Report a Security Concern

Security Concerns and Best Practices

We rely on you to follow security best practices—and report issues—to protect the confidential data of students, faculty, and staff and the integrity of our systems and services. Here are the top security concerns and best practices to help you be secure, successful, and productive wherever you work.

Report a Security Concern

If you feel that your data, information, or hardware has been compromised, fill out the form below and the Information Security Office at Maricopa Community Colleges will reach out to you.

Your Name
Potential unauthorized disclosure of personally identifiable information (PII) Note: Disclosure or alteration of MCCCD data sensitive in nature, such as social security numbers, credit card numbers, bank account information, etc.
Information Security
Note: This can include emails asking for personal information such as passwords, credit card information, etc. It can also include emails that include harassment or threats. For more information on how to identify suspicious emails, click here.
Note: When someone gains access to a website, program, server, workstation, or other system using someone else's account or other methods.
Note: This would include issues logging in to Thycotic, or other Information Security tools, or concerns that a password has been compromised.
Note: This may include reporting that an organization device is infected with viruses, malware, or ransomware.

Security Concerns and Best Practices

Email and phishing scams are on the rise. Hackers will attempt to deceive you with emails that appear legitimate. Review emails closely to ensure you are sending to the correct recipient or receiving from legitimate business or company contacts or resources before taking action (for example, clicking a link).

Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a trusted person or company brand with a link that sends you to a malicious website or file. Without proper training, a user will not easily recognize the email as a phishing attempt.

Content That Includes Enticing or Threatening Language

A false promise, a quick reward, or a threat that you will lose something can create a sense of panic, urgency, or curiosity. Emails that have an aggressive tone or claim that immediate action must be taken to avoid repercussions should immediately be considered a potential scam. Two examples of this are phishing emails telling users their critical accounts are locked or that an invoice must be paid to avoid services being suspended.

Email Addresses Can Be Spoofed

Never trust an email-based simply by the sender email address. Hackers have many ways to disguise emails and “spoof” the “from” sender. A common type of spoofing uses a visible alias and cousin domains.

Visible alias spoofing, known as “display name spoofing,” is where the phisher uses a legitimate company name as the email sender, such as, but the email underneath is a random address like This is especially effective on a mobile device because the sender’s email address is hidden.

A cousin domain looks identical to a legitimate email address, but it has been slightly altered. For example, to spoof an email, the hacker might use In other cases, hackers will use confusing extended domains, such as

Links Aren’t Always What They Seem

Every phishing email includes a link, but phishing links are deceptive. While the link text might say “Reset Your Google Password,” the URL takes the user to a phishing page designed to look like Microsoft. Make sure your employees hover over all links before clicking them to see the pop-up that displays the link’s real destination. If it is not the website expected, it is probably a phishing attack.

It is most important to make sure that the core of the URL is correct. Be especially cautious of URLs that end in alternative domain names instead of .com or .org.

Phishing Links Can Be Sent via Attachment

All phishing emails contain a link, but it’s not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email. And because sandboxing technology scans attachments for malware, not links, the email will look clean. The email itself will appear to be from a legitimate business, vendor, or colleague, asking you to open the attachment and click on the link to review or update information.

Hackers Use Real Brand Images and Logos in Phishing Emails

Brand logos and trademarks are no guarantee that an email is real. Brand images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source. While most email filters can spot a known phishing URL, they cannot spot a counterfeit image unless they have machine learning and computer vision capabilities.

Attacks Are Becoming More Personal

Spear-phishing attacks can be very personalized from purported colleagues and are designed to evoke fear of consequences at work. A classic example is an urgent email from your manager requesting gift cards or a wire transfer. Receiving such a request from a higher level executive puts pressure on the employee to act quickly—without thinking it through. Another example is the direct deposit spear phishing email, which is designed to pressure an employee into changing direct deposit information.

Being Smart

When you receive an email with links or attachments, before you click, first ask yourself three questions when deciding to click an email link or attachment:

  1. Was I expecting an email from this person or organization? Carefully review the sender’s FROM: and REPLY TO: email addresses.
  2. Was I expecting a link or attachment in this email? Copy the link URL and paste it into a new browser window to verify where the link will take you. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.
  3. If so, is the link or attachment what I was expecting to receive? If email seems suspicious and you’re unsure, reach out to the sender. Call them by phone or send a new email to them for verification (do not reply to the original email in question).

Other Tips for Avoiding Being a Phishing Victim

Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email. Before sending or entering sensitive information online, check the security of the website at

To avoid compromising data security or being responsible for a system breach, we urge you to follow this guidance when handling confidential information.

Being Smart

  • Do not save sensitive or student data on personal devices. They do not have the same levels of protection as Maricopa Community Colleges-owned devices.
  • Only store student and other confidential data in approved storage locations in the cloud or our data centers. For example, use your Google Drive instead.

Refer to the Information Classification and Handling IT directive for additional guidance.

Refer to the Information Technology Directives on Cloud Services to learn about approved online storage solutions.

Hackers use devious websites to infect unsuspecting visitors’ devices with viruses and malware to gain access to these devices without the user’s consent and steal or ransom confidential data.

While browsing, you must take precautions to protect against compromising cyberthreats.

Being Smart

  • Be careful about clicking unknown links on a website while using any device, whether it’s Maricopa or personally owned
  • Avoid questionable websites
  • Do not click on unknown pop-up windows that appear when visiting websites
  • Only download software from sites you trust
  • Use antivirus, anti-malware, and firewall software on personal devices and make sure it’s up to date—if you don’t have this software, Maricopa Community Colleges offers Sophos Free Antivirus Protection for Home and Work free of charge
  • Increase your browser’s security settings.

You must keep your Maricopa and other accounts secure to guard against data breaches and unauthorized access to business and personal information.

Being Smart

  • Do not share your accounts and passwords
  • Follow password best practices (suitable password length, complexity, special characters, etc.)
  • When not in use, always lock your computing device

When using your personal computing device for work or private use, you must use proper security measures to guard against data breaches and attacks caused by viruses and malware.

Being Smart

  • Use antivirus, anti-malware, and firewall software on personal devices and make sure it’s up to date—if you don’t have this software, Maricopa Community Colleges offers Sophos Free Antivirus Protection for Home and Work free of charge.
  • Ensure your computing device’s operating system (for example, Windows or Mac OS) is current with the latest patches. You can update manually, but we recommend using the built-in update features to make sure your computer is up to date.
  • Lock or shut down devices when not in use.
  • If possible, do not share the device used for work with others.
  • If using VPN, disconnect from the VPN network when done with work.

While convenient, a USB thumb drive is easy to lose, and anyone who finds it can access the stored content unless it is encrypted. Viruses and malware can infect thumb drives, so only use your USBs. Never insert a random USB to see what’s on it. Hackers sometimes drop them in public places for curious individuals to find.

Being Smart

  • Do not store internal or confidential data on USB thumb drives
  • If you find a random USB thumb drive, do not use it

Computer theft is on the rise. Take proper precautions to guard against theft or unauthorized access.

Being Smart

  • Don’t leave your computing device (Maricopa or personally-owned) or cell phone in your vehicle, even if it is locked
  • Keep laptops secured at all times—stored or located in a safe location and locked
  • When not in use, lock the computing device