Photo illustration showing a fishing hook on a computer keyboard
University of Iowa students, faculty, and staff are frequent targets for phishing scams that aim to steal passwords and other sensitive info. But most phishing emails are easy to avoid if you know how to spot a few red flags.
Sunday, March 31, 2019 - 11:27am

Presenting some of the most blatant and most devious email phishing scams—and what you can do to avoid them

The University of Iowa email system receives more than 2.5 million messages per day, but about 69 percent of them never reach inboxes. Screening tools flag them as spam or scams. They’re discarded before they can do harm.

But some deceptive and dangerous emails manage to slip through, including phishing messages that aim to steal passwords, account numbers, or other sensitive info. 

Some of these messages come from email accounts already compromised by phishing attacks. They can look like legitimate emails claiming to be from university offices or even people you know.

Most phishing emails, however, include telltale signs. Here are 10 examples of recent phishing attacks and the red flags that give them away. 


1. Your basic phish

Email claiming recipients account will close and data be deleted unless a link is clicked.


The blandest messages can be the most insidious. This example shows perhaps the most common type of phishing email sent to students, faculty, and staff—the “account-closure” notice.

  1. Many phishing emails claim to be from the ITS Help Desk. Unlike this phish, real Help Desk messages use specific subject lines, provide clear instructions, and—most importantly—avoid suspicious links like the one shown in this example.
  2. Virtually any email that threatens to close your account or delete your data is a phishing attack. If you’re legitimately concerned, call the alleged sender and inquire. Don’t click any links in these messages.
  3. URLs in real Help Desk messages are frequently spelled out, not hidden behind phrases like “click here.” Hovering over a link will reveal where it actually points.

2. “Your naked picture was just leaked!”

Email claiming that recipient's picture was posted online and requesting a link click for confirmation.


It’s easy to laugh at this phish, but also easy to imagine folks clicking the malicious link out of genuine concern or sheer curiosity. Here are a few signs the message is fake:

  1. The alarmist subject line reads like clear clickbait.
  2. The university logo is a sloppy copy-and-paste job.
  3. Were you to hover over the linked text, you’d see it points to a suspicious URL, not a page as claimed.
  4. The signature is all caps save for the final “k”—again, sloppy.
  5. The ITS logo and contact info may look legit, but the formatting seems off.

3. Could you be more vague?

Email asking recipient to click a link and download a study guide.


Most phishers don’t bother to get too specific—they’re emailing thousands of addresses hoping just a few click. This message is a classic example of the ultra-vague:

  1. “Very important”—if the subject were really important, wouldn’t the sender at least hint what it was?
  2. For a brief message, this one includes an awful lot of grammar and punctuation errors, hallmarks of phishing.


4. Voice note? More like voice NOT.

Email asking recipient to download a voice recording file.


Phishers regularly try to mimic popular services, with mixed results. A few clues that show this one’s a scam:

  1. If you regularly get voice notes in your email, you might be tempted to give this a look. If you don’t, delete without pause. (One thing’s for sure: You never get voice notes from the ITS Help Desk.)
  2. Phishers believe no one reads the fine print, so they sometimes use official-looking text from other businesses or organizations (Champion System actually makes athletic apparel).
  3. This message uses the same sloppy signature as the “naked picture” email above. 


5. Unhappy new year

Email asking recipient to upgrade their email service by clicking a link.


The timing makes this phish especially nasty—it began hitting campus inboxes just around the start of the semester:

  1. The “welcome back” message might have been enough to fool some recipients. Systems do sometimes change during the breaks between semesters.
  2. But the looming threat—“your account will be deactivated”—is a sign that something’s up. Claiming something bad will happen if you don’t click now is a standard phishing tactic.
  3. This email’s author seems to have lost all interest in capitalization and punctuation.
  4. Another slightly legit-looking but poorly formatted signature!


6. Tax time

Email asking recipient to click a link and provide tax info.


Another phishing message that capitalizes on the calendar—this time, it’s tax-preparation season.

  1. The subject line includes a [UnivAdm] tag. Tagging can help you filter or classify your messages, but never assume that the presence (or absence) of a tag means a message is safe.
  2. University offices use considerable care when dealing with tax or other financial information. If a financial matter requires your attention, you’ll be asked to contact an office or securely log in to Employee Self-Service of MyUI — not to click an email link.


7. Double trouble

Email asking recipient to click a link and receive package delivery instructions.


This message claims to be from DHL…or maybe the university…or maybe both.

  1. The attempted affiliation with two real organizations—with logos and images from both—is the biggest red flag. Something seems wrong, especially once you read the message.
  2. This phish tells you it’s going to ask for a sign-in once you click the link. Phishing emails often point you to a bogus web page set up to capture login credentials or other info.
  3. As usual, the overall grammar, punctuation, and fine print are garbled.


8. You’re not DocuSign!

Email asking recipient to click a link and sign a document.


This fake DocuSign notification might look valid. Recipients familiar with the service may notice that the subject line and graphic seem off, but even they might click the link. The biggest tell is the URL behind the message.

  1. Hover over a link (or press and hold on mobile) to see the real address behind it appears. Phishing emails commonly obscure URLs that point to suspicious-looking domains, so checking every link before clicking will help you stay safe.


9. There will be a penalty

Email asking user to verify payment by clicking a link or risk losing email access.


This phish adopts the tried and true tactic of the vague threat. Many phishing attempts look and read very much like this.

  1. By coupling improper “payment activities” with disrupted “email access,” this email hits two common anxieties. It seems too bad to be true.
  2. Your basic empty threat, both poorly worded and imprecise. It might look like they’re barely trying, but even obvious phishing emails snag unsuspecting victims.


10. Ka-ching!

Email asking recipient to click a link and get a refund.


This phish takes the opposite approach, dangling a reward instead of threatening a penalty.

  1. Like other legitimate organizations, the university doesn’t send out emails promising refunds. 
  2. The university no longer has a “Bursar Account Management” office. Receive a suspicious email supposedly from a UI office? Look up the office and give them a call—chances are, they’ll immediately expose the email as a fake.


Protect yourself and others

Phishing is a serious threat. While some fake messages may seem obvious, even ridiculous, they can easily slip past anyone who is new to the university, skimming email, or learning English. 

And other attacks—including “spearphishing” messages that target specific individuals with access to sensitive data—can be very convincing.

Protect yourself and others by scrutinizing every email you receive, especially those that:

  • Ask you to click a link or open a file
  • Suggest negative consequences—account closure, data loss, etc.—if you don’t act
  • Include spelling, grammar, or formatting errors
  • Deal with anything related to finances, student or patient data, or other sensitive topics

Remember, if a message feels like phishing, it probably is. Trust your instincts and when in doubt, delete.

Find other recent phishing examples, complete phishing prevention tips, and instructions for reporting phishing scams on the ITS website.