Security Training

New Paltz Information Technology Services

The page you visited was not the actual my.newpaltz.edu login page. That page and the email you received were set up by Information Technology Services to simulate an actual phishing attack.

Though the email you clicked on and the page you provided your information to were NOT set up by criminals, they used the same techniques criminals use to make you believe that a message is legitimate.


To start with, let's look at the actual email.  Below is an example of the email that was sent, with a few key areas highlighted.


Example of message used in phishing simulation from December 2017 


We've taken the email and highlighted a few points that can be used to recognize this message as not being legitimate. The same points can be used to recognize messages sent by actual criminals in the future.

  1. We've highlighted the from address as '1'. Note that it is from "my-newpaltz.com", NOT my.newpaltz.edu. That being said, the from address can be faked. Seeing an address like this one is a sign that the message is suspicious, but you shouldn't take a from address that looks right as a sign the message is legitimate.
  2. The actual destination link is highlighted as well. If you hover over the link (as you always should before clicking on links in emails) you'll see the actual destination in item 3 below.
  3. The destination link is NOT to my.newpaltz.edu but to my-newpaltz.com. This is a domain that we in IT registered for the purpose of this simulation, but it is incredibly common for cyber criminals to register similar addresses. It is something you should be careful about.




When you click on the link, you're brought to a page that looks remarkably like the login page used for the real my.newpaltz.edu. There are two red flags here:

  • The web address is, again, my-newpaltz.com, NOT my.newpaltz.edu.
  • Note the explicit "Not secure" message next to the web address. This means the connection to the website you are going to isn't encrypted. An encrypted site is not necessarily legitimate, but a site that is not encrypted is certainly not safe to submit login information to.


Destination page of phishing simulation
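
For mail administrators, the checks walked through above (from address, real link destination, lookalike domain, unencrypted page) can be run automatically over a message. This is an added example, not code used by Information Technology Services; the sample sender name, link text and the flag labels are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED_HOST = "my.newpaltz.edu"  # the real login host named on this page
# Constructed sample modelled on the simulation; sender name and link text are assumed.
SAMPLE_FROM = "IT Help Desk <helpdesk@my-newpaltz.com>"
SAMPLE_BODY = '<p><a href="http://my-newpaltz.com/login">https://my.newpaltz.edu</a></p>'

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def squash(host):
    """Drop the TLD and punctuation: my-newpaltz.com and my.newpaltz.edu compare equal."""
    return re.sub(r"[^a-z0-9]", "", host.lower().rsplit(".", 1)[0])

def red_flags(from_header, html_body, trusted=TRUSTED_HOST):
    """Return the warning signs from the walkthrough that this message shows."""
    flags = []
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    parent = trusted.split(".", 1)[1]  # newpaltz.edu
    if sender != parent and not sender.endswith("." + parent):
        flags.append(f"from-domain:{sender}")  # a clean From proves nothing; it can be faked
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        url = urlsplit(href)
        host = url.hostname or ""  # urlsplit already lowercases the hostname
        if url.scheme not in ("http", "https"):
            continue  # mailto: and similar are out of scope here
        if host != trusted and trusted in text.lower():
            flags.append(f"text-mismatch:{host}")  # shown text names the real site
        if host != trusted and squash(host) == squash(trusted):
            flags.append(f"lookalike:{host}")
        if url.scheme != "https":
            flags.append(f"not-encrypted:{host}")
    return flags
```

An empty result only means none of these particular signs were found; as noted above, a correct-looking from address or an encrypted page does not make a message legitimate.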