Recognizing Phishing Emails

Phishing is defined as trying to obtain financial or other confidential information from someone by imitating a trusted organization or person. Examples of phishing include messages pretending to come from IT asking you to enter your password, messages that contain malicious attachments, or fake messages from your bank telling you to visit their website via an enclosed link. Phishing usually happens over email, but can also take place over instant messaging services. This article explains how to spot phishing emails, including some helpful examples of real phishing attempts at IC.


Microsoft Outlook, Office 365 Outlook Web App


Identifying Phishing Emails

Be careful:

  • Watch out for “phishy” emails asking the recipient to “confirm” personal information. 
  • IT will never ask you for this information via email and if you receive an email from IT that does request this information, it's a phishing email. Report these types of email to the Service Desk.
  • Don’t click on links within emails that ask for your personal information. Criminals use these links to lure people to phony Web sites that impersonate real. Hover over the link and look at the destination link closely in the bottom bar of the window. To check whether the message is really from the company or agency, call it directly or go to its Web site (use a search engine to find it).
  • Never enter your personal information in a pop-up screen. Use browser pop-up blockers.
  • Only open email attachments if you’re expecting them and know what they contain.
  • If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information.
  • If you want to verify whether an email is legitimate, contact the sender using a seperate channel of communication. For example, if you recieve an email from your bank, you can call them usng the number on their website (not in the email) to check.

Why Phishing Works

Phishing attacks are so common because they are very effective. Many times, a computer security breach is not caused by some sophisticated hackers breaking into a network, but by one person clicking on an attachment or link in an email. By understanding why phishing works, you can better protect yourself and your information.

Attackers rely on several principles or techniques to convince people to fall for their tactics:

  • Urgency: By making it seem like time is critical, victims can be manipulated into doing what the attacker wants. An email might take the form of a fake notice from the IT department, telling the victim that the department is deleting unused email accounts and that the recipient must reply immediately with their username and password or their account will be deleted.
  • Trust: Imitating a trusted party, such as your employer, your bank, or the government, is another technique attackers use. For example, the sender might imitate the IRS, say that you owe back taxes, and tell you to download the attached document to view the details. They would be counting on the victim trusting the IRS and being worried about legal trouble, and therefore downloading the attachment.
  • Spearphishing: This is a type of phishing attack that targets a specific person. Attackers imitate a friend or coworker, and use whatever personal information they can find to make the email look legitimate. A frequent example is an email targeted at an employee that pretends to come from the CEO and asks that money be wired to a specific account.
  • Pharming: Pharming is a virus or malicious program secretly planted in your computer that hijacks your Web browser. When you type in the address of a legitimate Web site, you’re taken to a fake copy of the site without realizing it. Be aware of how your browser is behaving. Run antivirus software if you're suspicious of anything.

Real-Life Examples

Below you will find two examples of phishing messages sent to the Ithaca College community. Follow along with the numbered boxes for an explanation on specific red flags that can help you spot a phishing email in the future. 

Example 1: Outlook 2016

A phishing email. The sender of the email is not The message body does not match the style of official IC communications.  Hovering the mouse pointer over the link shows it does not go to an website.

  1. The display name field of an email is often the best place to start. This field can be easily manipulated to falsify the actual sender. Here we see the address as "", there are two red flags here. First, the email is coming from the email system. Announcements to the campus will come from an address ending with "". Secondly, "ITHACA.EDU" is suspicious given that it appears in all caps. 
  2. The message body is often the most difficult section to spot a red flag. Common red flags in a message body are: spelling and grammar errors, a false sense of urgency, and information that could contradict your general knowledge about the college.  Here the author does not have very many spelling or grammatical mistakes, but the look and feel of the message differs from legitimate communications sent from campus departments.
  3. Scrutinizing links can be the best way to spot a phishing message. The key step is to not actually click a link, but to hover your mouse's pointer over the blue text. This will display the actual web address a link will take you to. If a link does not point to an website, it may be malicious. An example of this is given in the second picture of this example below.

The link in this phishing email is malicious, as revealed by hovering over the link to reveal its destination.

The link actually went to an off campus website that was designed to look like MyHome.

Example 2: Outlook Web App

An email viewed in the Outlook Web App. The "from" address is spoofed to look like it came from IC.  The email is about salary increases, which are not communicated over email. The link in the email does not go to an site.

This example is one of the more difficult messages to spot as a phishing messaging, but by checking the display name, analyzing the body for contextual clues, and hovering over links, you will be able to see it is a phishing email.

  1. The display name here is "Ithaca HR" with the email address "". Once again, the sender manipulated the from: field to make it appear as if this message was sent from an email account. If you are ever unsure if a message actually came from a user or department on campus, take the time to call them and confirm that they actually sent the message. Here the minor clue is that the email address is odd, given that it says "hr" twice.
  2. The body of this message is free from spelling and grammatical errors, but two details stand out. Firstly, veteran members of the faculty and staff will know from experience that salary raises emails like this are not sent via email. Secondly, the valediction or farewell of the letter uses the word "faithfully", this is somewhat out of character for emails sent from most campus departments.
  3. The link here is once again the best indicator that this email is not legitimate. When you hover over the link you can tell this link actually links to a website hosted on the Russian domain system. On web browsers, you need to look in the lower left corner for the details on where a link actually goes. This is illustrated and enlarged in the next two images.

An email being viewed in the Outlook Web App. Hovering the mouse over the link indicates it goes to a .ru domain.

  1. Start by hovering over the link with your mouse cursor.
  2. The info box appears in the lower left with the actual website you will be taken to.
100% helpful - 1 review


Article ID: 77
Wed 8/2/17 1:27 PM
Wed 11/4/20 10:32 AM