We recently had a problem with a student who had someone hack into his e-mail account to send spam. And it turned out to be pretty easy for the hacker, since the student sent him his login and password.
This is very hard to understand. I&TS will never ask for your password -- we just don't need it. This is true of any IT department or website or bank. No one legitimate will ever ask for your password.
What's even harder to understand was that the e-mail that did the phishing for the password had no connection with Siena. It wasn't sent from a Siena address, and you were supposed to reply to an address outside of Siena. If we did need your password (and, as I said, we never do), wouldn't we have sent it from a Siena address? Wouldn't we have had you reply to a Siena address?
You have to be alert on the Internet, and doubly alert when anything might involve passwords or money. Never trust an e-mail that asks for personal information, especially if you have never contacted anyone about a problem.
If you have questions about an e-mail like this, you can always contact I&TS, or whoever you think is asking for the information. They can confirm that it's fake. No one ever has a legitimate reason to ask for your password, and you should never be fooled.