Phishing and Spam


Phishing is an illegal way that criminals gather private information for the purposes of sending spam, sending phishing e-mails, logging onto university systems and, in some cases, committing identity theft. They use fake emails to trick people into submitting their personal information such as Social Security numbers, passwords, credit card numbers and bank accounts.

Spear phishing targets individuals or an organization.

When you receive a suspicious email, ask or call before you click. Report phishing emails to for the ISO to review the message.


An overwhelming amount of email received daily by the university community is classified as spam, or unsolicited email.

Instructions on how to report SPAM are available on SPAM Filtering.

How to identify a phishing email

Phishing often comes in the form of unexpected email from an unknown financial institution, government agency, corporation, or mail carrier.

Characteristics of the communication can include:

  • Urgent response required
  • Grammar or language errors
  • Requests for passwords, credit card numbers, bank account information

View examples of recent phishing emails.

Protect yourself against phishing fraud and malicious files

Never give out your passwords, credit card information, Social Security number or other private information through email. Even if the email seems authentic or alarming, do not reply.

1. Don’t click.
Instead of clicking on any link in a suspicious email, type in the URL or do a search for the relevant department or page. Even though a website and/or URL in an email looks real, criminals can mask its true destination.

2. Pick up the phone.
If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!”, use pressure tactics or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the WUSTL directory.

3. Use secure websites.
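Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https://” rather than just “http://” in the Web address bar or for the small lock icon in the Internet browser. The “https://” and lock icon show that the connection is encrypted, not that the site belongs to who it claims, so also check that the domain name in the address bar is the one you expect.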

4. Pay attention to security prompts.
If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud and would be a good time to pick up the phone or report a suspicious message.

5. Keep track of your data.
Regularly log onto your online accounts and make sure that all your transactions are legitimate.

If you are a victim of an email scam, report it to your IT department, the ISO or HIPAA Privacy Office.

6. Review your account statements

7. Reset any account passwords that may have been compromised.