Phishing
Phishing is a trick used by scammers and hackers to steal your personal or private information through fraudulent emails or fake websites. Personal information refers to any private information about you or your organization that could be used maliciously by a thief. Examples include usernames, passwords, your banking information, card numbers, student or employee IDs, your Social Security Number, your address and contact information, and personal life details.
Phishers often pose as authority figures or legitimate organizations, like your bank or a subscription service. If they gain access to your information, they can steal your identity, infect your devices with malware, or even compromise the university.
Phishing emails and websites are designed to mimic legitimate emails and sites. Think of a shiny plastic fishing lure (that's why it's called phishing, by the way). Fortunately, knowing what to look for can still keep you safe. Here are eight to-dos for every time you receive an unexpected email:
- Ask yourself: is there anything out of the ordinary about this email? Were you expecting it? Is it written in the sender’s voice, or does it sound “off”? Are there grammar or spelling errors? Are the logo and branding different from usual, or even missing altogether? Note that professional places of business will rarely allow even one mistake in their emails.
- Be wary of messages that urge you to act quickly before a deal ends, an account closes, or some other consequence strikes. Online criminals often capitalize on their victim’s instincts and fears. Don't accept any "free" offers or make any account changes you aren't absolutely sure you signed up for.
- Don’t trust an email that asks for your personal information (see sidebar). Reputable organizations, like banks, government institutions, large companies, and this university, will never pressure you to divulge credentials or information.
- Check the addresses for any links. You can mouse over a link to see where it goes (or press and hold on a mobile device). Look for unusual spellings or extra material in the URL. Links that start with “http” instead of “https”, or that have long, multi-part domains (like “download.google.com.drive.systeca.net”) are particularly suspect.
- Check the sender’s email address, not just their name. Does their email match their organization exactly? Watch out again for misspellings or extra characters, like “susan@amazon.com.net”.
- Look for other contact information. Does the sender provide a phone number or address? If you receive an email from an unknown source, it’s best to independently research the source before responding in any way. Type the links yourself instead of clicking.
- Take your time. A minute of caution now can save you from the embarrassment and frustration of losing private data to a criminal.
- Whatever you do, never reply directly to the suspicious email under any circumstances.
To test your ability to identify phishing emails, take five minutes to try Google's helpful phishing quiz. The quiz provides an up-to-date look at what tactics online criminals will use to try to harm you.
If you think that an email or message you've received seems suspicious, please forward it as an attachment to phishing@byu.edu and we'll review it. Choose your email provider above for the steps to follow.
If you still have questions about how to forward an email after following these steps, you can consult our Knowledge Base article on the subject.
Our information security team will carefully examine the message. If it really is a phishing attempt, we will take any necessary measures to alert other potential victims. You can also check our Phish Bowl―an up-to-date repository of recent phishing attempts.
- Click "New Message"
- In the New Message window, click the icon in the upper right hand corner for "Open in new window"
- Position the new window so you can see both Outlook windows at the same time.
- From the inbox bar on the left, click and drag the suspicious email into the New Message Window.
- Enter relevant information in the "To", "From", and "Subject" fields.
- Send the email to phishing@byu.edu
- Open the email, but don't click on anything inside.
- Click on More in the Respond options located in the Home tab at the top of the application under the respond category.
- Under the Home tab, in the Respond category, select More.
- Select Forward as Attachment. You can also find this option from the 3-dot menu in the upper right corner of the email, next to Reply and Forward.
- Forward the email to phishing@byu.edu
OR
- Select the email and use shortcut Ctrl + Alt + f
- Forward the email to phishing@byu.edu
- Don't click on anything in the email.
- Select the message you want to forward as an attachment.
- Open the Messages menu from the toolbar at the top of the screen (near Apple logo).
- Select Forward Special > As Attachment.
- Forward the email to phishing@byu.edu.
OR
- Open the email and use shortcut Cmd + J
- Forward the email to phishing@byu.edu.
- Don't click on anything in the email.
- From your inbox (not the individual email window), select the checkmark by the email.
- From the More menu (3 dots on the far right of the top bar), select Forward as Attachment.
- Forward the email to phishing@byu.edu.
You may also select Report Spam from the same More menu. This options reports the issue to Google, not to us.