Identifying Phishing Red Flags and Reporting Phishing
Identifying Phishing Red Flags
General Info
Phishing is a type of social engineering scam in which an imposter tries to fool people into giving away their personal information, such as passwords or credit card numbers. Sometimes this is done by simply posing as an important figure such as a CEO or chancellor and asking for it. Often this is done by making a fake website designed to look like one of our login pages, then sending the link out to everyone they can with messages that indicate that clicking it and logging in is urgent.
These sorts of messages often have tells that give them away. We call these red flags. This document will cover what to look out for when it comes to identifying these red flags so that you can keep yourself safe from phishing scams.
Identifying Red Flags
Here is one example of a phishing email:

- The email address that the message comes from is a generic one that the scammer is spoofing. When a message asks you to click a link or open an attachment or even scan a QR code, always consider who the sender is. Ask yourself: Does HR typically send out mass emails from a generic address like this?
- Note the ambiguous salutation. Lazy phishing scams will often use these as they are simply sending a template email to as many people as possible.
- The call to immediate action is perhaps one of the biggest red flags. Scammers don't want to give you time to think about what you're reading. They will ask you to complete it today, ASAP, urgently, etc. so as to put you into a panic and get you to click before you can consider that the email may not be legitimate. If an email gives you a very tight deadline and asks you to open a link or an attachment, be suspicious of it.
- The link itself is another one of the biggest red flags. If you have a way to check where a link really goes without clicking it, such as hovering your mouse over it, do so and compare that destination with what the email claims. If the email says the link goes to the West Valley site but the link actually points somewhere else, that is an immediate reason not to click it.
Some of these red flags on their own aren't necessarily suspicious, such as the ambiguous salutation. Taken together with other red flags, however, they give you a better chance of spotting a phishing email before clicking anything or giving up any info. Some other red flags not seen in this example:
- Obvious typos or grammatical errors: If an email appears to be a template from a company like Microsoft or Google (or even from our internal departments), it will typically have been reviewed by several employees for grammar mistakes. Phishing scammers on the other hand are prone to putting strange formatting or obvious errors in their messages. If you spot amateurish mistakes in what appears to be a template message, that is often cause for suspicion.
- Account you never created: A common phishing scam is to make it seem as though an account was created on a website with your email and without your permission. If you get an email from a site such as Yahoo or Amazon at your work email address when you know you've never used those sites with your work email, that is cause for suspicion.
- Unrequested generosity: Phishing scammers may tell you you've won a free cruise or some raffle for money. These are usually obvious, but it's possible to be blinded by the thought of free stuff. Always be wary of generosity that you were not expecting and did not request.
- Unknown carbon copies: If other users were Cc'd on an email but you don't know them and they aren't in your department, that may be cause for suspicion. Mass internal emails are usually done through mailing lists and won't show Ccs, but scammers who don't have access to those mailing lists may simply drop tons of people into the Cc field.
- Out of character: If you get a message from a person you know, but the message seems out of character for them, that is cause for suspicion. If Brad Davis himself suddenly emails you asking for a credit card number, that may not actually be Brad Davis.
- Unusual hours: Was a message from HR sent at 3 AM? We're not open then, so that message likely isn't from HR at all.
- Blackmail: If an email claims to have something incriminating on you and tries to threaten you with it, that is immediate cause for suspicion, especially if they do not immediately present whatever it is they claim to have. This is a common alternative to the "urgency" method of inducing panic, and can blind otherwise sensible people to the dangers of clicking on whatever link they send you.
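As an added example (not part of this document, and not a tool used by IS), the following Python script applies the red flags from the sample email above and from the second list to a raw email message: sender address domain, time of sending, the Cc list, generic salutation, urgency wording, and whether a link's visible text claims a different site than its real destination. The organisation domain example.edu, the business-hours window, the word lists and both sample messages are constructed assumptions.

```python
# Added example (not from the original document). ORG_DOMAIN, BUSINESS_HOURS,
# the word lists and both sample messages are constructed assumptions.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.edu"      # assumed organisation domain
BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 to 18:59 local time
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "within 24 hours")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee")
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL (scheme optional), or None."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower() if host else None


def in_org(addr):
    return addr.lower().endswith("@" + ORG_DOMAIN)


def red_flags(raw):
    """Return descriptions of the red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))   # who really sent it?
    if not in_org(sender):
        flags.append(f"sender domain is not {ORG_DOMAIN}: {sender}")
    date = msg["Date"]                           # unusual hours
    if date and date.datetime and date.datetime.hour not in BUSINESS_HOURS:
        flags.append(f"sent outside business hours: {date.datetime.hour:02d}:00")
    cc = [a.addr_spec for a in msg["Cc"].addresses] if msg["Cc"] else []
    outside = [a for a in cc if not in_org(a)]   # unknown carbon copies
    if len(cc) >= 5 or outside:
        flags.append(f"{len(cc)} Cc recipients, {len(outside)} outside the org")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic salutation")
    urgent = [w for w in URGENCY_WORDS if w in lowered]
    if urgent:
        flags.append("urgency language: " + ", ".join(urgent))
    collector = LinkCollector()                  # claimed vs real link target
    collector.feed(text)
    for href, shown in collector.links:
        real = host_of(href)
        claimed = host_of(shown) if URL_LIKE.fullmatch(shown) else None
        if real and claimed and real != claimed:
            flags.append(f"link says {claimed} but goes to {real}")
    return flags


# Constructed sample: the phishing pattern described in the document.
SAMPLE_PHISH = """\
From: "Human Resources" <hr-notices@mail-updates.example.net>
To: staff@example.edu
Cc: a@example.edu, b@example.edu, c@gmail.example, d@example.edu, e@example.edu
Date: Tue, 05 Mar 2024 03:12:44 -0800
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Employee,</p><p>Your benefits enrollment must be completed
today. Log in at <a href="http://login.hr-portal-verify.example.net/auth">https://hr.example.edu/login</a>
within 24 hours or your access will be suspended.</p></body></html>
"""

# Constructed sample: an ordinary internal message for comparison.
SAMPLE_CLEAN = """\
From: "Human Resources" <hr@example.edu>
To: alex@example.edu
Date: Mon, 04 Mar 2024 10:05:00 -0800
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alex,</p><p>The enrollment window closes on 29 March. Details:
<a href="https://hr.example.edu/benefits">https://hr.example.edu/benefits</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, red_flags(raw))
```

Each check mirrors one indicator from the lists above, and each can misfire on its own (a colleague working late, a legitimate external newsletter), which is the same point the document makes: a single flag is a reason to look closer, and several together are a reason to report.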
Reporting Phishing
When you receive what you believe to be a phishing email, don't do any of the following:
- Reply to it
- Open any attachments, QR codes, or links
- Forward it to any colleagues
Instead, DO:
- Show it to a colleague in person if you're not certain
- Send a separate, new email to a known internal email. For example if they are impersonating HR, you could send a new email to someone you know is in HR to ask if the phishing message was legitimate.
Whether or not you are able to confirm for certain that something is a phishing email, you should always err on the side of caution and report it if it makes you particularly suspicious.
To report an email the proper way, look for the Phish Alert Report button in Outlook when you're viewing the email. It will have an icon of a mail envelope with an orange hook attached to it.
In the old Outlook, it's near the top right of the screen:

In the new Outlook and Outlook on the web, it's near the Reply and Forward buttons (and sometimes inside of the "..." button if your screen is too narrow to display everything on one line):

After you report a phishing email, it is removed from your inbox. Someone from IS will verify whether it was legitimate or not. Phishing emails that are reported and confirmed are usually mass-deleted from our mail server, out of the inboxes of everyone who received them, so reporting a phishing email is an important way of protecting your colleagues from falling for the scam.