Now Viewing Information for: Students
Show me information for Employees

In this section:


What is phishing?

Phishing scams are attempts to trick you into releasing your email, bank, credit card, or other private information to an unidentified individual. They are usually carried out via email, but can also occur via phone calls where a scammer claims to be a representative of your school, bank, or some other organization.


How do I recognize phishing attempts?

  The primary hallmarks of a phishing email are:

  • Impersonation: These emails may appear as they are from a reputable source such as Mercer, or your bank.
  • Web links: The linked sites typically ask you to enter personal information, usernames, and passwords.
  • Threats: Phishing often involves threats to disable your account if you don't provide the requested information.
  • Poor spelling and grammar: This helps the emails evade junk mail filters.
  • Malicious QR Codes: Think Before You Scan! As cybercriminals evolve they try to find other ways to trick you in to sharing your personal information by using QR codes. Follow the tips in this document to keep your data safe.

Here is an example of what a typical phishing email looks like. Take this Phishing IQ Test to see how well you can spot a phishing email.phishing example

Here is an example of a typical QR code phishing email. Review this document for more information on spotting a suspicious QR code.

If we receive reports of a malicious email, we post it on our Security Alerts page. If you see an email listed there, you can delete and disregard the message.


How do I report a phishing email?

The best way to report phishing email is to use the Phish Alert Report button. Follow the instructions outlined below.

  1. Open the message you would like to report.

  2. Select the App icon and the Phish Alert button.


Is it ok to move email from my junk folder back in to my inbox?

 It is best to leave email found in your junk or spam folders unless you are 100% certain of the sender.


What are the most common types of phishing?

Phishing attacks come in various forms, from traditional email scams to more sophisticated methods like spear phishing and smishing, all aimed at one goal: stealing your personal information. Below is information on some of the more common forms of phishing.

Spear phishing

Spear phishing is a targeted form of phishing attack in which an attacker customizes their messages for a specific individual or organization. Unlike regular phishing attacks that are more generic and sent to a large number of people, spear phishing emails are tailored to appear more legitimate and are designed to trick specific individuals into revealing confidential information or taking actions that could compromise their organization's security.

Because spear phishing emails are more personalized and targeted, they can be more difficult to detect than traditional phishing emails. To protect against spear phishing attacks, individuals and organizations should be cautious of unsolicited emails, especially those that ask for sensitive information or contain suspicious links or attachments.



Smishing is a type of phishing attack that is conducted via text messages. In a smishing attack, scammers send text messages that appear to be from a legitimate source, such as a bank, government agency, or reputable organization. These messages often contain a sense of urgency or a tempting offer to lure the recipient into clicking on a link or providing sensitive information.

The goal of smishing attacks is typically to trick recipients into divulging personal information, such as account credentials, credit card numbers, or other sensitive data, or to get them to click on malicious links that can lead to the installation of malware on their devices.

To protect yourself from smishing attacks, be wary of unsolicited text messages, especially those that ask for personal or financial information. Verify the sender's identity before clicking on any links or providing any information.



Vishing is a type of social engineering attack where an attacker uses voice communication, typically over the phone, to deceive individuals into providing sensitive information or performing actions that compromise their security. The term "vishing" is a combination of "voice" and "phishing."

To protect yourself from vishing attacks, be cautious of unsolicited calls asking for personal information and verify the identity of the caller before providing any sensitive information.


What should I do if I am the victim of a phishing attempt?

Please note that Mercer’s IT department will not request any sensitive information via e-mail from you. We continue to work toward preventing phishing, virus, and spam messages from reaching your inbox.

If you do respond to a phishing email and provide any information, follow these steps:

Change your password and password security questions.

  • If you provided your password for any Mercer systems, change your password as soon as possible.
  • If your password is used on more than one website, change it everywhere you use it.
  • Most sites have security questions which allow you to reset your password. The scammer may have seen your current answers, so it's a good idea to change them as well.

Contact your bank, credit card company, etc...

  • If you have given the scammer any financial information, contact your, bank or credit card company and report it. Your credit card company can place a fraud alert on your account.
  • Contact the 3 main credit bureaus and have them put a fraud alert on your credit file.
  • If you have provided your driver's license information, contact your DMV.
  • If you provided your Social Security number, visit, or call the Federal Trade Commission at 1-877-IDTHEFT (1-877-438-4338).

Review your account activity.

For the next few weeks, carefully review any accounts that could have been accessed using the information provided to the scammer. The scammer may not use the information provided right away, so it's important to keep an eye on your accounts for any suspicious activity for some time after the phishing took place.

Reduce your future risk.

Using a different password for every website you use is one way to reduce your security risk. Information regarding other ways to protect yourself can be found on our Security Best Practices website.
(478) 301-7000