Read and Understand, Then Act: The Simple and Proven Method for Preventing Phishing Scams

Phishing scams can trick anyone. Whether you’re a seasoned cybersecurity expert or an average email user, you’re at risk of being a target. In this article, we share practical ways to foil phishing scams and keep your information safe. It all starts with this simple and proven method: read and understand, then act.

How to Spot a Phishing Email

You might think you know how to spot a phishing email. You know the warning signs, such as a sketchy sender email address, misspelled words, and the urgency to act fast without thinking. But when you’re hit with a convincingly urgent and important email, everything you know can fly out the window.

The first step in spotting a phishing email is to read carefully. Bad actors are getting better at constructing their emails, so this may not be as simple as it sounds. Refrain from taking quick actions, like clicking links (including scanning QR codes), downloading an attachment, or even responding to the sender.

Instead, as you read your emails, be mindful of the following:

  • Sender information - Make sure the email is from a trusted, legitimate source. Fraudulent email addresses are often spelled or formatted to look like they came from a verified address. Don’t rely on the display name alone, as this can be spoofed to look like someone you know. Be sure to view the actual email address that sent the message. When in doubt, contact the person directly to confirm the legitimacy of the email by calling them at their known number or sending a new email to their known email address.
  • Grammar, spelling, and context - Scam emails often contain errors or poor sentence construction; however, generative AI has allowed scammers to generate more convincing messages. While grammar and spelling are obvious red flags, you should also stop to ask yourself whether the context of the message makes sense. Would this person really be asking this of you?
  • Pressure to act fast - Scammers often create a sense of urgency to get you to act without thinking. Keep in mind that entities like your bank or UCR almost always provide advance notice if action is required on your part. If this message is the first time you’re hearing of this request, take a pause and look through your other emails and communication channels to determine whether this is something that has been communicated previously. Again, if in doubt, reach out directly to a known contact or customer service center to ask about the legitimacy of the message.
  • Request for login details - Entities who value your privacy and security will never ask you to provide your login credentials via email or a link in an email, unless you initiated a request to reset your password or recover your login ID. A common scam is to send an email telling the recipient that their account will be deactivated or deleted if they do not click the link to verify their login credentials. UCR will never ask you for your password or sensitive information in order to keep an account active.
  • Request for upfront payment - Some phishing scams, such as job scams, ask you to make a payment first in order to receive a benefit or reward. Remember that legitimate employers will never ask you to pay for anything upfront. Requests to purchase gift cards with the promise of reimbursement are a common tactic used by scammers. As a general rule, don’t provide any financial information or bank account details to someone unless that person has a legitimate reason for requesting them (e.g., the HR representative at a company that has legally employed you has asked for the information via a secure employee portal).
  • QR codes - These are ubiquitous and can be made by anyone, which makes them vulnerable to being exploited by bad actors. Learn how to check if a QR code is safe.
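The "Sender information" check above is about seeing the real address behind a display name. The following added example (not part of the original article) parses a constructed message with the Python standard library and reports when the display name looks like an address that differs from the actual sender, or when replies would go to a different domain; all names and domains in it are made up.

```python
# Added example, not from the original article: surface the sender facts a
# reader should check before acting. Standard library only.
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample message; every name and domain here is fictional.
RAW_MESSAGE = """\
From: "payroll@campus-example.edu" <noreply@mail-example.net>
Reply-To: hr-desk@other-example.org
Subject: Action required: confirm your direct deposit today
Content-Type: text/plain

Your account will be deactivated unless you verify your login now.
"""


def sender_facts(raw: str) -> dict:
    """Return the real From address, its domain, and any Reply-To address."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    return {
        "display_name": display_name,
        "from_addr": from_addr.lower(),
        "from_domain": from_domain,
        "reply_to": reply_to.lower(),
    }


def sender_warnings(raw: str) -> list:
    """List the display-name and reply-path mismatches the checklist describes."""
    facts = sender_facts(raw)
    warnings = []
    # Display name contains something that looks like an email address, but it is
    # not the address the message actually came from.
    shown = re.search(r"[\w.+-]+@[\w.-]+", facts["display_name"])
    if shown and shown.group(0).lower() != facts["from_addr"]:
        warnings.append("display name shows a different address than the real sender")
    # Replies would be routed to a domain other than the sending domain.
    if facts["reply_to"] and not facts["reply_to"].endswith("@" + facts["from_domain"]):
        warnings.append("Reply-To points to a different domain than From")
    return warnings


if __name__ == "__main__":
    for warning in sender_warnings(RAW_MESSAGE):
        print("WARNING:", warning)
```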

As you read, understand the information you are receiving. Some helpful questions to ask yourself are:

  • Is the sender’s email address legitimate?
  • Am I expecting this communication, link, or email attachment?
  • Does the message make sense? Can I verify this information elsewhere? Is this truly urgent?
  • Is this QR code coming from a trusted source? Why would they include a QR code in an email (when I am likely reading on my phone)?
  • Is the offer too good to be true? If I think I know this person, how can I contact them directly at a known number or email address to verify?
  • Did I apply for this job / position? This message appears to be random; why am I receiving it? How can I contact the employer directly?

How to Avoid Falling for a Phishing Scam

Finally, take action. After exercising your best judgment, consider how you will respond. If you receive suspicious communication, report it immediately. Do not click links, scan QR codes, download attachments, or even respond to the sender.

Phishing emails can be reported through PhishAlarm, the hook-and-envelope icon you will find in your UCR R’Mail or Outlook email. PhishAlarm reports are forwarded to the UCR Information Security Office. However, you may also email the team at infosecoffice@ucr.edu. Another alternative is to report directly to the FBI Internet Crime Complaint Center at www.ic3.gov. Click “File a Complaint” and then select “Other Cyber Crime.”

What Happens if You Fall for a Phishing Scam?

Falling for fraudulent emails can open up more ways for bad actors to target you or the entire UCR community. It creates a domino effect that can make UCR vulnerable to cyber attacks.

UCR’s Security Is at Risk

Compromised UCR email accounts can be used to send phishing emails to the campus community. In some cases, bad actors attempt to access a UCR email account and see if the account owner accepts the MFA push verification. If the user doesn’t respond to the push verification, the bad actors reach out to them directly by other means, like SMS or phone call, to trick them into accepting the push or providing a verification code.

Avoid falling for fraudulent communications twice. Be mindful of your actions and diligently follow cybersecurity best practices, including refraining from accepting MFA prompts and verification code requests that you did not initiate.

If you gave out sensitive information and realized that you might have been a victim of a scam, take these steps immediately:

  1. Stop all communications with the scammer. Do not engage further nor attempt to negotiate with them.
  2. Change your passwords and secure your accounts with multi-factor authentication (MFA). This is especially important if you gave away your account credentials. Additionally, check any affected account(s) for unauthorized activity.
  3. Report the fraud to the appropriate authorities. Report the incident to the UCR Information Security Office if your UCR account was compromised (e.g., the scammer gained access to your email or changed your direct deposit details). If you lost money from a scam, please report the incident to law enforcement such as the FBI Internet Crime Complaint Center.

Related: Beware of SMS Phishing (Smishing) Attempts Targeted at the UCR Community
