Carnegie Mellon University


Phishing is a malicious email attempt to obtain sensitive information by posing as a trustworthy website, person, or company.

Phishing is a form of social engineering that uses legitimate-looking email or fraudulent websites to encourage users to give up personal data or information, such as Social Security numbers, credit card numbers, passwords, etc. It is an attempt to acquire sensitive information about you and could lead to identity theft.

Phishing emails are typically sent to a large group of individuals and appear to come from trusted websites, like a bank, credit card company, social networking site, or an online store. Phishing messages often tell a story and attempt to trick you into clicking on a link or opening an attachment.

Types of Phishing

Spear Phishing: Targeted, sophisticated phishing messages personalized to victims. Spear phishers learn about the victim by spying on their personal email, social media and other online habits. The perpetrators use the information they have gathered to portray themselves as a legitimate entity and create messages tailored to your interests in order to steal personal information such as your Andrew ID and password.

Vishing: Phishing conducted over the phone by scammers posing as a trustworthy entity in an attempt to convince the target to take action. Listen to a recorded vishing message.

Smishing: Phishing conducted via SMS text messages. Smishing is a security attack in which the user is tricked into downloading malware onto their smartphone or device.

Business Email Compromise: A form of phishing attack in which a criminal impersonates a person of authority such as an executive, president, supervisor, dean, etc. The scammer attempts to get an employee or vendor to transfer funds or sensitive information.

Learn to Spot Phish

Although identifying phishing emails can be difficult, there are indicators that, if spotted, can help prevent an account compromise or identity theft. It can be helpful to focus on one part of an email at a time. Each part offers its own set of clues and questions to ask.

Analyze the Sender Details: Who sent the email and when was it sent? Was this message expected? Would this person typically send an email like this?

  • Confirm the Sender's Identity: The display name of the sender can be spoofed to look like a legitimate person or organization. Hover over the name or double-click the email name to view the actual email address.
  • View the date and time of the message: Is it ordinary for this person to be sending this type of message at this time?

Analyze the Context: What is the purpose of the email? Is it personalized?

  • Beware of Urgent Subject Lines: Invoking a sense of urgency or fear is a common phishing tactic used by scammers. Be cautious of subject lines and message content that invoke a sense of urgency or fear.
  • Look Out for Generic Salutations: If the message is from a supposed familiar source, but contains a generic greeting and signature, it could be a sign of a phish.

Analyze the Content: What is the tone of the email? Does the message contain a call to action?

  • Think Before you Click: Don't click on links or download attachments from unknown sources, especially when they're unexpected. A website address might look perfectly valid, but when you hover your cursor over the link, a different URL may display altogether.
  • Protect Your Credentials: Carnegie Mellon University and other legitimate organizations will never ask you to verify your personal credentials via email or over the phone. Be wary of unsolicited requests for personal information.  
  • Trust Your Instincts: If you receive an unexpected email from a seemingly trustworthy source that seems out of character, don't respond to the email. Instead, reach out directly to the individual through a trusted channel to confirm the message. Never respond directly to a suspicious email.

Examples of Phishing 

View examples of phishing emails sent to the CMU Community.

Check the Full URL

Security tips on how to view the full URL on a computer, smartphone, and device.

Shortened URL Security Tips

How to check a shortened URL, and best practices for using shortened URLs.

Look Before You Log In 

Learn what to look for to help spot fake CMU login pages that many scammers use in phishing.

Phishing Quiz

Identifying phishing can be harder than you think. Can you spot when you're being phished? Try the Google phishing quiz to test your skills!