So You've Been Phished - Now What?
If your account has been compromised, or you suspect you have been phished, change your password first. Then what?
Phase 1: First steps immediately after the compromise
Step 1: Credential Reset & Session Revocation
The "Clean Device" Rule: Do not reset your password on a device that may be infected; a keylogger or session-stealing malware on that machine would capture the new password too. Use a smartphone or a colleague's computer instead.
After you change your password, also end all active sessions (sign out everywhere) so that an attacker who already holds a logged-in session or a stolen session cookie is cut off, and then review your account settings for unauthorized changes.
In Google Workspace, click the account menu in the upper-right and choose "Sign out of all accounts." Note that this only signs out the browser you are using; to end sessions on other devices, open Google Account > Security > "Your devices" and sign out anything you do not recognize. Changing your Google password also signs out most other devices, but confirm this on the "Your devices" page rather than assuming it.
For Microsoft 365, visit the Security info page and click the link at the bottom labeled "Sign out everywhere". This revokes sign-in tokens, but sessions that already hold an access token can keep working until that token expires (typically up to an hour), so do not treat the account as clean until then.
Read Protect your Gmail and Payroll Settings and follow the instructions carefully.
Step 2: The "Twin" Reset
Did you use the same password anywhere else, such as your personal bank, Amazon, or personal Gmail? Change those immediately too. Attackers run stolen credentials against other popular sites (credential stuffing) within minutes of a successful phish.
Phase 2: Checking for other problems
Step 1: Check for Persistent Threats
In Gmail, check your email filters for any that look unfamiliar. To find your Gmail filters, click the Gear icon (Settings) in the top right, select "See all settings," and open the "Filters and Blocked Addresses" tab. This page lists all active filters and lets you edit or delete them. Attackers typically add filters that delete, archive, mark as read, or forward messages containing words like "password," "payroll," or "direct deposit" so that you never see the warnings their activity generates. While you are in Settings, also check the "Forwarding and POP/IMAP" tab for a forwarding address you did not add, and the "Accounts and Import" tab for unfamiliar delegates ("Grant access to your account") and for changes to your recovery email and phone number.
Check for other logged in apps on your account:
Did you click "Allow" on a pop-up? Check your "Connected Apps" or "Third-Party Applications" list.
Action: Revoke access to any app you don't recognize (e.g., "Mail Reader Pro," "University PDF Scanner").
Google Account Security has info about devices and sessions.
Browser Extensions: Check your browser for new, unknown extensions. A malicious extension can read page contents (including webmail and banking pages) or redirect your traffic, and it survives a password change.
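Reviewing filters one at a time in the Gmail settings page is tedious if you have many of them. The following script is an added example (it is not part of the original LTS page and not a Google or Lehigh tool): it parses the XML that Gmail produces when you select filters on the "Filters and Blocked Addresses" tab and click "Export", and flags any filter that forwards, deletes, or hides mail, or that matches the sensitive keywords attackers typically target. The embedded feed is a constructed sample, not a real export, and the keyword list is an assumption you should extend for your own environment.

```python
"""Triage an exported Gmail filter list for signs of attacker persistence.

Added example, not part of the original LTS page. It reads the Atom/XML
file Gmail produces from "Filters and Blocked Addresses" > Export and
reports filters that forward, delete, or hide mail, or that match words
attackers commonly use to suppress security and payroll notices.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Assumed watch list; extend it for your own environment.
SUSPICIOUS_TERMS = ("password", "payroll", "direct deposit", "security alert",
                    "sign-in", "invoice", "wire", "reset")

# Constructed sample export (three filters) for illustration only.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR payroll OR "direct deposit"'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='to' value='me@example.edu'/>
    <apps:property name='forwardTo' value='archive.mailbox@example.net'/>
  </entry>
</feed>
"""

CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")


def parse_filters(xml_text):
    """Return one dict of property name -> value per <entry> in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def flag_filter(props):
    """Return the reasons a filter looks like persistence; an empty list means benign."""
    def is_true(name):
        return props.get(name, "false").lower() == "true"

    reasons = []
    if "forwardTo" in props:
        reasons.append("forwards mail to " + props["forwardTo"])
    if is_true("shouldTrash"):
        reasons.append("deletes matching mail")
    if is_true("shouldArchive") and is_true("shouldMarkAsRead"):
        reasons.append("hides matching mail (archive + mark as read)")
    criteria = " ".join(props.get(k, "") for k in CRITERIA_KEYS).lower()
    hits = [t for t in SUSPICIOUS_TERMS if t in criteria]
    if hits:
        reasons.append("matches sensitive keywords: " + ", ".join(hits))
    return reasons


def triage(xml_text):
    """Return (filter number, match criteria, reasons) for every flagged filter."""
    findings = []
    for number, props in enumerate(parse_filters(xml_text), start=1):
        reasons = flag_filter(props)
        if reasons:
            criteria = {k: v for k, v in props.items() if k in CRITERIA_KEYS}
            findings.append((number, criteria, reasons))
    return findings


if __name__ == "__main__":
    for number, criteria, reasons in triage(SAMPLE_EXPORT):
        print(f"Filter #{number} {criteria}")
        for reason in reasons:
            print("   - " + reason)
```

Run it against your own export by reading the file into a string and passing it to triage(). A benign archive-to-label filter (the first sample entry) is not reported; the second and third entries are, because they hide and delete mail matching payroll keywords and forward mail to an outside address. The export covers filters only; forwarding addresses and delegates live on the other Settings tabs and still need a manual check.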
Step 2: Check where you may be logged in elsewhere
The "High Stakes" Questions:
"Was I logged into the HR/Payroll portal?"
"Do I have access to student grades (FERPA) or patient data (HIPAA)?"
"Was my Google Drive/OneDrive mapped to my computer?"
If YES: Contact the LTS Help Desk.
Phase 3: Reporting & Recovery
Who to Tell (and Who NOT to)
DO: Use the "Report Phishing" button in your email client (sends headers automatically).
DO: Email spam@lehigh.edu or call the Help Desk (ext. 84357).
DON'T: Forward the email to your entire department asking "Is this real?" This spreads the malicious link and may get more people phished.
If You Entered Personal Financial Information:
Freeze Your Credit: Immediately freeze credit with Equifax, Experian, and TransUnion.
Fraud Alert: Place a "Fraud Alert" on your file (free and lasts 1 year).
Contact Us
Email: helpdesk@lehigh.edu
Call: LTS (technology) Help Desk: 610-758-HELP (4357)
Chat: lehigh.edu/ltschat
Text: 610-616-5910