Identify Email Phishing Scams

This page contains a number of resources to help you learn about the risks of email scams and to teach you how to recognize a scam email. Read on to learn how to foil the scammers.

How do I identify email phishing scams?

If you are unsure if an email is legitimate, ask yourself these questions before replying or clicking on a link. Always keep in mind that University administrators and Information Systems personnel will never request your username or password by email. If an email claims to be from the University, Information Systems, or the murraystate.edu team and asks you to give out your private information, it is a scam.

Look at the Header

1. If the email claims to be from Murray State University, but doesn't come from an @murraystate.edu address, then it's likely a fake email. On a mobile device, the sender's email address isn't always obvious.
   1. In the Gmail mobile app, tap on "View Details" to see the sender's email address.
   2. In the Apple mail app, tap on the Name in the "From:" field to see the sender's email address.
2. Have I given my email address to this company before? Do I have an account with this company? Does the sender identity match the purpose of email? Email about your banking or university account should come from the organization, not from a random email address. If you have no relations to the sender, 99% of the time it is a phishing email.
3. Is my email address listed as the From: address? If so, it is a fake email.
4. Is the To: line address to undisclosed-recipients or a large number of recipients? A legitimate email from a business firm you have dealt with will usually be addressed only to you. If the text alludes to confidential information, but has several addresses on the To: line, it's definitely not legitimate.

Look at the Content

1. Does the website link look valid? Make verifying web addresses a habit. Even though a link looks valid and displays the correct web address, it could take you someplace completely different. Don't ever click on a website link or an image without verifying that the link is legitimate--you could be redirected to an attacker's website. Rest (but do not click) the mouse pointer on the link to verify the real Web address. Watch out for Web addresses that resemble the name of a well-known company, but are slightly altered by adding, omitting, or transposing letters. For example, the address www.microsoft.com could appear instead as:
   • http://www.micosoft.com
   • http://www.mircosoft.com
   • http://www.verify-microsoft.com
2. Are there misspelling and typos? How is the grammar and is the tone appropriate? An email from a professional company should be well written.
3. Am I being promised a lot of money for little or no effort on my part? Watch out for emails with claims that make a promise that seems too good to be true. These are common phishing scams known as advanced fee fraud. Examples of these claims might be:
   • "You have won the lottery" (perhaps one from a foreign country) that you don't remember entering.
   • A foreign government official would like your assistance in transferring funds and will pay you a hefty commission if you agree.
   • You stand to inherit millions of dollars from a relative you don't remember.
4. Am I asked to provide money up front for questionable activities, a processing fee, or to pay the cost of expediting the process? This is a common way for con artists to scam money from unsuspecting users. The con artist will run away after taking your initial payment.
5. Is someone asking me for my bank account number, other personal financial information or passwords? Beware of emails asking for this information, even if the sender offers to deposit money into your account. Be suspicious of phrases like:
   • "Verify your account."
   • "Click the link below to gain access to your account."

Think about the Email's Purpose

Email is NOT a secure way to share sensitive information. Businesses should not ask you to send passwords, login names, Social Security Numbers, or other personal information through email. Be advised that Information Systems will never request your password.

1. IS this a request you would normally expect to see from the sender?
2. Does it seem odd that this paticular sender would contact you through email?
3. Is the issue really as urgent as the sender makes it out to be? Con artists try to convey a sense of urgency so that you'll respond immediately without thinking. Be suspicious of phrases like:
   • "If you don't respond within 48 hours, your account will be closed."
   • "Failure to do this may automatically render your account deactivated."
   • "Our investigation shows that your email address is compromised and is used to send out spam message in our webmail system. As a result, our network engineer will be conducting a maintenance in our webmail system, your Username will be disabled if you do not send us the required information within 48 hrs."
4. Why does the sender request confidentiality? How can I tell if evidence that the proposed activity is legitimate and really authentic? Be suspicious about offers to send you photocopies of government certificates, banking information, or other evidence that their activity is legitimate. Photocopies are not acceptable for verifying authenticity of documents. These are often fake.

Can I report email phishing scams?

Yes. Please contact the Service Desk to report scams that purport to be a University service or if you are in doubt about the validity of an email. In addition, suspicious emails and activity can be sent to the Information Security team through the service: Report Phishing Email or at abuse@murraystate.edu.

Learn More

Watch this YouTube video about phishing - What is Phishing.

Visit OnGuardOnline.gov for practical tips from the federal government and the IT industry to help you identify Internet fraud, secure your computer, and protect your personal information.