Avoiding Phishing Emails

[Figure: a decision tree providing advice for avoiding phishing emails]

In most cases, an email that contains links or attachments, or that asks for money, credentials, or other sensitive information, and whose sender you can't verify should be examined carefully until you can confirm that it's legitimate.

Avoiding Dangerous Links

Dangerous links can be used to:

  • Confirm your identity so attackers can target you in the future
  • Trick you into entering credentials for a well-known website on a fake website
  • Take control of your browser to download malicious code or ransomware
Common ways attackers disguise malicious links:

  • Shortened URLs: Attackers can shorten a malicious URL to hide its true destination. The user sees less information about where they are being directed and is therefore more likely to click. For example: https://bit.ly/3i0Myc2
  • Number-based links: Attackers can use URLs that consist only of numbers, i.e. direct IP addresses, to hide malicious sites. For example:
  • URL look-alikes: Attackers can use URLs that are close to those of real websites, hoping that the user will not notice the difference between the malicious URL and the real one. For example: walmart.com vs walrnart.com
  • Hyphens: Attackers will use domain names that contain brand names but are hyphenated. This often goes unnoticed by the user and leaves them vulnerable to an attack. For example: https://ama-zon.com/
  • Read between the dots: read the domain name before opening a link! If you don't recognize the link, don't open it. For example: https://ama.zon.com
Before clicking a link:

  • Only click on a link if you are expecting it, such as an order confirmation.
  • If the email requests action for an account, log into your account from a URL you trust to see if action is needed.
  • Hover over the link to preview it before clicking, and examine the URL for suspicious characteristics.
  • Use a search engine to verify that the domain shown is the correct domain for the website the email is leading you to.

Avoiding Dangerous Attachments

  • By opening a malicious attachment, you risk having malware installed on your computer without your knowledge.
  • The malware can enable attackers to access, control, and record information stored on your device.
  • Some malware will even scan your device for email addresses and send the infected message to them.
  • Malware can quickly spread through your employer’s networks via your device. This enables attackers to quickly acquire and leak sensitive or confidential data.
  • Avoid files that have extensions you are not familiar with, such as: .exe, .msi, .dmg, .pkg, .mpkg, .js, .psc1, and .csh
  • To bypass email filters, attackers will sometimes send compressed files with malicious contents. Compressed files have extensions like: .zip, .jar, .rar, .tar, .7z.
  • Microsoft Office documents: Microsoft Office documents can contain macros that act maliciously. When viewing Microsoft Office documents, do not enable macros unless you created them yourself.
  • Check the Content of the Email
    • Read the email before opening the attachment. Does the file extension match the type of content that you’re expecting given the context of the email?
  • Contact the sender about the attachment, confirming that they sent the attachment and mean for you to open it. This can protect against email spoofing.
  • Search for the topic of the email via a search engine. If the email is a scam, there could be an online discussion about it.
  • When in doubt, report the email to ITS.

Data Entry Phishing

Data Entry Phishing is the process of luring users into entering sensitive information on fake websites. Users are typically targeted for information such as:

  • Personally identifiable information (PII)
  • Account login information
  • Proprietary confidential information
  • Bank account information

Data Entry Phishing happens in three steps:

  1. Attacker sends a phishing email, asking the user to urgently click on a malicious link.
  2. User clicks the link, which leads to a website that looks real.
  3. User enters their information, giving it to the attacker.
Why data entry phishing is dangerous:

  • You can fall for the scam without realizing it. Often, once you have entered your information on the fake site, it redirects you to the real site it was imitating. This makes it harder to realize that you have given away your personal information.
  • Anti-malware programs often will not detect it, since nothing is being installed on your computer.
  • When attackers gain credentials for an organization's systems, they can put the whole organization's data at risk of being stolen.
How to avoid it:

  • Be cautious of emails that ask you to click a link or enter your personal information or credentials. Credible businesses rarely ask for your personal information or ask you to click a link in an email to reactivate an account.
  • Pay attention to the link and look for signs that the website is a phishing website. These signs include:
    • The URL not starting with https. A URL starting with https means that the data going between the website and your computer is encrypted. While attackers can also use https, a website asking for sensitive information without using https is immediately suspicious.
    • The URL not being correct for the company or service you are attempting to access. For example: wolmart.com or wal-mart.com vs walmart.com
    • The website containing errors or threatening language. While many phishing websites are very convincing, telltale signs include poor grammar or threatening language, blurry logos or images, and layout/styling errors.
  • If a site or email looks like it could be malicious, ask for help. You can ask a colleague or submit a ticket to ITS if you feel that you may be at risk.
If you have entered information on a phishing site:

  • Immediately report the incident to ITS.
  • If you have provided banking information, contact your financial institution.
  • Change any passwords you may have revealed.
  • Monitor the affected account for any signs of identity theft.
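As an added example that is not part of the original page, the following Python function applies the link checks from the Avoiding Dangerous Links section (IP-address hosts, shorteners, look-alikes, hyphenated and dot-split brand names) together with the https check from this section, and returns the warning signs it finds in a URL. The brand, shortener and homoglyph tables are constructed for the example, and it assumes the registered domain is simply the last two labels of the hostname, which is a simplification.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed tables for this example; a real deployment would use curated feeds.
KNOWN_BRANDS = ("walmart", "amazon")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}   # look-alike letter swaps

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats (wolmart)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_url(url: str, expect_https: bool = False) -> list[str]:
    """Return the suspicious traits this page lists that the URL exhibits."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if expect_https and parts.scheme != "https":
        warnings.append("not https")
    try:
        ipaddress.ip_address(host)          # number-based link
        return warnings + ["host is a bare IP address"]
    except ValueError:
        pass
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    domain = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) >= 2 else host
    if domain in SHORTENERS:
        warnings.append("shortened URL hides the real destination")
    squashed = host.replace(".", "").replace("-", "")   # ama.zon.com -> amazoncom
    for brand in KNOWN_BRANDS:
        if sld == brand:
            continue                          # the genuine brand domain
        fixed = sld
        for fake, real in HOMOGLYPHS.items():  # walrnart -> walmart
            fixed = fixed.replace(fake, real)
        if fixed == brand or edit_distance(sld, brand) == 1:
            warnings.append(f"look-alike of {brand}: {domain}")
        elif brand in squashed:              # brand split by dots or hyphens, or used as a subdomain
            warnings.append(f"'{brand}' appears in {host} but the registered domain is {domain}")
    return warnings
```

An empty list means none of the listed traits were found, not that the link is safe; the checks are a screening aid, and the advice above (hover, verify the domain, log in from a trusted URL) still applies.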

More Resources

DO REPORT an email phishing attempt immediately to Google

If you are using the UCSC Gmail web interface:

  • Open the message in Gmail (in your web browser)
  • Click the three vertical dots ' ⋮ ' next to reply
  • Choose 'Report phishing'

More on Gmail

  • Google Phishing Quiz: Google has published a fun, informative quiz to test if you can spot when you're being phished.
  • OpenDNS Phishing Quiz: OpenDNS has published an effective quiz to help you differentiate between phishing websites and legitimate websites.

For examples of email phishing scams that are being sent to UCSC staff, faculty, and students, see the Phish Bowl.