Carnegie Mellon University

Phishing and Spam Emails

While there are many tools in place to filter and block a large volume of phishing and spam emails, some of these messages may still be delivered to your inbox. Make sure you understand the difference between a spam email and a phishing email, and how to handle each type of message.


Spam emails are unsolicited and irrelevant commercial emails sent in bulk to a large number of recipients. Oftentimes spam messages are from a company trying to sell you something. While these emails can be a nuisance, they are not considered malicious.

Examples of Spam:

  • Advertising (retailers, dating sites, online pharmacies, gambling)
  • Get rich quick schemes (You've Won!)
  • Hoax virus warnings
  • Chain emails

Received a Spam Email?

If a spam email is delivered to your inbox, you can report it to the Help Center by forwarding the message to


Phishing is a malicious attempt to obtain sensitive information by posing as a trustworthy website, person, or company. Personal information such as a password, credit card, bank account number, Social Security Number, etc. is an example of what attackers in a phishing campaign might seek.

Examples of Phishing:

  • Request personal information
  • Direct users to open a link or unexpected attachment
  • Verify account information and/or password
  • Convey a sense of urgency

Received a Phish Email?

If you received a message that you believe is phishing, follow the steps below to report it to the Information Security Office (ISO).

  1. Obtain the message headers from the email in question. This information allows the ISO to investigate how the email entered the environment and to prevent future phishing emails from being delivered to campus.
  2. Forward the phishing email and message headers to
  3. Delete the phishing email.

* If you are using Gmail in a web browser, you can forward phishing emails to the ISO using PhishAlarm.