How to Outsmart Phishers Before They Outsmart You

Use National Cybersecurity Month in October to follow the lead of Duke’s IT security experts

Help Duke Win the Cyber Bowl

This October, during National Cybersecurity Month, Duke will face off against seven other North Carolina universities in the Cyber Bowl. Students, staff and faculty can take a quick quiz on phishing, malware and passwords to earn points for Duke and a chance to win prizes.

“The computer landscape is getting worse and worse in terms of our information being out there,” Simmons said. “Taking security seriously is just one way to protect myself. I’d kick myself if something happened, and I hadn’t done everything I could to be protected.”

A recent Pew Research Center study shows that 73% of U.S. adults have been a victim of an online scam or attack, with a record $16.6 billion in losses reported to the FBI in 2024.

Duke University Chief Information Security Officer Nick Tripp said online scammers are becoming more sophisticated, making it critical to take steps to protect data. His IT Security Office team works to keep Duke’s online resources safe in an increasingly digital world.

“There are always going to be new attacks and new ways people can get at information they want to get access to,” Tripp said. “We have to be able to move faster and have protections in place to compensate.”

With National Cybersecurity Month in October, Working@Duke asked Duke’s IT security experts for their habits and strategies. Here’s what they said.

Let a Safe Password Manager Help You

Duke Chief Information Security Officer Nick Tripp

Tripp said an ideal way to handle online passwords is to have a long, strong unique password for each account. With a 2024 study by NordPass showing the average American has around 255 passwords, that’s not easy. 

“The only way to do that is with a password manager,” Tripp said.

Password managers are software tools that create, store and automatically enter passwords for apps and websites. Duke staff, faculty and students can download the popular password manager 1Password at no charge.

With 1Password, users only need to remember one login. The tool generates and autofills strong, unique passwords for accounts across computers and mobile devices. Duke also offers a family version for up to five users.

Sam Naim, a Security Operations Analyst with Duke’s IT Security Office, uses 1Password and constantly recommends password managers to friends and family.

“I feel like a broken record when I tell people about using a password manager,” Naim said. “It’s just a safer, better practice.”

Add an Extra Layer

Duke IT Security Office Program Analyst Catarina Pottle

Whenever IT Security Program Analyst Catarina Pottle creates a new online account, she enables multi-factor authentication if it’s available.

Multi-factor authentication adds an extra layer of security by requiring more than one way for users to verify their identity.

This can be a code or push notification from an app like Duo, a hardware token such as a YubiKey, or a biometric factor such as fingerprint recognition.

While it adds a step, multi-factor authentication is considered a hard-to-breach security measure because you can confirm it’s really you logging in, not someone else.

“It’s important to add as many layers of protection as you can,” said Pottle, who develops security policies, communicates risks through advisory reports and supports cybersecurity awareness across Duke.

Stay Up to Date with Software Updates

Duke Health Technology Solutions Information Security Analyst Gaylynn Fassler

As an Information Security Analyst with Duke Health Technology Solutions, Gaylynn Fassler designs simulated phishing emails to test the Duke community’s cybersecurity skills. One of the simplest ways she says anyone can protect their data is by keeping software up to date.

The apps, software tools and operating systems on computers and mobile devices require a near-constant stream of updates. While some updates may provide improvements to the user experience, most are meant to patch a security weakness.

That’s why Fassler wastes no time installing updates as soon as they become available.

“A lot of times when people see updates that don’t include anything new or shiny, they might be like ‘No, I’m not doing it,’” Fassler said. “But those are often security updates that are important. You shouldn’t wait to install them.”

Check if Your Email Address is in a Data Breach

Duke IT Security Office Security Operations Analyst Sam Naim

After hearing FBI cybercrime experts recommend the website HaveIBeenPwned.com to check data security, Naim entered his email address. As an IT security expert at Duke since 2016, Naim was shocked to discover his data had been exposed in breaches.

“When these passwords are leaked, they’re out there,” said Naim, who quickly changed his passwords.

Regularly checking for leaked passwords is a smart security habit. For more ways to protect your data, Tripp recommends Digital Defense’s personal security checklist, which includes 258 practices to strengthen social media, email, web browsing, smart devices and more.

“It really helps you get your house in order in terms of how you’re organizing things and what you need to be aware of,” Tripp said. “Most people will encounter something on the checklist that they didn’t consider before or that they didn’t know they needed to be mindful of.”

Report Scammers

Duke OIT Database Administrator Vanessa Simmons

In July 2025, an average of 1,586,176 emails were sent to Duke University and Duke University Health System addresses each day.

Of those, an average of 558,375 emails potentially containing malware, viruses, or phishing attempts were intercepted by Duke’s security systems per day.

But the most important layer of security is savvy users like Vanessa Simmons, who can spot phishing attempts. Tripp said that AI tools now help scammers create phishing emails without the usual red flags like bad grammar or sloppy formatting. That makes it even more important to trust your instincts and, if something feels off, use the “Report” button in your Outlook email toolbar to alert Duke’s IT security team.

“The only guidance I would give is to be skeptical,” Tripp said. “Slow down and really think about what you’re seeing in your inbox.”
