Recognizing and Reporting Phishing


Recognizing and Reporting Phishing


Phishing is still a thing!


With all the headlines about "company A got hacked" or "college B had a breach", it is easy to overlook the fact that many breaches begin with a successful phishing attempt.  

A phish is when bad actors send you a message, whether through email, instant message, or otherwise, that appears to be legitimate but is actually tricking you into taking an action that is against your own best interest.  These messages will often spoof the most popular brands that many or most people use such as Amazon, Netflix, Google, Microsoft, and others but may also attempt to spoof you, your friends, classmates, or co-workers in an attempt to leverage the trust they have.

Spotting a phish can sometimes be very easy but is often very difficult.  Bad actors have been at this a long time and have taken steps to perfect their craft. It is for this reason we must be extra vigilant and question every message we get, especially if it is unexpected, is asking us to do something, sounds urgent, or has an attachment.  


All but the most expertly-crafted phishing emails have a "tell".

Here are some ways to identify a phishing message:

Unfamiliar Greeting
If you receive an email from someone you know or someone in your organization and it appears overly familiar or not familiar enough, depending on the context of your relationship to them, this could be a sign of a phishing attempt.
Grammar and Spelling Errors
We all make grammatical mistakes and misspellings from time-to-time but, if the source of the message appears to be a company, professional organization, or someone with whom you have frequently corresponded, there should be few, if any, unexpected grammatical or spelling mistakes. If the spelling and grammar seem out-of-character for the email, it may be phishing.
Inconsistencies with Email Addresses, Domain Names, and Links
Check the email address of the sender. Does it really come from the person it says it does or does the email address  not match up with the name displayed?  Check the domain names and links in the email.  Do the domain names and links go to the actual site or have they been modified, even just a little, to make it go elsewhere?
Sense of Urgency, Threats, or Call to Action
Is the message asking you to take a specific action?  Are they asking for sensitive information or saying that catastrophe will occur if an action is not taken? Is it saying something must happen right now?  If so, it could be a phishing attempt.
Emotional Reaction
Is the message intended to provoke an emotional reaction? Does it scare you or tug at your heart strings? Is it about some recent calamity or catastrophe that everyone is paying attention to? Is it divisive or emotionally provoking? Phishing attempts will often use emotion to inspire clicking links or opening attachments without validating the rest of the message.
Were you expecting to receive this conversation or message or did it arrive "out of the blue"? Phishing messages are often unexpected.  Treat all unexpected messages with suspicion.

If you see something, say something!


Aside from avoiding phishing and deleting it, the best thing you can do is report it.  This lets others know that the phishing is happening. In the case of reporting buttons, it will also often add to the algorithms that detect spam and phishing and help the email provider recognize this better in the future and catch it before it makes it to you. 


Reporting phishing may be different depending on your email provider.  The majority of the consumer mail providers, however, generally make it simple and straightforward.

Below you will find some links on how to report phishing attempts to some of the major email providers:

  1. Gmail
  3. Yahoo
  4. Protonmail


For more information, facts, and figures about phishing, please see this Infographic and this Tip Sheet.

Enabling MFA

Multi-Factor Authentication

Password Management

Using Strong Passwords and Password Managers

Software Updates

Keeping your software up to date

Phishing Awareness

Recognizing Phishing and reporting it