Recognizing and Reporting Phishing




Phishing is still a thing!


With all the headlines about "company A got hacked" or "college B had a breach", it is easy to overlook the fact that many breaches begin with a successful phishing attempt.  

A phish is when bad actors send you a message, whether through email, instant message, or otherwise, that appears to be legitimate but actually tricks you into taking an action that is against your own best interest. These messages often spoof popular brands that many or most people use, such as Amazon, Netflix, Google, Microsoft, and others, but may also attempt to spoof you, your friends, classmates, or co-workers in order to leverage the trust they have.

Spotting a phish can sometimes be very easy but is often very difficult. Stay vigilant against phishing attempts involving AI: remember, legitimate organizations won't ask for sensitive information via AI chatbots or emails. Always verify the source and be cautious when sharing personal data.

All but the most expertly crafted phishing emails have a "tell".

For more information, facts, and figures about phishing, please see this Tip Sheet.

Here are some ways to identify a phishing message:

Unfamiliar Greeting
If you receive an email from someone you know or someone in your organization and it appears overly familiar or not familiar enough, depending on the context of your relationship to them, this could be a sign of a phishing attempt.
Grammar and Spelling Errors
We all make grammatical mistakes and misspellings from time to time, but if the source of the message appears to be a company, professional organization, or someone with whom you have frequently corresponded, there should be few, if any, unexpected grammatical or spelling mistakes. If the spelling and grammar seem out of character for the sender, it may be phishing.
Inconsistencies with Email Addresses, Domain Names, and Links
Check the email address of the sender. Does it really come from the person it says it does, or does the email address not match the name displayed? Check the domain names and links in the email. Do they go to the actual site, or have they been modified, even just a little, to lead somewhere else?
Sense of Urgency, Threats, or Call to Action
Is the message asking you to take a specific action?  Are they asking for sensitive information or saying that catastrophe will occur if an action is not taken? Is it saying something must happen right now?  If so, it could be a phishing attempt.
Emotional Reaction
Is the message intended to provoke an emotional reaction? Does it scare you or tug at your heartstrings? Is it about some recent calamity or catastrophe that everyone is paying attention to? Is it divisive or emotionally provoking? Phishing attempts will often use emotion to get you to click links or open attachments without validating the rest of the message.
Were you expecting to receive this conversation or message or did it arrive "out of the blue"? Phishing messages are often unexpected.  Treat all unexpected messages with suspicion.

If you see something, say something!


Aside from avoiding phishing and deleting it, the best thing you can do is report it. This lets others know that the phishing is happening. Reporting buttons will also often feed the algorithms that detect spam and phishing, helping the email provider recognize similar messages in the future and catch them before they reach you.


Reporting phishing may be different depending on your email provider.  The majority of the consumer mail providers, however, generally make it simple and straightforward.

Below you will find some links on how to report phishing attempts to some of the major email providers:

  1. Gmail
  2. Outlook.com
  3. Yahoo
  4. Protonmail
