WiFi KRACK: What you need to know
Securing the Internet of Things
Cyber security: Can you catch a phish?
How to spot phishing emails
Laptops for Harvey: OHIO IT helps University of Houston Downtown students get back online
Web Accessibility: Descriptive Links
How to create a cyber secure home
Four steps to staying secure online
October is National Cyber Security Awareness Month
Skype for Business: 3 ways to stay in touch

Cyber security: Can you catch a phish?

Thursday, October 12, 2017
Haley Baker  

At Ohio University, cybersecurity is everyone's responsibility. The steps we take to secure our own data are the same steps we should take to secure the university's data. This article is part of a series of cybersecurity stories that focus on the ways we all can make a difference.

Phishing scams are everywhere. These fraudulent emails try to trick you into giving up login credentials or personal information by claiming to come from someone you know or trust. Ohio University receives hundreds of these scam emails every day. Most get filtered out automatically, but occasionally some get through.

OIT’s Information Security Office publishes copies of actual scams sent to OHIO email users to help people learn how to identify these attacks. Want to try your hand at catching a phish? Check out the example below from earlier this year, and see how many phishing “red flags” you can spot. 

Account Validation Scam

This message below follows a common phishing template that works best when the recipient is not paying close attention. It has a number of phishing red flags:

Screen shot of email that claims to come from

Red Flag #1: Bogus sender

The message claims to come from “Helpdesk,” but the sender is not using an @ohio.edu address.

Red Flag #2: Unsolicited call to action

The message is unsolicited and asks you to validate your account, something that a legitimate message would never do.

Red Flag #3: Bogus URL

The “Validate Email Account” link does not go to an ohio.edu website. Instead, it points to a page on a UK leather apron company’s site.

Red Flag #4: Odd language

The message uses strange wording, including referring to employees as “Staffs,” asking the recipient to “kindly confirm” their account, and signing the message as, “IT Help Desk” instead of “IT Service Desk.”

Second line of defense: Web address and the “green lock”

Sometimes a scam email is good enough to trick you into clicking its sign-in link. If you do click through to a website, look at the address bar to see where you were sent. In the example below, the website looks just like our own login page with two red flags, both of which can be found in the address bar:

Screen shot of a fake OHIO login page.

Red Flag #1: Odd URL

The URL in the address bar of the login page doesn’t have ohio.edu in it. Instead, it points to a page on a pharmaceutical company’s website.

Red Flag #2: No “green lock”

The lock icon at the start of the address bar has a strike through it. This means that the website is not secure. You should look for this icon any time you’re signing into a website with a username and password. If you don’t see a green lock, think twice about entering your login credentials.

More examples

To see more examples of phishing messages with in-depth summaries on how we identified them, visit the OIT Security homepage and scroll down to the Phishing News section.

If you’re ever unsure about an email you’ve received, feel free to forward it as an attachment to security@ohio.edu. We’ll help you identify if it’s legitimate or a scam and explain what traits we looked at to identify it as such. 

Related Links

OIT Security 
FTC anti-phishing tips
How to spot phishing scam emails