activity to your bank and/or credit card provider, as these organizations should be made aware and may also be able to help you recover your funds and provide further guidance. In ProCard transactions, the activity should be reported to the bank as soon as possible, as your department is still liable for the funds.

Malicious actors may also impersonate University employees to trick employees into performing other actions or divulging other information. If you have performed any action on behalf of a scammer, that affects University resources or data, please immediately report the activity to the Information Security Team at security@depaul.edu.

 

Employment Offer

Fraudulent job offers are popular and often lead to fraudulent financial transactions. In some cases the offer requires a simple email response, but it may also request that you complete a web form with basic contact information. If you have responded to a suspicious job opportunity, but have not provided any sensitive information, you’ll want to stop all communication immediately and report the phishing incident to the Security Team. 

In cases where basic contact information has been given out, you’ll need to remain vigilant for any checks that might arrive in the mail. Any checks sent to you are unlikely to clear and will be rejected by the bank within a couple of days after you deposit them in your account. As part of the scheme, the bad actor may ask the victim to withdraw a smaller amount to make a deposit into a different account, make gift card purchases, or wire money to a different individual. There has been a new trend of malicious actors utilizing Zelle or Cash App instead of fraudulent checks, so please be on the lookout for these as well. If you still have the funds or goods, you should try to get a refund on them; otherwise you may have lost the funds in those transactions. The financial institution used to purchase the goods should be contacted to report the fraud and determine if funds can be recovered.

In most cases the main objective is to take funds from the victim, but depending on the amount and type of personal information shared with the bad actor, you may still be at risk of identity theft. Depending on your risk tolerance, you may consider implementing one or more of the steps described in the Identity Theft section.

 

Identity Theft

Recovering from identity theft is a challenging experience that will require patience and determination as you work to restore your good name. As you work to recover from the experience, you may find yourself reaching out to multiple organizations and resetting account credentials more than once. Keep in mind that as you work to regain control of your accounts, the bad actors are working to retain them.

The most beneficial and informative resource on identity theft guidance can be found on the FTC’s website. If you believe you are the victim of identity theft, or may soon be one, please review that resource here: https://www.identitytheft.gov/

Additionally, some helpful tips can be found below:

• Contact the organizations potentially involved, such as banks, creditors, employer, school, etc. The organizations may have specific instructions for you to follow after you alert them of the identity theft affecting you.
• Reset passwords for accounts involved and enable multi-factor authentication where possible.
• Purchase or subscribe to identity theft protection services
• Place a fraud alert to force credit providers to verify your identity before opening new lines of credit
• Place a credit freeze to prevent you or others from opening new credit accounts
• Request change of credit card or account numbers from financial institution

Take steps to make it more difficult to be targeted in the future:

• Take the security awareness training offered by DePaul University
• Enable multi-factor authentication on your financial institution accounts, email, and social media.
• Dedicate a specific email account for use with banking and credit institutions that is not associated with social media or other uses.
• Be cautious of the information shared on social media. Before sharing, ask yourself if the information posted could be used to reset a password or guess secret questions for account recovery.

 

University Data Concerns

All University employees have a responsibility to ensure that University protected data is appropriately secured. Any University employee that believes that they may have provided protected information to a malicious actor, or any party that should not have access to that protected information, should immediately report the concerns to the Information Security Team at security@depaul.edu.

Further guidance and information regarding protected information can be found in the Access to and Responsible Use of Data Policy.

 

Technology Support Scams

Fraudulent technical support scams come in a variety of forms that aim to use fear and urgency to pressure you into accepting computer assistance. The fake technical support may arrive in a number of ways, such as an e-mail message, web browser pop-up window, computer tray icon, application window, or phone call. In all cases, the scammers communicate a sense of urgency that leaves users feeling cornered into accepting the support.
 
Please remember that DePaul University IS staff will never ask for your password. If you have provided your credentials in any way to a suspicious support technician, please follow the Account Recovery and Report Phishing procedures. DePaul University IS staff will never ask you for payment for support services. If you have transferred payment to a support technician, please contact your bank or credit provider to make a fraud claim as soon as possible. In addition to following the Report Phishing procedures, you may consider implementing one or more of the steps described in the Identity Theft section. Although Microsoft Teams and Zoom provide desktop capabilities, DePaul University IS support staff will only use LogMeIn Rescue as a default method for remote support. If you have granted a suspicious support technician remote support permission into your computer, please follow the Report Phishing and Computer Clean-up procedures. Although not always the case, some scammers will change configuration or install malicious software on the system to reestablish control at a later time.

 

Computer Clean-up

Clean-up of a computer after infection or the suspicion of infection is a technical task requiring experienced individuals to assess the risk and run tools on the system. The tools used to clean and repair a system can cause damage if used incorrectly, which is the reason we recommend you seek help from trained individuals. Based on the account or data risks found, the technical staff may refer your case for further incident response procedures. Depending on the device, problem, and affiliation with DePaul University, you may have different options available for technical support. 

Case 1:
· Support: DePaul University Genius Squad 
· Affiliation: Student
· Device: Personal Computer
 
Case 2:
· Support: DePaul University Help Desk
· Affiliation: Faculty, Staff
· Device: DePaul University purchased/owned computer
 
Case 3:
· Support: DePaul University Genius Squad
· Affiliation: Faculty/Staff
· Device: DePaul University purchased/owned computer
 
Case 4:
· Support: Private consumer support (Best Buy, Apple, or other privately owned repair business)
· Affiliation: Faculty/Staff
· Device: Personal Computer

The DePaul University Help Desk can be reached at (312) 362-8765 or by email at helpdesk@depaul.edu. The Genius Squad walk-up service is available at Schmitt Academic Center (SAC), Room 259 or DePaul Center, Room 11029.

 

Security Awareness Training

Helpful security training and resources are available to all University community members on our security training page. Both the employee and student offerings provide knowledge on a variety of information security topics, such as phishing, malware, password hygiene, and more, and can help community members familiarize themselves with safe computing practices.