Email & phishing scams

Don't take the bait

If you have an email account, you’ve almost certainly been on the receiving end of too-good-to-be-true schemes attempting to con you into giving up information, buying into a scam, or clicking on malicious links or files.

These attempts have become increasingly sophisticated. Scammers can create convincing emails that appear to come from trusted sources, including your bank and even universities like IU.

Below are some guidelines to dramatically reduce the risk of falling victim to email and phishing scams.

How to spot a phishing message?

Does the message ask you to login or verify your account?

Always open a new window and use the institution’s official home page to log into any account. Links in an email may appear to go to the trusted site, but actually redirect to a page that steals your login information.

Is the message asking for the personal information of others?

NEVER respond to an email requesting personal, financial, or other protected information, even if it appears to be from IU, your bank, or another trusted institution.

Does the message ask you to immediately click a link?

Clicking through or replying to spam can verify your email address and encourage more such attempts in the future. Before you click or tap, position over the linked text to see if the full destination URL is legitimate.

Learn more about making sure a website is genuine.

Does the message ask you to immediately click an attachment?

Attachments are a key way that malware and harmful files are sent in phishing attacks. NEVER open attachments from senders you don’t know.

Does the sender's real email address match the "From" field?

Double-click or tap the sender's name to make sure the real email address matches the expected email address and has a legitimate domain after the @ symbol in the email address. For example, “” has a legitimate IU domain, but “” does not.

If it’s from an IU communication campaign or mass email, is it missing a security footer?

Emails from official IU sources have a security footer at the end of the message. This footer includes your name and IU email address. We include this in our emails to help you distinguish between legitimate emails and phishing emails.

How to report a suspicious email

If you see a suspicious email in your IU account, you can report it by selecting the Report Message icon in Microsoft Outlook under the Home ribbon. This lets both IU and Microsoft know that the email may be malicious, so that they can take action to prevent it from reaching others. You can also forward the message with full headers to

Once you’ve reported the message, delete it. Using the Report Message tool in Outlook will automatically delete it.

Help, I think I've been phished! What do I do?

Accidents happen, we get busy or tired and open an email without thinking about it. If you realize that you have fallen for a malicious message after replying to the email or clicking on a link, the best strategy is to no longer engage. Change your passwords if you used any while engaging with the scammers or on a site.

If you believe your identity has been stolen, file your complaint with the FTC and then visit the FTC's Identity Theft website. Victims of phishing can quickly become victims of identity theft.

If you believe that you are a victim of Identity Theft

Please note: the theft of a credit card (or credit card number) alone does not constitute identity theft (as determined by the FTC). You should, however, promptly call the financial institution and have the card number changed. You can also work out any erroneous charges on your account.

If you accidentally sent institutional data, or data about others, you should immediately report the incident to the University Information Security Office.