IT Security - DoIT Cybersecurity Assurance and Digital Trust
Institutional Group • 341 people

Don’t Bite on Phishing: Protect Your Financial Aid

Scammers want your login. Don't give them a cent.

IT Security - DoIT Cybersecurity Assurance and Digital Trust
January 15, 2026 at 2:53 PM

Hello UMBC Community!

During the last semester, we observed a steady stream of phishing attacks that attempted to trick users into providing their user IDs, passwords, and multifactor codes on fake login pages. In many cases, the fake login pages looked just like the real thing, and the only clue that something was amiss was the URL in the address bar. Once a user's login credentials have been obtained, an attacker can access the user's account to alter personal or financial information. This change often serves as the initial move in executing a financial scam.

As the winter break is underway and the new semester approaches, now is a great time to perform a cybersecurity check-up on your myUMBC and BankMobile accounts. 

Please follow these general tips to safeguard your accounts and funds:

  1. Periodically Verify Your Personal Information: Log into your accounts and make sure all your information, such as linked financial accounts, billing address, phone number, and email addresses are correct. If you are expecting payments, validate that the bank account where the funds will be deposited looks correct.

  2. Use Strong & Unique Passwords: Never reuse your UMBC password on other platforms — including financial services such as BankMobile. Create unique passwords for each separate account. Changing your passwords periodically can also help safeguard your account if an attacker has gained access to your password.

  3. Check the Link: Look over URLs and ensure you are accessing a trusted service. If you see a login page but the URL does not look legitimate, do not provide your password or MFA codes. It is best practice to bookmark trusted services to navigate to them directly. 

  4. Don't Give Away Your Secrets: UMBC and your financial institutions will never call, email, or text you to ask for your password or Multi-Factor Authentication (MFA) codes. If you receive a Duo push that you did not initiate, do not approve the request and report it as fraudulent.

If you give someone your password and MFA codes, you are handing them the keys to your account. This could result in financial loss or unauthorized activity for which you may be held responsible.

If you see something, say something! Report all phishing emails to security@umbc.edu.


Stay smart, stay safe!

Tagscybersecurityawarenessphishing
#1.20.3.1 - 6506 - production - prod3 - general-public