Friday, October 11, 2024

Email phishing scams remain an effective tactic for cybercriminals looking to steal passwords and other sensitive info. Universities like Iowa are among the most tempting targets for scammers, making phishing one of the most common security threats we face.

The university’s security systems catch many phishing messages before they reach your inbox, but a few creep through. The most sophisticated phishing emails look like legitimate messages from services you use, businesses you patronize, or even people you know.

Phishing red flags

Phishing messages used to look sloppy, riddled with spelling errors and other telltale signs. Today’s phishing attacks can be much more polished. They might emulate the design of real messages you receive or point you to websites that look authentic.

Even when an email looks and sounds real, the content—especially the action it encourages you to take—can signal a scam. Look out for these characteristics:

  • Requests to provide log-in credentials or reset your password: Never provide your login name or password—legitimate organizations will not request this or other sensitive info. Don’t respond to password-change requests you didn’t initiate.
  • Suspicious email addresses: Check to make sure email addresses match the name of the sender shown on the email.
  • Urgent language: Don’t fall for messages that demand you take immediate action. Relatedly, beware of fake “invoices” that claim you’ll be charged for a service you didn’t purchase—these are almost always phishing messages.
  • Links or attachments you didn’t expect: When an email asks you to visit a site or service you use, navigate there directly in your web browser rather than clicking a link. Likewise, don’t open attachments you aren’t expecting.

Dealing with suspicious emails

Trust your instincts. If an email seems suspicious, it’s probably a phishing attack. Follow these steps to protect yourself and your account:

  1. Verify the sender: Check the “from” email address for subtle misspellings or a domain that seems unfamiliar or doesn't match the purported sender’s organization. (Note: The domain is the information that follows the @ sign in an email address, like uiowa.edu.)
  2. Look for urgent or threatening language: Examples include “immediate action required” or “your account will be locked.”
  3. Hover over links: To avoid clicking suspicious links, hover your cursor over them to reveal their actual destinations. Here again, look for domains that seem suspicious.
  4. Report the email: Forward suspicious messages to your local IT support, help desk, or security team. See more information about reporting phishing.
  5. Delete the email: Once reported, delete the message and empty your trash folder to avoid accidental clicks later.
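
For IT staff who triage reported messages, steps 1 through 3 can be expressed as a small script. This is an added example, not a university tool: the sample message, the .example domains, and the names red_flags, host_in and LinkCollector are constructed for illustration, and it assumes the message claims to come from uiowa.edu.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENT = ("immediate action required", "your account will be locked")  # quoted in step 2

# Constructed sample message; the .example domains are placeholders.
SAMPLE = """\
From: "University Help Desk" <helpdesk@uiowa-support.example>
Subject: Password expiring
Content-Type: text/html

<p>Immediate action required: your account will be locked today.</p>
<a href="http://login.uiowa.edu.account-verify.example/reset">uiowa.edu password page</a>
"""

class LinkCollector(HTMLParser):
    """Collect the real destination (href) of every <a> tag, as hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_in(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw, expected_domain="uiowa.edu"):
    """Return a list of red flags; expected_domain is an assumption about the claimed sender."""
    msg = message_from_string(raw)
    flags = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not host_in(sender_domain, expected_domain):
        flags.append("sender domain: " + sender_domain)
    body = msg.get_payload()
    text = " ".join(body.lower().split())
    flags += ["urgent language: " + p for p in URGENT if p in text]
    collector = LinkCollector()
    collector.feed(body)
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if not host_in(host, expected_domain):
            flags.append("link destination: " + str(host))
    return flags
```

Calling red_flags(SAMPLE) reports the mismatched sender domain, both urgent phrases, and the link whose host only contains "uiowa.edu" as a prefix: the domain that matters is the one at the end of the host name.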

Staying vigilant, looking for red flags, and dealing with suspicious messages properly can protect you from phishing scams and safeguard both personal and university information.