Catching Malicious Emails (DePaul University Information Services, Security > Protect Yourself)

Phishing

Many users receive a variety of unsolicited commercial e-mail (also known as "spam") in their offices or at home. While people don't always like getting spam, much of it has a legitimate business purpose. Unsolicited e-mails, however, are often the initial means for criminals, such as operators of fraudulent schemes, to contact and solicit prospective victims for money, or to commit identity theft by deceiving them into sharing bank and financial account information.

This is called phishing - the attempt to gain confidential or sensitive information by social engineering via email.

Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy Web sites. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and AOL. A phishing expedition, like the fishing expedition it's named for, is a speculative venture: the phisher puts out the lure hoping to fool at least a few of the prey that encounter the bait.

Email Best Practices:

  1. Be vigilant. If it looks suspicious, it most likely is.
  2. Ask for help. If you are not sure an email is legitimate, contact the company by phone or contact your administrator/help desk.
  3. Don't click on links. Be very wary of the links included in emails. Links in phishing emails will not lead to the site you think they do. Example: If you get an email that is supposedly from your bank with a link, don't click the link; instead, log in to your bank account from a web browser or call your bank to confirm the email is legitimate.
  4. Don't download attachments. Attachments may contain any number of things, including malware such as viruses, worms, and trojans.
  5. Did I request this email, or do I have any connection to this company? A big tell that an email may be malicious is that it has nothing to do with you. Example: an email from a bank you don't belong to, or one requesting information that you don't have.

Spotting a malicious email/phishing attempt:
Start by heading over to Microsoft - they have a good example of how to spot a phishing email.
https://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

Here is an interesting quiz from OpenDNS - it tests your ability to spot a phishing website and at the end will show you the giveaways for each site that is not real.
https://www.opendns.com/phishing-quiz/

Here are some more sites that may help you identify phishing attempts with ease.
http://www.zonealarm.com/blog/2014/07/7-ways-to-spot-a-phishing-scam/
http://www.techrepublic.com/blog/10-things/10-tips-for-spotting-a-phishing-email/
https://www.tdameritrade.com/security/online-threats/phishing.page

Example:

Phishing email. Phishing clues:

  • Note that the sender is from an unrelated entity.
  • DePaul will only send emails from depaul.edu accounts.
  • A Google Docs form is used to collect credentials.

Date:  Mon, 3 Jun 2013 20:53:18 +0530
From:  Curt Brown
To:  undisclosed-recipients:;
Subject:  Upgrade Alert

You have exceeded your mail.depaul.edu quota limit of 500MB and you need to expand the mail.depaul.edu quota before the next 48 hours. If you have not updated your mail.depaul.edu account in 2013, you must do it now. You can expand to 10GB mail.depaul.edu quota limit. Click on the link below to upgrade your account: hxxps://docs.google.com/forms/d/12VQ7gktR2J18HvWdTj_GhogZ5a1RVeH9ShGTi8_zhwk/viewform Thanks for your understanding.
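The clues listed above (sender from an unrelated domain, bulk mailing to undisclosed recipients, quota/deadline pressure, a hosted form or an outside link standing in for a login page) can be checked mechanically. The script below is an added example and is not DePaul's own tooling; it assumes that depaul.edu is the only legitimate sending domain, as the clue list states, and the three sample messages, including their sender addresses, the Google Docs form id and the link hosts, are constructed stand-ins rather than the real message quoted above.

```python
"""Check an e-mail for the phishing clues described on this page.

Added example, not DePaul's tooling. Assumptions: depaul.edu is the only
trusted sending domain; all sample addresses, hosts and the form id are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"depaul.edu"}               # assumption: the only legitimate sender domain
FORM_HOSTS = {"docs.google.com", "forms.gle"}  # hosted forms used to harvest credentials
URGENCY_PHRASES = ("exceeded your", "quota", "48 hours",
                   "you must do it now", "upgrade your account")

# Live (http/https) and defanged (hxxp/hxxps) URLs; group 1 is the host part.
URL_RE = re.compile(r'\bh(?:tt|xx)ps?://([^/\s"\'<>]+)[^\s"\'<>]*', re.IGNORECASE)
# <a href="...">visible text</a> in HTML bodies.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def _host(text):
    """Lower-cased host of the first URL in text, or '' if there is none."""
    m = URL_RE.search(text)
    return m.group(1).lower() if m else ""


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _bodies(msg):
    """Decode the text/plain and text/html parts into two strings."""
    plain, html = [], []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        (plain if ctype == "text/plain" else html).append(text)
    return "\n".join(plain), "\n".join(html)


def phishing_clues(raw_message):
    """Return human-readable clues; an empty list means none fired, not that it is safe."""
    msg = message_from_string(raw_message)
    clues = []
    # Clue: sender belongs to an unrelated entity.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if not _is_trusted(sender_domain):
        clues.append(f"sender domain '{sender_domain or '(none)'}' is not a trusted domain")
    # Clue: bulk mailing that hides the recipient list.
    if "undisclosed-recipients" in msg.get("To", "").lower():
        clues.append("sent to undisclosed recipients")
    plain, html = _bodies(msg)
    body = plain + "\n" + html
    # Clue: pressure language (quota exceeded, act within 48 hours, ...).
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        clues.append("urgency language: " + ", ".join(hits))
    # Clue: links to hosted forms or to hosts outside the institution.
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        if host in FORM_HOSTS:
            clues.append(f"link to a hosted form on {host}")
        elif not _is_trusted(host):
            clues.append(f"link to external host {host}")
    # Clue: HTML link whose visible text names a different host than its target.
    for href, text in ANCHOR_RE.findall(html):
        shown, target = _host(text), _host(href)
        if shown and target and shown != target:
            clues.append(f"link text shows {shown} but points to {target}")
    return clues


# Constructed sample modelled on the page's example (address and form id are placeholders).
PHISH_SAMPLE = """\
Date: Mon, 3 Jun 2013 20:53:18 +0530
From: Curt Brown <curt.brown@example.net>
To: undisclosed-recipients:;
Subject: Upgrade Alert

You have exceeded your mail.depaul.edu quota limit of 500MB and you need to
expand the quota before the next 48 hours. You must do it now. Click on the
link below to upgrade your account:
hxxps://docs.google.com/forms/d/PLACEHOLDER_FORM_ID/viewform
"""

# Constructed HTML sample: the visible link text and the real target disagree.
HTML_SAMPLE = """\
From: Account Services <alerts@example.net>
To: student@depaul.edu
Subject: Verify your mailbox
Content-Type: text/html

<p>Please verify at <a href="hxxps://login.example.net/verify">https://mail.depaul.edu/verify</a></p>
"""

# Constructed benign sample from the trusted domain with no links or pressure.
LEGIT_SAMPLE = """\
From: IS Help Desk <helpdesk@depaul.edu>
To: student@depaul.edu
Subject: Scheduled maintenance

Campus mail will be unavailable Saturday 02:00-04:00 for maintenance.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("html", HTML_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_clues(raw) or ["no clues fired"])
```

The checks are deliberately conservative: an empty result only means that none of this page's indicators appeared, so the human rules above (verify by phone, log in from your own bookmark rather than the link) still apply to any message that asks for credentials.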