Phishing and Spam - What to do with Suspicious Emails
What is phishing? What to do with phishing/spoof emails if one is received.
If you receive an email you are not sure about, do not reply. Follow these instructions on sending the email as an attachment to firstname.lastname@example.org. Do not forward the email; otherwise, the information needed for analysis will be lost.
Official University entities will NOT ask users for confidential information through email or text.
More about Phishing
Phishing occurs when a person or persons try to obtain financial or other confidential information (e.g. login IDs, passwords, etc.) from online users. This is usually accomplished by sending an email that looks like it is from a trusted company or institution and that contains links to fake web addresses created to look like trusted addresses. Identity thieves may also call or text as another method of phishing.
Attackers often take advantage of current events and certain times of the year:
- Natural disasters (Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (H1N1)
- Economic concerns (IRS scams)
- Major political elections (Presidential election)
- Holidays (Fourth of July and Christmas)
Being prompted for usernames, passwords, and/or PINs- Webpages should not prompt for credentials immediately after clicking the link. Be conscious of web pages that do not provide a landing page that reinforces the message of the email before providing a link to the authentication method.
Urgent/Too good to be true- If an email seems too good to be true, it most likely is. Be cautious with any message offering to place money into your bank account by simply "clicking here". Also, if the content places any kind of urgency as far as "you must click into your account now" it is most likely a scam.
Request for personal information- One tactic that is commonly used by hackers is to alert you that you must provide and/or update your personal information about an account (SSN, bank account details, account password, email). Phishers will use this tactic to drive urgency for someone to click on a malicious URL or download an attachment aiming to infect the user's computer or steal their information.
Visually verify the from address- Probably the easiest way to tell whether an email is legitimate is to hover your mouse pointer over the name in the from column. By doing so, you will be able to tell if the email is from a recognizable domain that is linked to the actual sender name. For example, an email from Match.com should typically have the from domain of "match.com", not "motch.com" or "humbletemper.com".
URL Legitimacy- You will always want to make sure the link is legitimate and uses encryption (https://). The University spam prevention software modifies some links that are displayed during mouse hovering which prevents further evaluation. However, in order to be extra cautious, it is best practice to always open a new window and go to the site directly by typing the URL instead of clicking the link provided in the email message.
Incorrect grammar/spelling- A common practice of many hackers is to use misspelled words on purpose. While it may seem that this would easily reveal an illegitimate email, it is actually a tactic used to find less savvy users. Spammers have learned that if they get a response from a poorly written email, they are on to an easy target and will focus their efforts to bring that user down.
Plain text/Absence of logos- Most legitimate messages will be written with HTML and will be a mix of text and images. A poorly constructed phishing email may show an absence of images, including the lack of the company's logo. If the email is all plain text and looks different than what you're used to seeing from that sender, it is best to ignore the message.
Message body is an image- This is a common practice of many spammers. Make sure the email is a good mix of text and images. Also, there may be embedded links for you to hover over within the image for an extra step of precaution.
Suspicious attachments- Is the new email in your inbox the first time your bank has sent you an attachment? The majority of financial institutions or retailers will not send out attachments via email. So be careful about opening any from senders or messages that seem suspicious.
My email address is listed as the from address- If you notice that your email address is being identified as the from address, this is a sign of a fake email message. Along those same lines, if the to field shows a large list of recipients, you should also be cautious. Legitimate emails will most likely be sent directly to you and you only. You may see "undisclosed recipients" and this is something to keep an eye on as well. It could be a valid sender, but double check by using the other tips identified above.
How to Handle Suspicious Email
Should I open the email?
As long as you are using up-to-date software - including your mail client, browser, and operating system - you should be able to open email messages and view them without fear. Email viruses are real, but computers aren't infected just by opening emails any more. Email attachments require extra caution (see below).
You can delete the email without opening it when:
- Your email address is listed as the "From" address and you know it's not from you
- The "From" address is unrecognized and the "Subject" looks suspicious (e.g. written in all capital letters, contains misspellings)
I've opened and read the email. Is it legitimate?
Signs that the email is not legitimate and should be deleted include:
- The "From" address is from an unrecognized company or doesn't match the sender's name. Hover your mouse over the sender's name to reveal the email address.
- The body of the email does not contain your name, e.g. the email says "Dear customer" or something similar and does not mention you by name.
- Incorrect grammar or spelling
- The email requests you urgently click a link or take some action, often followed by threats such as "your account will be deactivated"
- The email requests you provide personal information such as SSN, bank account number, credit card number, or password
- Spoofing popular websites or companies. The email contains company logos and graphics to look legitimate and fool you into being
Are the links safe to click?
Rest your mouse (but don't click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address.
The University spam prevention software modifies some links that are displayed during mouse hovering which prevents further evaluation.
Are the attachments safe to open or preview?
The majority of financial institutions or retailers will not send attachments via email. Do not open any file attachment you were not expecting. If the attachment is from an unknown source or unsolicited email and the email still seems suspicious, use caution and
The University spam prevention software will attempt to strip out malicious attachments from email for you automatically.
I think I clicked a malicious link or file attachment.
How do I know if my University credentials were compromised?
You may not always know. Scams and malware that steal passwords are designed to be stealthy and unnoticed.
Passwords are most frequently compromised in one of three ways:
- Being tricked into giving up your credentials at a real-looking, but scam website.
- Malware, viruses, and other compromises to your devices which install software designed to run in the background and steal passphrases.
- Re-using University credentials for non-University websites, and the non-University websites' credentials are exposed during a hack.
What should I do if there is a chance my University credentials were compromised?
If you believe your University credentials have been compromised you should immediately visit and change your password at the Identity and Access Management Password Reset page: IAM Password Reset Tool. You should also contact your IT support professional immediately.
What if my personal email account, bank account, or other accounts were compromised?
Immediately change your passwords for any potentially compromised accounts. Contact any financial institutions or financial advisors to alert them of the compromised accounts. Last, check all bank statements, credit card statements, and credit reports regularly to identify any false charges or suspicious activity.
What is the University doing to strengthen authentication?
The University is actively piloting and soliciting bids from vendors for multi-factor authentication technologies to strengthen the authentication process.
Each campus has additional information on phishing scams, prevention and mitigation:
UIUC Phishing; there is also a campus community site where phishing alerts are posted along with screenshots: http://publish.illinois.edu/phishingalerts