What are phishing scams and how can I avoid them?

Phishing explained

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., a passphrase, a credit card number, or other account details). The perpetrators then use this private information to commit identity theft or to take over the account.

One type of phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to "click here" to verify your information. See an example below.

Phishing scams are crude social engineering tools designed to induce panic in the reader. They try to trick recipients into responding or clicking immediately by claiming they will lose something (e.g., email or bank account access) if they do not act. Treat such a claim as a strong indicator of phishing: responsible companies and organizations do not demand credentials or personal information by email under threat of closing an account.

Specific types of phishing

Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker's objective. Several distinct types of phishing have emerged.

Spear phishing

Phishing attacks directed at specific individuals, roles, or organizations are referred to as "spear phishing". Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

The best defense against spear phishing is to discard carefully and securely any information (e.g., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easy to obtain (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone, especially requests that rely on such details to sound plausible.


The term "whaling" is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.

Avoiding phishing scams

Indiana University and other reputable organizations will never use email to request that you reply with your passphrase, Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, whether through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company's website (i.e., type the real URL into your browser yourself rather than following the link) or contact the company to see if you really do need to take the action described in the email message.

When you recognize a phishing message, delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the websites it points to.

Always read your email as plain text.

For help, see Microsoft Support.

Phishing messages often contain clickable images or link text that look legitimate; by reading messages in plain text, you see the actual URL behind each image or link rather than what the sender chose to display. Rendering HTML also lets a message load remote content (which tells the sender your address is live) and, in a mail client that allows active content, lets an attacker run code, which leaves your computer vulnerable to viruses, worms, and Trojans.

To learn more about guarding against phishing scams, see the following videos.

To view the lynda.com videos, you will need to log in with your IU credentials. If you have not logged into lynda.com before, go to https://ittraining.iu.edu/lynda/, click Go to lynda.com, and then sign in with your IU Network ID username and passphrase.


Reading email as plain text is a general best practice that defeats some phishing attempts but not all of them. Some legitimate sites expose redirect scripts that forward the browser to whatever URL is supplied in a parameter without checking it (an open redirect). A phishing link can therefore begin with a trusted domain, which is exactly what the plain-text view shows you, and still land on the attacker's fake site.

Another tactic is the homograph attack: because modern browsers support Internationalized Domain Names (IDN), an attacker can register a domain that mixes characters from other scripts (for example a Cyrillic "а" in place of a Latin "a") and obtain a URL that looks nearly identical to the authentic one in the address bar. See Don't Trust Your Eyes or URLs.
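The following script is an added example and is not code from the IU Knowledge Base; it does for an HTML mail body what reading in plain text does for a human, and then applies the two caveats above. It lists every link with its visible text and real target, flags clickable images with no visible URL, flags link text that names a different domain than the href, spots the open-redirect pattern (a full URL carried in a query parameter of a trusted host) and flags punycode or mixed-script (homograph) host names. TRUSTED_DOMAINS and SAMPLE_HTML are constructed for the example; the "last two labels" domain check is a deliberate simplification of a public-suffix lookup.

```python
"""Added example, not code from the IU Knowledge Base article: pull every link
out of an HTML mail body and flag the tricks described above. TRUSTED_DOMAINS
and SAMPLE_HTML are constructed for this example."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical institution domain; in practice load your own list.
TRUSTED_DOMAINS = {"university.example"}

# Something in the visible link text that looks like a host name.
DOMAIN_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs, which is what plain-text view exposes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag == "img" and self._href is not None:
            self._text.append("[image]")  # a clickable image shows no URL at all

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._text), self._href))
            self._href = None


def registrable(host):
    """Last two labels of a host. Crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_trusted(host):
    return registrable(host) in TRUSTED_DOMAINS


def redirect_target(url):
    """Return a full URL carried in a query parameter (the open-redirect pattern)."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def homograph_suspicious(host):
    """Punycode label, or letters from more than one script (e.g. a Cyrillic letter)."""
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        return True
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    return len(scripts) > 1


def analyse(html):
    """Return one finding dict per link in the body, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlsplit(href).hostname or ""
        issues = []
        if "[image]" in text:
            issues.append("image link")
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            issues.append("text/href mismatch")
        target = redirect_target(href)
        if target and is_trusted(host) and not is_trusted(urlsplit(target).hostname or ""):
            issues.append("open redirect")
        if homograph_suspicious(host):
            issues.append("homograph domain")
        findings.append({"text": text, "href": href, "host": host,
                         "redirect_to": target, "issues": issues})
    return findings


# Constructed sample body: a button image that hops through a trusted host,
# a clean link, a Cyrillic-е lookalike domain, and link text that lies about its target.
SAMPLE_HTML = (
    '<p>Dear Webmail Subscriber,</p>'
    '<a href="https://portal.university.example/go?url=http%3A%2F%2Fwebmail-verify.example.net%2F">'
    '<img src="cid:verify.png"></a>'
    '<p>Or visit <a href="https://www.university.example/">https://www.university.example/</a></p>'
    '<p><a href="https://univ\u0435rsity.example/">university.example</a></p>'
    '<p><a href="https://secure-update.example.net/">https://www.university.example/verify</a></p>'
)

if __name__ == "__main__":
    for f in analyse(SAMPLE_HTML):
        print(f"{f['text']!r:45} -> {f['host']:30} {', '.join(f['issues']) or 'ok'}")
```

Run it on a saved .html body (or the HTML part of a raw message) to get the same table a plain-text view gives you, plus the warnings. The mixed-script check is intentionally strict: a genuinely non-Latin domain is all one script and passes, while a Latin name with one substituted letter does not.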

Reporting phishing attempts

  • If the phishing attempt targets IU in any way (e.g., asks for IU Webmail users to "verify their accounts", includes a malicious PDF directed to university human resources, or impersonates IU or UITS), forward it with full headers to the University Information Security Office (UISO) at phishing@iu.edu.

    For instructions on displaying and sending full headers, see How do I display and send the full headers of an email message?

    The UISO can take action only if the message originated from within IU or targets the university. All other spam should be reported to the appropriate authority below. If the message did originate from within IU, see What should I do when I get spam email?
  • You can report a phishing scam attempt to the company that is being spoofed.
  • You can also send reports to the Federal Trade Commission (FTC).
  • Depending on where you live, some local authorities also accept phishing scam reports.
  • Finally, you can send details to the Anti-Phishing Working Group, which is building a database of common scams to which people can refer.

For more about phishing scams, see Email & Phishing Scams.

If you've fallen for a phishing scam

For specifics about what to do if you're a victim of a phishing scam, see Email & Phishing Scams.

Example of a phishing scam

The following phishing scam was targeted at IU Webmail users:


From: "INDIANA.EDU SUPPORT TEAM" <supportteam01@indiana.edu>
Reply-To: "INDIANA.EDU SUPPORT TEAM" <spupportteam@info.lt>
Date: Sat, 12 Jul 2008 17:42:05 -0400
To: <"Undisclosed-Recipient:;"@iocaine.uits.indiana.edu>

Dear INDIANA.EDU Webmail Subscriber

This mail is to inform all our {INDIANA.EDU} webmail users that we
will be maintaining and upgrading our website in a couple of days from
now.As a Subscriber you are required to send us your Email account
details to enable us know if you are still making use of your
mailbox. Be informed that we will be deleting all mail account that is
not functioning to enable us create more space for new students and
staffs of the school, You are to send your mail account details which
are as follows:

*User Name:
*Date of birth:

Failure to do this will immediately render your email address deactivated from our database.

Thank you for using INDIANA.EDU
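Two things in that sample are visible only in the headers: the Reply-To points to a different domain (info.lt) than the From claims (indiana.edu), and there are no Received lines at all, so the origin cannot be checked. The script below is an added example, not code from the IU Knowledge Base, showing the triage checks a responder can run on a forwarded message: From/Reply-To domain mismatch, presence of full headers, the earliest Received hop versus the claimed sending domain, a display name that impersonates the institution, and urgency wording in the body. SAMPLE_RAW is a constructed copy of the message above with the body shortened; SAMPLE_FULL, the trusted domain and the urgency word list are assumptions for the example, and the body check assumes a single-part text message.

```python
"""Added example, not from the IU Knowledge Base article: header triage for a
reported phishing message. Samples and the trusted domain are constructed."""
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "indiana.edu"  # assumption for the example
URGENCY_WORDS = ("deactivated", "deleted", "immediately", "suspend", "verify")
RECEIVED_FROM = re.compile(r"^from\s+([^\s(]+)", re.IGNORECASE)


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    received = msg.get_all("Received") or []
    if not received:
        findings.append("no Received headers: message was not forwarded with full headers")
    else:
        # Received lines are prepended by each relay, so the last one is the earliest hop.
        hop = RECEIVED_FROM.match(received[-1].strip())
        if hop and from_domain == TRUSTED_DOMAIN and not hop.group(1).lower().endswith(TRUSTED_DOMAIN):
            findings.append(f"From claims {from_domain} but earliest hop was {hop.group(1)}")

    display_name, _ = parseaddr(msg.get("From") or "")
    if TRUSTED_DOMAIN in display_name.lower() and from_domain != TRUSTED_DOMAIN:
        findings.append(f"display name impersonates {TRUSTED_DOMAIN}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed copy of the message quoted above, headers as reported, body shortened.
SAMPLE_RAW = """\
From: "INDIANA.EDU SUPPORT TEAM" <supportteam01@indiana.edu>
Reply-To: "INDIANA.EDU SUPPORT TEAM" <spupportteam@info.lt>
Date: Sat, 12 Jul 2008 17:42:05 -0400
To: <"Undisclosed-Recipient:;"@iocaine.uits.indiana.edu>
Subject: INDIANA.EDU Webmail upgrade

Dear INDIANA.EDU Webmail Subscriber

Failure to do this will immediately render your email address deactivated
from our database.
"""

# Constructed message with full headers: the From claims the trusted domain,
# but the earliest relay is an outside host.
SAMPLE_FULL = """\
Received: from mx1.indiana.example (mx1.indiana.example [192.0.2.10])
	by webmail.indiana.example with ESMTP; Sat, 12 Jul 2008 17:42:10 -0400
Received: from relay.example.net (relay.example.net [198.51.100.7])
	by mx1.indiana.example with ESMTP; Sat, 12 Jul 2008 17:42:08 -0400
From: "INDIANA.EDU SUPPORT TEAM" <supportteam01@indiana.edu>
To: undisclosed-recipients:;
Subject: account verify

Verify now or your account will be deleted.
"""

if __name__ == "__main__":
    for label, raw in (("quoted sample", SAMPLE_RAW), ("full headers", SAMPLE_FULL)):
        print(label)
        for finding in triage(raw):
            print("  -", finding)
```

Feed it the message saved as raw source (the "full headers" view), not a copy pasted from the reading pane; the difference is exactly the Received chain this script needs for the origin check.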


This is document arsf in the Knowledge Base.
Last modified on 2015-08-18.
