the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers

Phishing is an illegal way that criminals gather private information for the purposes of sending spam, sending phishing e-mails, logging onto university systems and in some cases commit identity theft. They use fake emails to trick people into submitting their personal information such as Social Security numbers, passwords, credit card numbers and bank accounts.

Spear phishing targets individuals or an organization.

Gil the Phish Drops the Bait

How to Identify a Phishing Email

Phishing often comes in the form of unexpected email from an unknown financial institution, government agency, corporation, or mail carrier. 

Characteristics of the communication can include:

  • Urgent response required
  • Grammar or language errors
  • Requests for passwords, credit card numbers, bank account information
  • Unusual email address

Safety Tips

  1. Don’t click.
    Instead of clicking on any link in a suspicious email, type in the URL, or do a search on for the relevant department or page. Even though a website and/or URL in an email looks real, criminals can mask its true destination.
  2. Keep your information private. 
    Never give out your passwords, credit card information, Social Security number, or other private information through email.
  3. Know what’s happening.
    Visit the Information Security Office Alerts page often to get the latest WashU Information Security Alerts. 
  4. Pick up the phone.

    If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!”, use pressure tactics or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the WUSTL directory.

  5. Use secure websites.

    Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https://” rather than just “http://” in the Web address bar or for the small lock icon in the Internet browser.

  6. Pay attention to security prompts.

    If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be a good time to pick up the phone or report a suspicious message.

  7. Keep track of your data.

    Regularly log onto your online accounts and make sure that all your transactions are legitimate. If you are a victim of an email scam, report it to your IT department, the ISO, or HIPAA Privacy Office.

  8. Review your account statements.
  9. Reset any account passwords that may have been compromised.

What To Do if You’re a Victim

Report. When you receive a suspicious email ask or call before you click.  Please report phishing emails using the Phish Alert Button (PAB) from your Outlook account.