How To Identify Phishing Scams

Last Updated: April 3, 2024 10:36:35 AM PDT

Protect yourself from phishing scams with these tips.

Phishing (pronounced 'fishing') is an email scam designed to acquire sensitive information from people. The most successful phishing emails are designed to look like the email comes from a reputable source such as a known person or entity. UC San Diego faculty, staff, and students are often the target of attempts to gain login credentials or personal information through phishing scams that may claim to be coming from UC San Diego, UC San Diego IT Services, or a UC San Diego department. Sometimes the email says that your email account is over quota so you must click a link to reactivate or update your account, or that you must provide your user information to keep your account active. These are fraudulent attempts and should not be replied to or acted upon.

General tips

Never share your passwords with anyone.
UC San Diego, UC San Diego IT Services, your bank, FedEx, the IRS, your credit card company, and other reputable institutions will never ask for your password by email, phone, text message, or in person.
- Financial or medical institutions may communicate with you via secure messaging. You may receive an email from a financial or medical institution informing you of this message, but it will never ask for your personal information or password.
Do not click on any embedded buttons in a phishing email, especially those that say "unsubscribe" or "remove me from this mailing list." These links often install malware on your system.
Call the individual or office that purportedly sent the email to confirm that it is a real request.
Report phishing attempts and false senders to IT Services Security at abuse@ucsd.edu.

Integrated Procure-to-Pay Solutions (IPPS) also provides guidance about supplier fraud and scams here on Blink.

If you have questions about phishing, consult your department IT staff or IT Services Security.

Identify a phishing email

Look at this example of a phish message that is mocked up to show its telltale signs.

Remember, UC San Diego will never ask for or ask you to confirm your:

Account information
Password
Address
Personal information such as age, social security number, or home address.

Though the signature of an email may include a legitimate UC San Diego department name or logo, this alone should not be used to determine whether an email is actually from UC San Diego.

Check a website link within an email

Phishers commonly put a link in their emails that looks valid but actually goes to a fake or imitation site. Hover your mouse over the link (without clicking it) so you can see the actual destination website address.

Do not click on a link if:

The address does not correspond to your expectations.
You see misspellings in the address.

If you are uncertain, use a search engine to look for the institution's page and see if the addresses match.

What to do with a suspicious email

If you suspect a message is not a valid campus message, check Blink for information about the service. Call the individual or office that purportedly sent the email to confirm that it is a real request.

Do not follow links to a webpage.
Do not fill out any forms that ask for personal or financial information.
Delete the message.

Report fraudulent email, identity theft & ransomware

IT Services continuously monitors for phishing emails and takes action when the message source can be reliably determined. If you receive a suspicious email, please forward it to abuse@ucsd.edu where it will be automatically analyzed and the results used to prevent additional deliveries.

The Federal Trade Commission (FTC) exists to protect American consumers and provides a complaint mechanism where you can report a variety of scams and fraudulent activity perpetrated by criminals, even internationally. They also maintain the National Do Not Call Registry and are a resource for the prevention of, and recovery from, identity theft.

The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) accepts complaints if you believe you have been the victim of an Internet crime, or if you want to file on behalf of another person. The FBI is also the source to report receiving a call from a person claiming to be with the Drug Enforcement Agency (DEA) as noted in this DEA Scam Alert.

Additionally, IC3 provides an informative ransomware brochure highlighting "prevention, business continuity, and remediation." In general, paying ransoms is not recommended as there is no guarantee that individuals will recover their files if they pay the ransom. The University of California has a position of NOT paying ransoms. Anytime an exception is considered, a specific protocol must be followed as complex legal issues exist in such circumstances. Contact our Chief Information Security Officer (CISO) for help. For more information about ransomware and guidance on protecting yourself, please visit our ransomware cybersecurity awareness page.

COVID-19 Specific Phishing Campaigns

Campus Notice - Be Aware of COVID-19 Related Hacking and Phishing Attacks
Federal law enforcement and the FTC are reporting a massive growth of spam, phishing, and text messaging scams, as well as web-based advertising offering false COVID-19 cures, treatments, and personal protection advice. Additional information about these campaigns was provided by our email security vendor Proofpoint in the form of this awareness video (2:27).
Across the Internet we are seeing evidence of organized crime attempting to lure unsuspecting users to bogus COVID-19 information websites while invisibly downloading malicious software designed to steal corporate and personal information. A recent example uses the actual COVID-19 data taken off an identical (legitimate) site provided by Johns Hopkins University. This can be safely viewed at: https://app.box.com/v/coronavirusscam.

Resources

For more information, contact IT Services Security at security@ucsd.edu.