Overview
Unlike spam or junk email, phishing emails are designed to look like legitimate messages from a real financial institution, government agency, or some other service, business, or individual. The object is to get an unsuspecting user to reveal personal information like account numbers, passwords, or Social Security numbers or click on a link that may attempt to download and install malware or or open a malware infected attachment.
Spear phishing is a subset of phishing where the bad actor tailors a message for a specific target. They will often do research on the subject using publicly available data like web searches, school or work directories, and social media so that they can make the message that much more convincing.
Avoid getting phished by thinking before you act on a message. Be skeptical, even if the message at first appears to be legitimate. When in doubt throw it out or confirm that the message is authentic. Contact the sender or institution yourself using the contact information you already have not by replying to the email—call them on the phone, in the case of a bank, use the customer service number on the back of the ATM or credit card. Don’t open any attachments or follow any links until you are sure the message can be trusted.
When users report phishing we will investigate the nature of the phishing attempt, the number of targets, and who, if anyone, responded. We take appropriate actions like:
- Blocking the sender
- Removing messages from inboxes
- Warning anyone who responded
If phishing messages were automatically moved to spam, it is not necessary to report phishing. The automated detection mechanisms are working. No further action is required. However, if the message was delivered to the user's inbox, please report phishing using the built-in reporting feature of the Gmail browser
How to Report Phishing
Report phishing messages as phishing by selecting the "Report phishing" option from the right hand menu of the message window or the "Report phishing" button if a large yellow phishing warning banner is present. Reporting phishing messages as phishing in this way will notify IT staff who will investigate and take appropriate actions. It also helps Google improve their algorithms that detect phishing messages. Or watch this video:
1 Minute on How to Report Phishing
For more information on identifying and reporting phishing messages see this Knowledge Base article (links over to Carleton)