Security Awareness: Don't get hooked by Phishing Scams

What is phishing?

Phishing is a technique often used by hackers and identity thieves to compromise accounts and install malware.

Phishing is a social engineering method in which the attacker uses an email message or phone call to lure unsuspecting recipients into giving out personal, financial, or other sensitive information, which the attacker then uses to commit identity theft, gain access to the victim's accounts, or compromise their computer. The email or call usually appears to come from a legitimate source.

How do I know if an email is phishing?

ITS has compiled the following tips to help you avoid falling prey to phishers:

  • Scrutinize all emails before downloading attached files or clicking links.
    • Verify that the sender's email address is legitimate and belongs to someone you know. Even if the sender name appears to be legitimate, hovering your mouse over the sender address may show you a different email address entirely.
    • Be skeptical of messages that have poor spelling or grammar, sloppy formatting, or a generic greeting such as “Dear Customer” rather than your name.
    • Beware of common intimidation tactics such as “Urgent action required!” or “Your account has been compromised!” If you're concerned, contact the sender through other known means, such as company support phone numbers.
  • Don’t click on unrecognized links.
    • Want to know where a link is actually going? Hover over it with your mouse cursor to reveal the actual web address.
    • At MSU Denver, all email links are checked for legitimacy through the Outlook SafeLinks feature. However, the ever-changing landscape of phishing attempts means this may not always catch a fake link.
  • Don’t download “free” software onto your PC; this is a common gateway to getting scammed.

Example of a phishing e-mail:

Dear Outlook Account User,
This message is from Outlook user care messaging center to all employee and student, to all Outlook account owners. We are currently upgrading our data base servers and e-mail account center. We are deleting all compromised account during the last academic break.
You will have to Authenticate your Outlook Account to prevent a permanent closure of this email address/web-mail account.
To Authentication CLICK HERE<http://microsoftportalwebaccess.weebly.com/>
Successfully authenticated addresses will be automatically notified via inbox.
Warning!!! Account owners who do not authenticate their account after receiving this update will have his or her account terminated. We are committed to protecting your privacy. Your sensitive details will not be shared with any third party.
MICROSOFT CARE CENTER HELP DESK © 2014 Microsoft Corporation. All rights reserved.

What do I do if I've received a phishing email?

DON'T respond to phishing emails

Scammers are often working off of large lists of email addresses and have no idea which of those accounts, if any, are actively monitored, or even still open. Any response signals to the scammer that someone is paying attention to that address.

DO report phishing emails

Most major email clients have built-in reporting functionality that allows users to bring attention to a suspicious or malicious email, with the added benefit of blocking the sender's address.

Please report and mark any potentially malicious email you see within Outlook, when possible. Please see our Report Phishing Email service for additional information on reporting emails.

What do I do if I've fallen for a phishing email?

If you've given out sensitive information, there are steps you can take to protect yourself and your accounts. If you act quickly, you may be able to avoid serious losses.

  1. If you provided login information, you should change your password immediately. If you use this password on other accounts, change the password for those accounts as well.
  2. If this was a breach of MSU Denver information (including information about you as an employee), you should immediately report it to ITS. The security team will be able to help you with next steps.
  3. If you provided information about yourself, follow the guidance in our article, What do I do if I revealed my personal information to a phisher?

Additional Resources