Campus Email Phishing Checklist: Scholarship and Account Safety for 2026
A student-focused 2026 checklist for checking scholarship, bursar, internship, and campus account emails without sharing passwords, private documents, or panic-clicking links.
Scholarship, bursar, internship, and campus account messages can arrive when students are tired, worried about deadlines, or moving between classes. That is exactly when phishing works. This 2026 checklist helps students slow down, verify through official channels, and protect private information without ignoring legitimate school messages.

The decision table
| Message clue | Good sign | Pause and verify |
|---|---|---|
| Sender and destination | The request matches a known campus office and points you to the official student portal you already use | A shortened link, new payment page, or urgent reply-to address appears only inside the email |
| Scholarship or aid claim | The message matches published financial-aid timing and asks you to log in through the normal portal | It asks for gift cards, bank credentials, full SSN by email, or a fee to release aid |
| Account security notice | It tells you to use known campus IT channels, MFA, and password-reset pages | It threatens immediate closure unless you click a link or share a code |
| Evidence to keep | Headers, screenshots without passwords, ticket numbers, and the official office response | Forwarding credentials, private documents, or verification codes to a stranger |
Step 1: Build a personal official-channel baseline
Before a scary email arrives, bookmark the student portal, financial-aid office, bursar, campus IT help desk, and scholarship office from the university website. Then suspicious messages can be checked without clicking embedded links. A baseline also helps students notice when a message uses the wrong office name, a strange domain, or a deadline that does not match the academic calendar.

Step 2: Remove the dangerous shortcuts
Do not send passwords, MFA codes, bank logins, full identity documents, or private aid details through email or chat. Do not pay a scholarship release fee with gift cards, wire transfers, crypto, or a payment app because a message says the deadline is urgent. If the request might be real, open the official portal in a fresh browser tab or call the published office number.
Step 3: Build the routine around student behavior
Students check messages between classes and jobs, so the routine must be quick: stop, don’t click, compare the sender/domain, open the official portal separately, and report the message if it still looks wrong. Save a short note with the date, office name, and ticket number. The goal is not to ignore every urgent email; it is to move important decisions back to official channels.

Practical checklist
- Bookmark official campus portals and office contact pages before scholarship season.
- Hover or inspect links, but verify by opening the official site separately.
- Never share passwords, MFA codes, private documents, or bank credentials by email.
- Treat fees, gift cards, crypto, wire requests, and secrecy pressure as high-risk signals.
- Save safe evidence: sender, subject, timestamp, headers, screenshots with sensitive data hidden, and ticket numbers.
- Report suspicious messages to campus IT or the official security mailbox.
- If aid, enrollment, or immigration status could be affected, call the published office number rather than relying on the email thread.

Common mistakes
The first mistake is trying to decide from the email alone. A convincing logo or deadline does not prove authenticity. The second is replying to ask whether the message is real; that confirms your address and keeps the conversation inside the attacker’s channel. The third is forwarding too much private data when reporting. Security teams need the suspicious message details, not your password, ID document, or MFA code.
Reader FAQ
What if the scholarship deadline is today? Use the official portal or published office phone number. A real urgent issue should still be visible through an official channel.
Should I click the link if it looks like my university domain? No. Type the known portal address or use a saved bookmark. Attackers can make links look familiar in the visible text.
What evidence is safe to keep? Keep timestamps, sender details, headers, ticket numbers, and redacted screenshots. Do not store or send passwords, codes, banking details, or full identity documents as proof.

One-week review
After one week, confirm that bookmarks, MFA recovery options, and reporting contacts are easy to find. Ask whether the routine helped you verify messages without missing real deadlines. If a step slowed you down, simplify it; the core behavior is official-channel verification, not a complicated investigation.

Summary
Campus phishing defense works when students move money, scholarship, and account decisions out of the email thread and back to official portals. Build a contact baseline, refuse credential/code requests, keep safe evidence, and report suspicious messages through campus IT. That gives readers practical protection without pretending that a checklist can authenticate every private message.