CUNY is aware that compromised Microsoft 365 email accounts are being used in phishing campaigns masquerading as official CUNY or College financial aid office notices. The email subject line and message body suggest urgency or immediate action is required for financial aid grant disbursement or funding offers.
Recent security threat indications/symptoms:
- Subject line may suggest that the information is coming from CUNYfirst.
- Subject line contains text like “Required Action for Grant Funding Eligibility” or “Immediate Response Required for Grant Disbursement.”
- Subject line or email message suggests immediate action required, such as clicking on a link or replying to the email.
If you think you have already been impacted by this security threat:
If you receive a potential phishing message or if you already responded to a phishing email, immediately contact your campus help desk at 718.982.HELP (4357).
Reminders:
- DO raise awareness of scams by reviewing the CUNY “How to Protect Yourself against Secret Shopper, Personal Assistant, and other Online Scams!” and Phishing advisories posted at security.cuny.edu under CUNY Issued Security Advisories.
- DO NOT reply to unexpected or unusual emails from any sender.
- DO be particularly cautious when an “external source” warning banner is present.
- DO NOT reply to emails with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly.
- DO NOT click a link or open an attachment in an unsolicited email message. If you have reason to believe the request is real, type the Web address for the company or institution directly into your Web browser.
- DO NOT use the same password for your work account, bank, Facebook, etc. If you do fall victim to a phishing attempt, perpetrators will attempt to use your compromised password to access many online services.
- DO change ALL your passwords if you suspect any account you have access to may be compromised.
- DO be particularly cautious when reading email on a mobile device. It may be easier to miss the telltale signs of phishing attempts when reading email on a smaller screen.
- DO remember that official communications should not solicit personal information by email.
- DO read the CUNY Personal Assistant Scam and Phishing Advisories posted at security.cuny.edu under CUNY Issued Security Advisories.
- DO complete information security awareness training in Brightspace.
By the Office of Technology Services








