Phishing: Reporting and Latest Scams

Phishing is a type of email scam often associated with "spam" (unsolicited mass emails). With phishing, however, cyberthieves send emails that impersonate companies (often financial institutions), service desks, or people you already know and trust. The goal of phishing is to do one or both of the following:

  • Steal your personal information by tricking you into revealing your account name and/or password, PIN, or other sensitive information
  • Install malicious software (malware or virus) on your computer that can spy on you, capture your saved or stored information, or destroy your files

Columbia students, faculty and staff may receive emails that appear to come from trusted sources like "CUIT Service Desk," "MyColumbia," or "President Bollinger," asking you to enter your username/password to "verify your account." 

CUIT Security's mission is to create a secure computing environment for Columbia University. The CUIT Cybersecurity Team investigates and triages phishing attempts sent to the Columbia University community. This service is free of charge and can be used as often as necessary.

CUIT also leverages Proofpoint as our proactive email security gateway to filter out potential phishing and spam. However, because phishers are constantly innovating ways to bypass filters, CUIT has designed a process to handle any suspicious emails that you may receive. CUIT depends on our community reporting suspicious activity to help us stay safe. 

Official emails from Columbia University should never ask you to follow a link and enter your UNI and password. 

If in doubt, please contact the CUIT Service Desk at 212-854-1919 or report the email to phishing@columbia.edu with full headers (see below) so the CUIT Cybersecurity team can investigate where the email was sent from. 

Your email password and other personal information are not included in the full headers. Please note that you cannot send full headers from a mobile mail app; use a desktop mail client or the web interface to report.

    How to report a suspicious email to phishing@columbia.edu

    Updated June 15, 2020

    In every mail client the goal is the same: send the original message as an attachment (an .EML file) rather than forwarding it inline, because an inline forward strips the headers the Cybersecurity team needs to trace where the message came from.

    LionMail/Gmail

    A 45-second how-to video for LionMail/Gmail also is available to demonstrate how to report phishing.
    1. Open the suspicious message you'd like to report.
    2. Click the three dots in the upper-right corner of the message to see your options.
    3. Click Show Original. A new window (or tab) opens with the raw message, including the complete header.
    4. Click Download Original.
    5. Address a new email to phishing@columbia.edu.
    6. Attach the downloaded .EML file to your email and click Send.

    Apple Mail

    A 45-second how-to video for Apple Mail also is available to demonstrate how to report phishing.
    1. Select the suspicious email that you would like to report.
    2. Select File from the menu bar, then click Save As.
    3. Choose a location for the file (often your desktop), and change the format to Raw Message Source. Click Save.
    4. Address a new email to phishing@columbia.edu. Attach the saved .EML file to your email. Click Send.

    Outlook (desktop)

    1. Double-click on the message you want to report to open it in its own window.
    2. Click on the Message tab, and find the Respond section.
    3. Expand the More Respond Actions drop-down menu, and click Forward as Attachment.
    4. Send the message (with attachment) to phishing@columbia.edu.

    Office 365 (Outlook on the web)

    A 45-second how-to video for Office 365 also is available to demonstrate how to report phishing.
    1. Click the New Message button.
    2. Drag the email you want to report into the body of the blank message (it will be added as an attachment).
    3. Send the email (with attachment) to phishing@columbia.edu.
    How to spot a fake Columbia login screen

    (Screenshot: CAS login screen with the cas.columbia.edu URL)

    All genuine CAS login screens have a URL that begins with https://cas.columbia.edu/ (in browsers that hide the scheme, the lock symbol followed by cas.columbia.edu/). Check the whole hostname, not just that the word "columbia" appears somewhere in it: the hostname must end at cas.columbia.edu, with nothing but a slash after it. If even one letter is missing (or added), be very suspicious and do not enter your password.
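The same rule, written as a check a script can run over a link pulled out of a reported email. This is an added example, not code from the CUIT page: it assumes only what the text above states, that the genuine hostname is exactly cas.columbia.edu over https, and the test URLs are constructed. It shows why a "starts with" comparison is not enough: a URL can carry userinfo before an @ sign, so the name a reader sees first is not necessarily the host.

```python
from urllib.parse import urlsplit

GENUINE_CAS_HOST = "cas.columbia.edu"  # the only hostname a real CAS login uses (from the page)


def is_genuine_cas_url(url: str) -> bool:
    """True only if url is an https link whose host is exactly cas.columbia.edu.

    A plain "starts with https://cas.columbia.edu" test is not enough:
    https://cas.columbia.edu@203.0.113.5/ actually goes to 203.0.113.5 (the part
    before @ is userinfo, not the host), and cas.columbia.edu.example.net is a
    different host even though the genuine name appears inside it.
    """
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises ValueError if malformed
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or host is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo trick: what the reader sees before @ is not the host
    if port not in (None, 443):
        return False
    return host == GENUINE_CAS_HOST  # .hostname is already lower-cased by urlsplit
```

The constructed cases worth keeping in mind: a look-alike such as cas.colurnbia.edu, the genuine name used as a subdomain of another site, the genuine name placed in the path, and an http:// (not https://) link all fail the check.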

    How to identify phishing emails

    CUIT carefully maintains spam filters that prevent most unsolicited mass emails from reaching Columbia inboxes. Phishing scams, however, are more likely to pass through the filters because they are designed to look legitimate to both scanning software and the reader. Warning signs to look for:

    • Poor spelling and bad grammar: Respected institutions usually have teams focused on producing top-quality emails.
    • Links: A phishing link may lead you to a website asking you to log in to verify your identity, or it might actually download malicious software when clicked. DO NOT click any links in suspicious-looking emails. Instead, go to the company's official website on your own, using a bookmark you saved earlier or a search engine (Google, Bing, Yahoo, etc.), and log in to your account from there. Most companies (especially financial) will never ask you to verify or log in to your account by following a link in an email, and will instead send a secure message to your online account inbox.
    • Threats or urgent warnings: Many cybercriminals try to scare you into "verifying your account" so you do not act with caution. It is best to contact the company directly through its official contact information to determine if your account has been compromised.
    • Slight alterations of well-known company names: Often phishing emails use a "from" address that seems official but is actually a spoof of the official name. For example, paypal-service@notifcation.accountsupport.com or president@colurnbia.edu (in this case, the letters "r" and "n" are used to impersonate the "m" in Columbia). Look closely at the email address the message is sent from, not just the display name shown next to it, and if it is overly complex, proceed with caution.
    • Your name isn't used: Phishing emails are often sent in mass batches to large groups without addressing anyone by name. Trusted institutions will usually use your first and/or last name in the body of the email.

    If you think you have clicked a phishing link or have accidentally entered your login information on a suspicious site, change your password immediately, then contact the CUIT Service Desk at 212-854-1919.

    You also should use Proofpoint to block any senders that are emailing you phishing messages. If a message is not caught by the Proofpoint Email Quarantine, please report the sender to CUIT.

    “Are you free at the moment? Let me know ASAP.”

    How it works: You receive a short (often one-line) email from someone in your organization, usually someone senior to you, asking for an immediate response. After you respond, they get back to you very quickly, asking you to purchase gift cards or wire money somewhere.

    If you look closely, the person it appears to come from has been spoofed by changing the display name or email address (e.g. "Lee Bollinger <lee.bollinger06@gmail.com>"). Because many departments post their organizational charts or hierarchies on their websites, it is easy for scammers to identify your managers and their names.

    If you receive a request to buy a gift card or wire money, do not reply to the message itself. Verify by phone or in a fresh email chain using the requester's official email address; you can also call the CUIT Service Desk to confirm its legitimacy.
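The sender checks described on this page (a familiar display name on an outside address, a look-alike domain such as colurnbia.edu, replies steered to a different mailbox) and the reason the team asks for full headers can all be shown on a raw .EML file. The following is an added example, not CUIT's own code or tooling: it parses a reported message with Python's standard email library, flags the spoofing patterns described above, and reads the originating host from the bottom-most Received header. The sample messages, hostnames, IP addresses and the list of senior names are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "columbia.edu"  # the institution's real domain
# Constructed example: names a scammer could lift from a public org chart
KNOWN_SENIOR_NAMES = {"lee bollinger", "president bollinger"}
# Glyph substitutions used in look-alike domains: colurnbia.edu -> columbia.edu
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def fold_lookalikes(domain: str) -> str:
    """Collapse look-alike spellings so a spoof and the real domain fold to the same string."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def triage(raw: str) -> dict:
    """Return {'origin': first-hop host or None, 'findings': [codes]} for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))

    # 1. A known senior person's name on an address outside the institution
    if from_name.lower() in KNOWN_SENIOR_NAMES and not is_trusted(from_dom):
        findings.append("display-name-spoof")
    # 2. Sender domain is a look-alike of the real one
    if not is_trusted(from_dom) and fold_lookalikes(from_dom) == fold_lookalikes(TRUSTED_DOMAIN):
        findings.append("lookalike-domain")
    # 3. Replies are steered to a different mailbox than the visible sender
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")
    # 4. Envelope sender (Return-Path) differs from the visible From domain
    if return_path and domain_of(return_path) != from_dom:
        findings.append("return-path-mismatch")

    # Each relay prepends its own Received header, so the LAST one is the first hop:
    # the host the message really came from, which is what full headers reveal.
    origin = None
    received = msg.get_all("Received") or []
    if received:
        match = re.search(r"from\s+(\S+)", str(received[-1]))
        origin = match.group(1) if match else None
    return {"origin": origin, "findings": findings}


# Constructed sample messages (documentation IP ranges and reserved example domains)
SAMPLE_BEC = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.columbia.edu (mx.columbia.edu [198.51.100.10])
 by inbox.columbia.edu with ESMTP; Mon, 15 Jun 2020 09:00:02 -0400
Received: from relay.example.net (relay.example.net [203.0.113.7])
 by mx.columbia.edu with ESMTP; Mon, 15 Jun 2020 09:00:01 -0400
From: Lee Bollinger <lee.bollinger06@gmail.com>
Reply-To: <lb.office.urgent@webmail.example>
To: staff@columbia.edu
Subject: Are you free at the moment?

Let me know ASAP.
"""

SAMPLE_LOOKALIKE = """\
Return-Path: <president@colurnbia.edu>
Received: from mail.colurnbia.edu (mail.colurnbia.edu [203.0.113.20])
 by mx.columbia.edu with ESMTP; Mon, 15 Jun 2020 09:05:00 -0400
From: President Bollinger <president@colurnbia.edu>
To: staff@columbia.edu
Subject: Verify your account

Please verify your account.
"""

SAMPLE_LEGIT = """\
Return-Path: <cuit@columbia.edu>
Received: from smtp.columbia.edu (smtp.columbia.edu [198.51.100.20])
 by mx.columbia.edu with ESMTP; Mon, 15 Jun 2020 09:10:00 -0400
From: CUIT Service Desk <cuit@columbia.edu>
To: staff@columbia.edu
Subject: Planned maintenance

Service window details follow.
"""
```

These are triage hints, not a verdict. A legitimate external sender can have a Return-Path that differs from its From address (mailing lists and marketing platforms do this routinely), and a sender can forge any Received header below the first one added by your own mail servers, so only the hops recorded by relays you trust are reliable evidence of origin.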

    "I saw what you did."

    How it works: You receive an email threatening to reveal evidence of embarrassing online activity such as visiting pornographic websites. The sender may claim to have installed software on your computer, tracking your activity. They also often claim to have access to your contacts, and threaten to share a screenshot of your embarrassing activity with your colleagues, friends and family if you do not pay them. They may also include a reference to a password you have (or had at one time) that has been obtained through an external data breach, leading you to believe they have legitimately invaded your computer.

    If you receive a blackmail email and are concerned your computer has been compromised, call the CUIT Service Desk to have it examined. Do not respond and do not click on any links in the message.

    "I know your password is [oldpassword]"

    How it works: You receive an email that references a password you recognize as having used in the past. The scammer claims to have installed malware on your computer, and to have captured your account information, other personal information, or embarrassing activity. They will ask for money to "delete" this information and not share it with your contacts. The passwords come from old data breaches; you can check whether one of your accounts was breached on sites like Have I Been Pwned. If you are still using this password anywhere, change it immediately and read CUIT's advice on creating strong passwords. Consider using a password manager to help you generate and store unique passwords for all your accounts.

    If you receive a blackmail email and are concerned your computer has been compromised, call the CUIT Service Desk to have it examined. Do not respond and do not click on any links in the message.

    How to identify legitimate websites

    (Screenshot: secure padlock located to the left of the URL in the web browser)

    • Look for the secure padlock: Chrome, Safari, Internet Explorer and Firefox display a padlock in the address bar when the connection is encrypted and the site's certificate is valid for the hostname shown. The padlock does not mean the site is honest; click on it to view the certificate and confirm that the name it was issued for is the company you intended to visit.
    • Check for https://: An https:// address means your traffic is encrypted in transit, and you should never submit a password or payment information over plain http://. It is not proof of legitimacy: certificates are free and quick to obtain, so most phishing sites now use https:// as well. The hostname in the address bar is what matters.
    • Use a search engine: Google, Bing and other search engines normally rank the official company site near the top of the results, but check that the result is not a sponsored link and that the hostname is the one you expect before logging in. A bookmark you saved earlier is safer still.
    • Hover over links: Hover your mouse over a link to see the underlying URL (browsers show it at the bottom of the window). The visible text of a link, even when it looks like a URL, can point somewhere else entirely. Hovering shows the destination at that moment; a page's script can still change it when you click, so if the hover target and the link text disagree, do not click at all.
    • Open the Google Transparency Report webpage: You can quickly check a website's address using this service to see its Safe Browsing status from Google.