Safe Computing
Identify Phishing Scams
This page contains a number of resources to help you learn about the risks of email scams and to teach you how to recognize a scam email. Read on to learn how to foil the phisherman.
How do I identify phishing scams?
If you are unsure if an email is legitimate, ask yourself these questions before replying or clicking on a link. Always keep in mind that University administrators and NSIT personnel will never request your CNetID username or password by email. Any emails claiming to be from the University, NSIT, or the uchicago.edu team that ask you to give out your private information are scams.
Look at the Header
- Have I given my email address to this company before? Do I have an account with this company? Does the sender's identity match the purpose of the email?
Email about your bank or university account should come from that organization's own domain, not from a random email address. If you have no relationship with the sender, the message is almost certainly a phishing email.
- Is my email address listed as the From: address?
If so, the email is a fake. The From: header is trivially forged, and attackers often fill it with the recipient's own address.
- Is the To: line addressed to undisclosed-recipients or to a large number of recipients?
A legitimate email from a business firm you have dealt with will usually be addressed only to you. If the text alludes to confidential information, but has several addresses on the To: line, it's definitely not legitimate.
Look at the Content
- Does the website link look valid? Make verifying web addresses a habit.
Even though a link looks valid and displays the correct web address, it can take you somewhere completely different: the text you see and the address the link actually points to are independent. Never click a website link or an image without verifying that the link is legitimate; you could be redirected to an attacker's website. Rest (but do not click) the mouse pointer on the link to see the real web address. Watch out for web addresses that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters, or by putting the company name inside a domain that belongs to someone else. For example, the address "www.microsoft.com" could appear instead as:
- www.micosoft.com
- www.mircosoft.com
- www.verify-microsoft.com
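The header checks and the link checks above can be automated. The following script is an added example, not code from the original page or from NSIT: it parses a constructed phishing message and flags a forged From: address, an undisclosed-recipients To: line, link text that advertises one web address while the href points at another, and hostnames that imitate a trusted domain by a one- or two-letter change or by embedding the brand name inside an unrelated domain. The sample message, its hostnames, and the list of trusted domains are made up for illustration, and the "registered domain" helper is a crude last-two-labels approximation (real code would use the public suffix list).

```python
import email
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): commits the header and link mistakes
# this page lists. Hostnames other than microsoft.com/uchicago.edu are invented.
SAMPLE_EMAIL = """\
From: student@uchicago.edu
To: undisclosed-recipients:;
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://www.verify-microsoft.com/login">www.microsoft.com</a>
to keep your account active. Or <a href="http://cnet.uchicago.edu.example.net/">
validate your CNetID</a> within 48 hours.</p>
</body></html>
"""

# Assumed list of organisations the recipient actually deals with.
TRUSTED_DOMAINS = ["microsoft.com", "uchicago.edu"]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; catches micosoft.com (1) and mircosoft.com (2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    # Crude approximation: the last two labels. Fine for the .com/.edu hosts
    # used here; production code should consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def host_of(url):
    # Tolerate bare "www.example.com" link text that has no scheme.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify_host(host, trusted):
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]
        # verify-microsoft.com, uchicago.edu.example.net, micosoft.com ...
        if brand in host or edit_distance(reg, t) <= 2:
            return "lookalike"
    return "unrelated"


def header_findings(msg, my_address):
    findings = []
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if from_addr == my_address.lower():
        findings.append("From: is your own address (header is forged)")
    to_field = msg.get("To", "")
    recipients = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if "undisclosed-recipients" in to_field.lower() or len(recipients) > 5:
        findings.append("To: is undisclosed-recipients or a bulk list")
    return findings


def link_findings(html, trusted):
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        # Link text that looks like a web address but the href goes elsewhere.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and registered_domain(shown) != registered_domain(href_host):
                findings.append(f"link text '{text}' but href goes to {href_host}")
        kind = classify_host(href_host, trusted)
        if kind != "trusted":
            findings.append(f"{kind} host in link: {href_host}")
    return findings


def analyze(raw, my_address, trusted=TRUSTED_DOMAINS):
    """Run the header and link checks over a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = header_findings(msg, my_address)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings += link_findings(body, trusted)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "student@uchicago.edu"):
        print("-", finding)
```

Run as-is it reports the forged From:, the undisclosed-recipients To:, the mismatch between "www.microsoft.com" and www.verify-microsoft.com, and both lookalike hosts. The brand-substring rule is deliberately greedy: it would also flag a legitimate partner site that happens to contain the brand name, which is the right trade-off for a warning a human then reviews.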
- Are there misspellings and typos? Is the grammar correct and the tone appropriate?
An email from a professional company should be well written.
- Am I being promised a lot of money for little or no effort on my part?
Watch out for emails with claims like:
- "You have won the lottery" (perhaps one from a foreign country) that you don't remember entering.
- A foreign government official would like your assistance in transferring funds and will pay you a hefty commission if you agree.
- You stand to inherit millions of dollars from a relative you don't remember.
These are common scams known as advance fee fraud. If an offer sounds too good to be true, it almost certainly is.
- Am I asked to provide money up front for questionable activities, a processing fee, or to pay the cost of expediting the process?
This is a common way for con artists to take money from unsuspecting users. The con artist disappears after collecting your initial payment, and the promised payout never arrives.
- Is someone asking me for my bank account number, other personal financial information or passwords?
Beware of emails asking for this information, even if the sender offers to deposit money into your account. Be suspicious of phrases like:
- "Verify your account."
- "Click the link below to gain access to your account."
Think about the Email's Purpose
Email is NOT a secure way to share sensitive information. Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through email. Be advised that NSIT will never request your password, nor will we ask you to change or "validate" your password at a website other than http://cnet.uchicago.edu.
- Is the issue really as urgent as the sender makes it out to be?
Be suspicious of phrases like:
- "If you don't respond within 48 hours, your account will be closed."
- "Failure to do this may automatically render your account deactivated."
- "Our investigation shows that your email address is compromised and is used to send out spam message in our webmail system. As a result, our network engineer will be conducting a maintenance in our webmail system, your Username will be disabled if you do not send us the required information within 48 hrs."
Con artists try to convey a sense of urgency so that you'll respond immediately without thinking.
- Why does the sender request confidentiality? How can I tell whether the "evidence" that the proposed activity is legitimate is really authentic?
Be suspicious of offers to send you photocopies of government certificates, banking information, or other "evidence" that the activity is legitimate. A photocopy cannot verify the authenticity of a document, and such documents are often forged.
Examples of phishing scams
Look at our sample list of email scams on our Examples page. Some email scams also try to steal your personal information through channels other than email or online forms. For example, one of the sample scams requests credit card information by fax. Remember that your bank representative will never request your private information online, by phone, or by fax.
More examples can be found at Antiphishing.org, a phishing email archive database that keeps track of many different phishing emails that are reported throughout the year.
Can I report phishing scams?
Yes, you can report scams to the federal government. They collect the information to build cases against any given attacker. Remember there are many attackers out there, and the federal government only has so many resources to go after them. To report a phishing scam, forward the email to spam@uce.gov. You can also report phishing scams to the Anti-Phishing Working Group, a volunteer organization committed to wiping out phishing scams.
Learn More
Visit OnGuardOnline.gov for practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. To learn more about identity theft and how to deter, detect, and defend against it, visit the FTC's Identity Theft website.
Carnegie Mellon University and Wombat Security Technologies have developed a fun, simple way to learn about fake URLs with an online interactive game. NSIT is not affiliated with the creation of this game or the ongoing research associated with it; however, we believe it is a good resource for anyone interested in protecting themselves from internet crime.
You can also visit the Security Cartoon website to learn more about potential dangers on the Internet.

Last updated: 10/29/09