*Latest* Phishing Email Alerts

Phishing is a type of email scam often associated with "spam" (unsolicited mass emails, usually trying to sell something). With phishing scams, however, cyberthieves send emails that impersonate companies (often financial), service desks, or people that you already know and trust. The goal of phishing is to do one or both of the following:

  • Steal your personal information by tricking you into revealing your account name and/or password, PIN, or other sensitive information
  • Install malicious software (malware or virus) on your computer that can spy on you, capture your saved or stored information, or destroy your files

Columbia students, faculty and staff may receive emails that look legitimate and appear to come from trusted sources like "CUIT Service Desk," "MyColumbia," or "President Bollinger," asking the recipient to click on a link to "verify your account." 

Official emails from Columbia University will never ask you to follow a link and enter your UNI and password. If in doubt, please contact the CUIT Service Desk at 212-854-1919.

Recent phishing scams


    “Are you free at the moment? Let me know ASAP.”

    The gift card email scam

    How it works: You receive a short (often one-line) email from someone in your organization, usually someone senior to you, asking for an immediate response. When you respond, they often get back to you very quickly, asking you to purchase gift cards or wire money somewhere.

    If you look closely, the person that it appears to be coming from has been spoofed by changing the display name or email address (e.g. "Lee Bollinger <lee.bollinger@gmail.com>"). Because many departments post their organizational charts or hierarchies on their websites, it's easy for scammers to identify your managers.

    If you receive a request to buy a gift card, verify via phone or in a fresh email chain using the requester's official email address; you can also call the CUIT Service Desk to confirm its legitimacy.

    "I saw what you did."

    The sextortion scam

    How it works: You receive an email threatening to reveal evidence of embarrassing online activity such as visiting pornographic websites. The sender may claim to have installed software on your computer, tracking your activity. They also often claim to have access to your contacts, and threaten to share a screenshot of your embarrassing activity with your colleagues, friends and family if you do not pay them. They may also include a reference to a password you have (or had at one time) that has been obtained through an external data breach, leading you to believe they have legitimately invaded your computer.

    If you receive a blackmail email and are concerned your computer has been compromised, call the CUIT Service Desk to have it examined. Do not respond and do not click on any links in the message.

    "I know your password is [oldpassword]"

    The data breach scam

    How it works: You receive an email that references a password you recognize as having used in the past. The scammer claims to have installed malware on your computer, and to have captured your account information, other personal information, or embarrassing activity. They will ask for money to "delete" this information and not share it with your contacts. The passwords are from old data breaches; you can check if one of your accounts was breached on sites like Have I Been Pwned. If you are still using this password anywhere, you should change it immediately and read CUIT's advice on creating strong passwords. Consider using a password manager to help you generate and store unique passwords for all your accounts.

    If you receive a blackmail email and are concerned your computer has been compromised, call the CUIT Service Desk to have it examined. Do not respond and do not click on any links in the message.

    CUIT carefully maintains spam filters that prevent most unsolicited mass emails from reaching Columbia inboxes; however, phishing scams are more likely to pass through the filters because they are designed to look very legitimate to scanning software. CUIT also blocks most viruses from reaching your account by filtering out emails that contain executables (files that may look like links but actually install a program when you click on them) and "zipped" attachments. But this does not protect you from malware that is installed when you click on an email link and browse to an infected site. Please forward any suspected spam messages you receive with full headers to spam@columbia.edu. If you think you have clicked a phishing link, please contact the CUIT Service Desk immediately at 212-854-1919.

      How to identify phishing emails

      • Poor spelling and bad grammar: Respected institutions usually have teams focused on producing top-quality emails.
      • Links: A phishing link may lead you to a website asking you to log in to verify your identity, or it might actually download malicious software when clicked. DO NOT click any links in suspicious-looking emails. Instead, navigate to the company's official website using a search engine (Google, Bing, Yahoo, etc.) and log in to your account securely from there. Most companies (especially financial) will never ask you to verify or log in to your account by following a link in an email, and will instead send a secure message to your online account inbox.
      • Threats or urgent warnings: Many cybercriminals try to scare you into "verifying your account" so you do not act with caution. It is best to contact the company directly through their official contact information to determine if your account has been compromised.
      • Slight alterations of well-known company names: Often phishing emails will use a "from" email address that seems official, but is actually a spoof on the official name. For example, paypal-service@notifcation.accountsupport.com or president@colurnbia.edu (in this case, the "r" and "n" are used to impersonate the "m" in Columbia). Look closely at the email address the message is sent from, and if it is overly complex, proceed with caution.
      • Your name isn't used: Phishing emails are often sent in mass batches to large groups without addressing anyone by name. Trusted institutions will usually use your first and/or last name in the body of the email.
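
The two sender tricks described on this page, a trusted display name on an outside address and a look-alike domain such as colurnbia.edu, can be checked mechanically. The Python below is an added example, not code from CUIT; the protected-name list, the confusable-character table and the helpdesk@columbia.edu sample address are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumptions for this sketch: the organisation's domain and names worth protecting.
TRUSTED_DOMAIN = "columbia.edu"
PROTECTED_NAMES = {"lee bollinger", "cuit service desk"}

# Character sequences that read like another letter at a glance (assumed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so 'colurnbia.edu' and 'columbia.edu' compare equal."""
    s = domain.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def is_trusted(domain: str) -> bool:
    """True for the trusted domain itself or any of its subdomains."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def check_from_header(header: str) -> list:
    """Return the reasons a From: header looks spoofed (empty list if none)."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if is_trusted(domain):
        return findings
    if skeleton(domain) == skeleton(TRUSTED_DOMAIN):
        findings.append("lookalike-domain")
    if name.strip().lower() in PROTECTED_NAMES:
        findings.append("display-name-impersonation")
    return findings

# Constructed sample headers; the first two addresses are the ones quoted on this page.
SAMPLES = (
    "Lee Bollinger <lee.bollinger@gmail.com>",
    "President <president@colurnbia.edu>",
    "CUIT Service Desk <helpdesk@columbia.edu>",
)

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from_header(header) or "no finding")
```

The check inspects only the visible From: header, so a forged message that shows a genuine columbia.edu address produces no finding; that case is handled by mail authentication checks, not by this comparison.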
      It's a good practice to look at all emails and websites suspiciously, but of course you need to visit websites.

      How to identify legitimate websites

      • Look for the secure padlock: Chrome, Safari, Internet Explorer and Firefox browsers display a padlock in the URL field to indicate "safe" websites. You can click on the padlock to confirm that the certificate belongs to the same company as the website you are trying to visit.
      • Check if it is authenticated (HTTP Secure): Authenticated websites begin with https:// instead of http://. Most illegitimate sites do not bother getting security certification because they are shut down quickly. Confirming the https:// is especially important on pages where you submit payment information.
      • Use a search engine: Google, Bing and other search engines will compile the highest-trafficked sites near the top of the results list, and these are normally the official company sites.
      • Hover over links: Use your mouse to hover over ("mouse over") a website link to view the underlying URL (will be displayed at the bottom of your browser). Even links that are labeled as URLs can send you to another place entirely, but when you hover over the link, the true destination URL will always be displayed at the bottom of your browser.
      • Open the Google Transparency Report webpage: You can quickly check a website's address using this service to see its safety rating from Google.
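
The "hover over links" check above compares what a link says with where it goes, and the same comparison can be run over an HTML message body. The Python below is an added example, not code from CUIT; the sample HTML is constructed and login.example.net is a placeholder destination.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(text):
    """Hostname of a URL or URL-looking text; '' if the text is not URL-like."""
    try:
        host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    except ValueError:
        return ""
    host = host.rstrip(".")
    return host if "." in host and " " not in host else ""

def mismatched_links(html):
    """Return (shown host, real host) for links whose label names another site."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(host_of(t), host_of(h)) for t, h in parser.links
            if host_of(t) and host_of(t) != host_of(h)]

# Constructed sample body: the first link is labeled as one site but points to another.
SAMPLE_HTML = (
    '<p>Verify at <a href="http://login.example.net/cu">https://www.columbia.edu/login</a>'
    ' or <a href="https://www.columbia.edu/">click here</a>.</p>'
)

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_HTML))
```

Links whose label is ordinary wording ("click here") are skipped, because there is no displayed address to compare against; those still need the manual hover check.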