Important to know

CU or any reputable organization will never ask for your passwords in an email or phone call.

Cybercriminals Like to Phish, but Don't Take the Bait

Phishing – when a cybercriminal poses as a legitimate party in hopes of getting individuals to engage with malicious content or links – remains one of the most popular tactics among cybercriminals today. According to a 2021 report by Spanning, 80% of cybersecurity incidents stem from a phishing attempt. However, while phishing has gotten more sophisticated, keeping an eye out for typos, poor graphics and other suspicious characteristics can be a telltale sign that the content is potentially coming from a phish.

What is phishing?

Phishing is a type of electronic scam. Cybercriminals use deceptive tactics to manipulate people into doing what they want with the goal of stealing information and money. They use phishing because, unfortunately, it’s easy to do and often effective.

The tactics used, sometimes called “social engineering,” are the foundation of all phishing scams conducted through emails, text messages, and cell phone calls. As technology becomes more advanced, so do the cybercriminals' tactics.

Make the cybercriminals job harder and ineffective by recognizing the red flags when receiving unusual or unexpected messages.

What are some tactics used in phishing scams?

Tactics often found in phishing scams range from a fake and malicious web link to a directive that appears to come from your supervisor or a university leader.

When receiving an unusual or unexpected message, look for these tactics and red flags:

Play on emotions

Phishing messages are often written to generate emotions that will motivate you to take immediately action; fraudsters don’t want you to take time to consider the message’s legitimacy. The most common emotions include a sense of fear or urgency, or an award of good fortune—something that is too good to be true.

Some real examples:

  • Your email account is or will be locked.
  • Your computer is infected or compromised.
  • You’re a cash prize winner for a drawing you never entered. To receive the prize, you are required to prepay the taxes through a wire transfer.
  • You’re threaten with legal action by a government agency unless payment is promptly made with gift cards.

Phishing email forcing user to change password

Fake, malicious links and attachments

Cybercriminals can use links and attachments to deliver malware—malicious software—to your computer and possibly gain access to CU networks and sensitive work information. Such access may also allow them to lock your computer for ransom until a payment is received.

Malicious links can be disguised to look like trusted links and take you to fake or infected websites. Attachments can appear to come from a known source, but whose account has been compromised.

Some real examples:

  • You receive an email that appears to come from Microsoft stating, “issues with your account” and includes a link titled “Secure Account Here.” By hovering the cursor over the link, you see that the real URL is “microsoft-support.com.” Microsoft has no such link. 
  • You are urge to open an unexpected attachment from the university. You are asked to review and confirm your acceptance of changes to the payroll calendar.

Phish Email with Malicious Attachment

Fraudulent data entry

You’re prompted to fill in sensitive information like user names, passwords, and financial information.

Some real examples:

  • Soon after applying for a job, you receive an offer. No interview is necessary; simply complete the attached credit report form and the job is yours.
  • You receive an email that appears to come from CU informing you to “upgrade your mail quota.” You are instructed to enter your campus portal password. A legitimate email from your campus IT department will never direct you to enter confidential information into an email.

Email asking for data

Impersonation of individuals or companies 

By impersonating an individual or company or both, cybercriminals can send phish that looks legitimate. They use compromised email accounts and addresses to send the phish. To appear more authentic, business logos are often copied from the Internet and added to the message.

Be aware: cybercriminals may send email that appears to come from a CU address, such as @cu.edu or @colorado.edu. (Think of a return address on a postal letter; someone can list whatever return address they would like, but that doesn't guarantee that is who sent the letter.) The cybercriminal's intention of the email is to get you to click links or open attachments.

Some real examples:

  • Staples sends you an email notification that there are delivery issues with your office supply order. You are instructed to click on the link to resolve the issue and schedule another delivery. The logo and formatting look like a Staples email; however, when you hover the cursor over the link, it indicates the URL is "staples-delivery-876976.com," which is not a legitimate address for the site.
  • Phishing emails appearing to come from Microsoft Teams have targeted as many as 50,000 Teams users with the goal of obtaining Office 365 logins. 

Phish Email MS Teams Messages

There's no link, attachment, or data entry request. What’s the catch?

Cybercriminals get more creative, making it more difficult to detect fraud. Recent phishing scams don’t use malicious links or attachments and appear to come from your supervisor, campus leaders, or departments.

Some real examples

  • One common phishing email making its way through the university is the gift-card scam. The scam typically starts with a brief email exchange, such as “are you in the office” or “have a special favor to ask.” If you respond, appearing to fall for the impersonation, you will be asked to promptly purchase several gift cards and email the card numbers to them.   

Phish Email Gift Card Request

How can I avoid getting scammed?

  • Don't react to tactics aimed to scare you into taking urgent action, including: threats of a lawsuit, a computer full of viruses, locked accounts, or opportunities to earn or save money now.  

  • Don’t reveal personal or financial information in an email or text messages. (CU will never ask you for your username or password.)

  • Don’t open email attachments you are not expecting, even if it appears to come from someone you know. Their account may have been compromised.

  • Be cautious of links provided in an email. Hover the cursor over the link to verify that the URL leads to a site you recognize. (How to verify links on mobiles devices will depend on the device.)

  • Verify the legitimacy of charities and crowdfunding sites before making donations. Do not provide donations in cash, gift cards, or money wires.

  • If you are unsure whether an email request is legitimate, try to verify it by contacting the sender or company directly by an alternate known communication method.

  • When in doubt, throw it out. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark it as junk.

  • Think before you respond: 

    • Emails from a university leader asking you to make an urgent wire transfer or buy gift cards are likely to be scams.

    • No one from your campus IT department is going to call to inform you about a computer virus and ask for your passwords.

    • Government agencies will not call and threaten you, or make demands for payment in the form of gift cards.

I’m still not sure if it’s a legitimate message or a phish. What should I do?

You don't have to be an expert. If something seems suspicious, it probably is. For university-related messages, forward emails to your campus IT or Information Security office and we’ll look into it for you. 

For suspicious messages sent to your personal account, do your research to see if the message if legitimate:

  • Contact known persons or companies directly.

  • If the sender is unknown, see if the organization actually exists and call them directly.  

  • Consider ignoring and deleting the message.

What should I do if I opened a suspicious link or attachment or inadvertently shared sensitive information?

Immediately report it as a possible incident. Visit the Report an Incident web page to learn more.

How do I avoid receiving phishing scams in the first place?

The surest way to avoid receiving phishing scams is to live off-the-grid somewhere high in mountains of no-where. For the rest of us, here are some suggestions:

  • Be mindful of what you share online. Fraudsters can easily collect email addresses from numerous sources.

  • Use email spams filters for your personal devices and accounts.

  • Be cautious when joining loyalty or rewards programs. Some companies may unknowingly sell or share your information to deceitful data brokers.

How can I report personal or home phishing scams?

You can report a phishing scam attempt directly to the company that is being impersonated. You can also send reports to the Better Business Bureau at bbb.org and Federal Trade Commission at ftc.gov.

Learn more about phishing: