Report phishing

To report possible phishing attempts or junk mail, you can use the "Report Message" button within Outlook.  Please refer to this Knowledge Base article on how to use this method to report Junk or Phishing.  Reporting phishing using phishing@auburn.edu is only for cases where the button is not available (Mac mail, non-outlook mobile apps, etc.).

If you become aware of a phishing scam, you may also consider filing a complaint with the FBI through their Internet Fraud Complaint Center website or forwarding the email to the Federal Trade Commission and the company being spoofed.

What is phishing?

A malicious attempt to gain personal info

Phishing is an attempt to acquire personal information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from "Auburn University," popular social websites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by email spoofing and often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Don't become a victim of phishing attempts:

• DO NOT reply to the email with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly.
• DO NOT click a link in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser.
• DO NOT use the same password for your University account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt, the thieves will try the compromised password in as many places as they can.
• DO change ALL of your passwords if you suspect any account you have access to may be compromised.
• DO be equally cautious when reading emails on your phone. It may be easier to miss telltale signs of phishing attempts when reading the email on a smaller screen.

Auburn University will NEVER ask for your account information (username/password) or other personal information via email.

Note: Auburn University cannot be held responsible for users that fall for phishing attempts delivered through the University email system. The Office of Information Technology and Risk Management and Safety encourages you to review this information, understand its importance and become vigilant of phishing attempts.

Phish Tank

Visit our phish tank for examples of the latest threats to the Auburn community.

aub.ie/phishtank

Alarming statistics

• 156 Million phishing emails are sent globally EVERY DAY
• 16 Million of those emails make it through email filters
• 8 Million of those emails are opened
• 800,000 links in those emails are clicked
• 80,000 people fall for a scam and voluntarily give their personal information EVERY DAY
• The Microsoft Computing Safer Index Report (Feb 2014) estimated the world-wide impact of phishing scams is ~$5 Billion

Warning signs

There are often signs that can tip you off that a message may not be what it appears.

• Urgent Language - Phishing attempts often use language meant to alarm. They contain threats, urging you to take immediate action.  “You MUST click on the link below or your account will be canceled.”
• The Greeting - If the message doesn't specifically address you by name, be wary. Fake messages use general greetings like “Dear eBay Member” or “Attention Citibank Customer” or no greeting at all.
• URLs Don’t Match - Place your mouse pointer over the link in the email message. If the URL displayed in the window of your browser is not exactly the same as the text of the link provided in the message, DON'T CLICK THE LINK.  It’s probably a fake.   Sometimes the URLs do match and the URL is still a fake.  Before you click, look for other clues in the message like the use of a secure connection (SSL – https://).
• Avoid the Obvious- “Official” messages that contain misspellings, poor grammar and/or punctuation errors are dead-giveaways – assume those are fake.  And, of course, if you don’t have a Wells Fargo credit card, for example, don’t respond to a request for information for card holders!
• Request for Personal Information - If an email message asks you to provide your username, password, or bank account information by completing a form or clicking on a link within an email message, don’t do it.   Legitimate companies will never ask you to provide that kind of information in an email message.  Most legitimate messages will offer you an alternate way to respond like a phone number.

If you have or may have fallen for a phishing scam

1. Immediately change the password to the online account the phishing email was pretending to be from and to any other accounts that used the same login information.
2. Contact the IT Service Desk at (334) 844-4944 or itservicedesk@auburn.edu.
3. Run a virus scan on your system using anti-virus software.
4. If you believe you may be the victim of identity theft, visit: Federal Commission for Identity Theft
5. Forward the phishing email "as an attachment" to phishing@auburn.edu and then DELETE the message from your Inbox.
6. Regularly check your banking and credit card accounts for any unauthorized transactions that may have been initiated by the phishers.

Links and references

For avoidance tips, more info and examples try these sites:

• Amazon: "This Email from Amazon?"
• Anti-Phishing.org
• Apple: "Identifying fraudulent 'phishing' email"
• FBI: "Spear Phishers"
• Google: "Unwanted or suspicious mail"
• Microsoft: "How to recognize phishing email messages, links, or phone calls"
• OnGuard Online.gov
• PayPal: "Your Guide to Phishing"
• Scam Busters