Malicious Emails & Phishing


Email is one of the most common ways for hackers to steal personal information and gain unauthorized access to systems. Your knowledge and awareness is the best defense against email attacks.

Generally, email messages fall into one of three types:

  1. Legitimate personal or business emails — Messages that the recipient wants or needs.
  2. Spam emails — Typically are selling a product or service, and while unwanted are otherwise harmless.
  3. Malicious emails — Seek to scam or defraud the recipient, or gain unauthorized access to personal data or systems.

Malicious Emails

Spam email can be annoying and require time and effort to manage; however, they typically don't present a significant security risk. Malicious emails, on the other hand, present a profound security risk and cost organizations and individuals billions of dollars each year.

Cyber-criminals use a variety of tactics in malicious emails, including:

  • Attachments or links that download and install malicious code to compromise systems.
  • Links to fraudulent websites that gather personal information, such as username and passwords.
  • Scams that fool the recipient into sending money or other items of value.
  • Ransom messages that extort the recipient to provide money or take other actions.

What is Phishing?

Phishing refers to malicious emails that try to trick you into giving out confidential personal information (e.g., credit card and bank account numbers, Social Security number, passwords, etc.) by impersonating a legitimate organization, offering a chance to win a prize if you register, etc.

Phishing messages may appear to be from organizations you do business with (e.g., banks, software companies, healthcare, etc.) or work for. They might threaten to close your account or take other action if you don’t respond.

Legitimate organizations, including KU, will never ask you to provide a password or full Social Security Number in an email or in an unsolicited phone call.

Criminals are thinking up new phishing attacks all the time. These are just a few examples of common phishing messages:

  • "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
  • “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
  • “You have won a free $500 Walmart gift card. Click here to collect your card."
  • “Test the new iPad and keep it when you’re finished. Just use the iPad and tell us what you think. Call us to become part of this exclusive test.”

Report Suspicious Emails

"Screenshot of Report Message button"

Use the "Report Message" button in Outlook or forward suspicious messages to abuse@ku.edu.


How to Protect Yourself

Here are some strategies to protect yourself and KU from phishing and social engineering attacks:

  • Don't open unsolicited or suspicious email attachments
  • Don't follow any instructions or requests unless you are sure of the sender
  • Learn to Spot Phishing/Social Engineering:
  • Look for misspelled words
  • Check to see if the email address matches the sender
  • Check to see if the URL in links matches the sender
  • Think twice before clicking on links in emails. Verify the destination of links by hovering over the link and looking at the URL in the pop-up.
  • Remember, legitimate organizations, including KU, will never ask you to provide confidential personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call. Unless you initiated the request, assume an email or phone call asking for confidential personal information is a phishing attempt. When in doubt, call the organization directly to verify legitimacy of the request.

Oops, I think I was Tricked!

If you think you've been tricked into divulging confidential information, don't panic. Phishing attacks want you to panic and act without thinking.

If the message came to your KU email account:

  • Immediately contact the KU IT Customer Service Center at 785-864-8080.

If the suspicious message came to your personal account:

  • Immediately change passwords for any accounts that may have been compromised.
  • Immediately contact the organization related to the confidential information you may have divulged (i.e., your bank, credit card company, etc.).
  • Review your accounts for any unauthorized activity.
  • Contact the organization that was being impersonated directly to inform them of the attack and regain control of your account.
  • Enable two-factor authentication on your accounts that provide it.
  • Report the fraud to the Federal Trade Commission.