Be on the lookout for the most blatant and most devious email phishing scams—and learn what you can do to avoid them
Tuesday, September 10, 2019

If you send or receive emails at the University of Iowa, be on the lookout for phishing scams.

A phish is an email that looks legitimate but is actually a scam. Some people have had their identities stolen or their paychecks re-wired. Failing to recognize a phish can cost you and the university considerable time, money, and a lot of worry.

Find other recent phishing examples, complete phishing prevention tips, and instructions for reporting phishing scams on the Information Technology Services website.

Phishing emails look like they are from a trusted source, such as your bank, your employer, or a friend, but they’re really from hackers and con artists. The email tries to trick you into clicking a link that will download malware onto your computer, or into revealing a password, an account number, or other private information.

Information Technology Services filters about 69 percent of the 2.5 million email messages that get sent to students, faculty, and staff every day, but some deceptive and dangerous emails manage to slip through to your inbox. 

Protect yourself and others by scrutinizing every email you receive, especially those that:

  • Ask you to click a link or open a file
  • Suggest negative consequences if you don’t do as they say
  • Include spelling, grammar, or formatting errors
  • Deal with finances, private data, or other sensitive topics

Here are 10 examples of recent phishing attacks on the UI campus and how to recognize them.

1. The “account-closure” notice
 

[Image: phishing attempt that threatens account closure]
  • Virtually any email that threatens to close your account or delete your data is a phishing attack. If you’re not sure, call the sender. Don’t click on any links.
  • Authentic ITS Help Desk messages use specific subject lines, provide clear instructions, and—most importantly—avoid vague links like the one shown in this example.

2. The scare tactic
 

[Image: phishing attempt that aims to scare]
  • Many phishes try to scare you into responding quickly without thinking.
  • Many phishes have sloppy writing and design, or they look a little “off.”
  • If you’re unsure about a link, move your cursor over the link and wait. The website it links to will appear and you can see if it matches what the email says.

3. Be suspicious of vague emails
 

[Image: phishing attempt that is vague]
  • If this email really was important, it would be more specific. Don’t trust vague messages.
  • An “important” email with this many grammar and punctuation errors is suspicious.

4. Read the fine print
 

[Image: phishing attempt]
  • If an email looks suspicious, read the fine print. This one, for example, mentions Champion System, an athletic apparel company.
  • Phishers regularly pretend to be useful services, such as voice notes. The ITS Help Desk never sends voice notes.

5. Taking advantage of timing
 

[Image: phishing attempt that mentions changing of server]
  • Many phishes use a seasonal change to appear legitimate. Remember that most threats to close an account are phishing attacks. If you’re not sure, call the sender. Don’t click on any links.
  • An important email with this many grammar and punctuation errors is suspicious.

6. Financial information
 

[Image: phishing attempt that mentions tax info]
  • University offices take care when handling your financial information. If a financial matter requires your attention, you’ll be asked to contact an office or securely log in to Employee Self-Service—not click an email link.
  • Note: The subject line includes a [UnivAdm] tag. Tagging can help you filter or classify your messages, but never assume that the presence (or absence) of a tag means a message is safe.

7. More than one logo
 

[Image: phishing attempt with multiple logos]
  • This phish tells you it’s going to ask for a sign-in once you click the link. Phishing emails often point you to a bogus web page set up to capture login credentials or other information.
  • The university rarely sends emails with logos from two organizations; be suspicious of this.

8. Pretending to be a popular service
 

[Image: phishing attempt pretending to be from DocuSign]
  • Phishers regularly pretend to be services, such as DocuSign.
  • If you’re unsure about a link, move your cursor over the link and wait. The website it links to will appear and you can see if it matches what the email says.

9. Threatening you with a penalty
 

[Image: phishing attempt that threatens a penalty]
  • Many phishes not only threaten to close an account, they also threaten you with penalties.
  • Many phishes have sloppy writing and design, or they look a little “off.”

10. Offering a reward
 

[Image: phishing attempt that offers a reward]
  • This phish dangles a reward instead of making threats. Note that the university doesn’t send out emails promising refunds.
  • If you’re unsure about a link, move your cursor over the link and wait. The website it links to will appear and you can see if it matches what the email says.