
How to spot phishing scam emails

Monday, October 9, 2017
Haley Baker  

At Ohio University, cybersecurity is everyone's responsibility. The steps we take to secure our own data are the same steps we should take to secure the university's data. This article is part of a series of cybersecurity stories that focus on the ways we all can make a difference.


Email is something that most of us use daily, and because of our familiarity with it we often let our guard down when reading messages in our inbox. Phishing attacks prey upon this and try to trick you into doing something that would result in your private information being shared. These messages are often easy to spot, but require more attention to detail than you would typically give to other email.

What is phishing?

Screen shot of a Disabled Email Account phishing scam

Phishing is the act of sending a fraudulent message that claims to come from someone you know or trust and that requests personal information about you to use for malicious purposes. It can be something as small as stealing your login credentials to a website, or it could trick you into revealing banking information, sensitive business data, or other private data.

Phishing messages have 3 core “red flags” that may all be in the message, but even one of them should be enough to make you skeptical of the message.

Red flag #1: Emotion

The message tries to elicit an emotion.

Phishing messages will use phrasing that indicates you must complete an action in a short amount of time “or else.” They may even promise a financial reward if you follow their instructions. A legitimate email from a business or person will not attempt to sway you into swift action by using these emotional tricks.

Red flag #2: Odd language

The message is written oddly.

You may receive an email from a colleague asking you to send them the payroll information for your entire department, but you notice that their email signature isn’t using their preferred name (Ed instead of Edward). The request itself may contain grammatical or spelling errors, and may not use the tone that a colleague would use. A great indicator that a message is not legitimate is that the "from" address doesn't match the person or department that supposedly sent the message! While this isn’t an infallible way to identify a legitimate email, it’s a good thing to look for.

Red flag #3: Call to action

Screen shot of a bogus document download email

The message asks you to do something.

If an email wants you to click an embedded hyperlink, download an attachment, or sign into a link before a deadline, you should be wary of the request. Use the “look, don’t touch” technique for links in emails: If you hover your mouse cursor on the link without clicking, it will show you the destination address. If the email you received from your bank links to an address that doesn’t have anything to do with your bank, it’s safe to say that you just caught a phish.

What to do with suspicious messages

If you're ever unsure about an email you've received, feel free to forward it as an attachment to security@ohio.edu. We'll help you identify if it's legitimate or a scam and explain what traits we looked at to identify it as such. 

If you want to see real examples of phishing messages, we maintain a collection of scam messages and tips on how to spot them on the OIT Security website. 

Related Links

FTC anti-phishing tips 
OIT Security
SANS Newsletter: Phishing