What to Know About Phishing

Phishing is a type of email scam often associated with "spam" (unsolicited mass emails, usually trying to sell something). However, with phishing scams, cyberthieves send emails that impersonate companies (often financial), service desks, or people that you already know and trust. The goal of phishing is to do one or both of these things:

  • Steal your personal information by tricking you into revealing your account name and/or password, PIN, or other sensitive information
  • Install malicious software (malware or virus) on your computer that can spy on you, capture your saved or stored information, or destroy your files

Columbia students, faculty and staff may receive emails that look legitimate and appear to come from trusted sources like "CUIT Service Desk", "MyColumbia" or "President Bollinger", asking the recipient to click on a link to "verify your account." Official emails from Columbia University will never ask you to follow a link and enter your UNI and password. If in doubt, please contact the CUIT Service Desk at 212-854-1919.

CUIT carefully maintains spam filters that prevent most unsolicited mass emails from reaching Columbia inboxes; however, phishing scams are more likely to pass through the filters because they are designed to look very legitimate to scanning software. CUIT also blocks most viruses from reaching your account by filtering out emails that contain executables (files that may look like links but actually install a program when you click on them) and "zipped" attachments. But this does not protect you from malware that is installed when you click on an email link and browse to an infected site. Please forward any suspected spam messages you receive with full headers to spam@columbia.edu. If you think you have clicked a phishing link, please contact the CUIT Service Desk immediately at 212-854-1919.

Clues to identifying phishing emails:

  • Poor spelling and bad grammar: Respected institutions usually have teams focused on producing top-quality emails.
  • Links: A phishing link may lead you to a website asking you to log in to verify your identity, or it might actually download malicious software when clicked. DO NOT click any links in suspicious-looking emails. Instead, navigate to the company's official website using a search engine (Google, Bing, Yahoo, etc.) and log in to your account securely from there. Most companies (especially financial) will never ask you to verify or log in to your account by following a link in an email, and will instead send a secure message to your online account inbox.
  • Threats or urgent warnings: Many cybercriminals try to scare you into "verifying your account" so you do not act with caution. It is best to contact the company directly through their official contact information to determine if your account has been compromised.
  • Slight alterations of well-known company names: Often phishing emails will use a "from" email address that seems official, but is actually a spoof of the official name. For example, paypal-service@notifcation.accountsupport.com or president@colurnbia.edu (in this case, the "r" and "n" are used to impersonate the "m" in Columbia). Look closely at the email address the message is sent from, and if it is overly complex, proceed with caution.
  • Your name isn't used: Phishing emails are often sent in mass batches to large groups without addressing anyone by name. Trusted institutions will usually use your first and/or last name in the body of the email.
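
The "slight alterations" clue can also be checked automatically at a mail gateway or in a triage script. The following is an added example, not CUIT's own tooling: it classifies a From header against a sample allow-list, and the allow-list, the small look-alike table and the last-two-labels domain rule are all assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: a sample allow-list of real sending domains; adjust for your own.
TRUSTED = {"columbia.edu", "paypal.com"}
# Constructed, deliberately small table of look-alike substitutions.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(text):
    """Collapse look-alike character sequences to one canonical form."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def registrable(domain):
    """Naive last-two-labels approximation (assumption: no public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'brand-in-untrusted' or 'unknown'."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    base = registrable(domain)
    if base in TRUSTED:
        return "trusted"
    # Same skeleton as a trusted domain, but not that domain: a look-alike.
    if skeleton(base) in {skeleton(t) for t in TRUSTED}:
        return "lookalike"
    # A trusted brand name used in the local part or under another domain.
    brands = {t.split(".")[0] for t in TRUSTED}
    if any(b in skeleton(local) or b in skeleton(domain) for b in brands):
        return "brand-in-untrusted"
    return "unknown"
```

Both addresses quoted in the list above are caught: president@colurnbia.edu is reported as a look-alike, and paypal-service@notifcation.accountsupport.com as a brand name under an untrusted domain.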

[Image: secure padlock located to the left of the URL in a web browser]

It's a good practice to look at all emails and websites suspiciously, but of course you need to visit websites. Here are some guidelines for determining whether a website is official and can be trusted.

Tips for identifying legitimate websites:

  • Look for the secure padlock: Chrome, Safari, Internet Explorer and Firefox browsers display a padlock in the URL field to indicate "safe" websites. You can click on the padlock to confirm that the certificate belongs to the same company as the website you are trying to visit.
  • Check if it is authenticated (HTTP Secure): Authenticated websites begin with https:// instead of http://. Most illegitimate sites do not bother getting security certification because they are shut down quickly. Confirming the https:// is especially important on pages where you submit payment information.
  • Use a search engine: Google, Bing and other search engines will compile the highest-trafficked sites near the top of the results list, and these are normally the official company sites.
  • Hover over links: Use your mouse to hover over ("mouse over") a website link to view the underlying URL (it will be displayed at the bottom of your browser). Even links that are labeled as URLs can send you to another place entirely, but when you hover over the link, the true destination URL will always be displayed at the bottom of your browser.
  • Open the Google Transparency Report webpage: You can quickly check a website's address using this service to see its safety rating from Google.
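
The "hover over links" check, done in code over an HTML email body. This is an added example and not part of the original page: it lists links whose visible label looks like a URL but names a different host than the real destination, and the sample message and its hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(text):
    """Host part of a URL-looking string, or '' if it does not look like one."""
    if " " in text or "." not in text:
        return ""
    url = text if "://" in text else "//" + text
    return (urlsplit(url).hostname or "").lower()

def mismatched_links(html_body):
    """Links whose label names one host while the href goes to another."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for label, href in parser.links:
        shown, actual = host_of(label), host_of(href)
        if shown and actual and shown != actual:
            flagged.append((label, href))
    return flagged

# Constructed sample body; the hosts are placeholders, not real indicators.
SAMPLE = (
    '<p>Please <a href="https://login.example.net/verify">'
    'https://portal.example.edu/</a> verify your account.</p>'
    '<p>Help: <a href="https://www.example.edu/help">www.example.edu/help</a></p>'
    '<p><a href="https://example.org/news">Read the newsletter</a></p>'
)
```

Only the first link in SAMPLE is flagged; links with a plain-text label are skipped because there is no displayed host to compare against.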