
IT Services, Information Technology Services


Phishing Information

How to protect yourself from Phishing attempts

What is Phishing?

Phishing is a psychological attack used by cyber criminals to trick you into giving up information or taking an action. Phishing originally described email attacks that would steal your online username and password. However, the term has evolved and now refers to almost any message-based attack. These attacks begin with a cyber criminal sending a message pretending to be from someone or something you know, such as a friend, your bank, your company or a well-known store.

How it works

These messages then entice you into taking an action, such as clicking on a malicious link, opening an infected attachment, or responding to a scam. Cyber criminals craft these convincing-looking emails and send them to millions of people around the world. The criminals do not know who will fall victim; they simply know that the more emails they send out, the more people they will have the opportunity to hack. In addition, cyber criminals are not limited to just email but will use other methods, such as instant messaging or social media posts.

What is Spear-Phishing?

The concept is the same as phishing, except that instead of sending random emails to millions of potential victims, cyber attackers send targeted messages to a very few select individuals. With spear phishing, the cyber attackers research their intended target, such as by reading the intended victims’ LinkedIn or Facebook accounts or any messages they posted on public blogs or forums. Based on this research, the attackers then create a highly customized email that appears relevant to the intended targets. This way, the individuals are far more likely to fall victim.

Why should I care?

You may not realize it, but you are a phishing target at work and at home. You and your devices are worth a tremendous amount of money to cyber criminals, and they will do anything they can to hack them. YOU are the most effective way to detect and stop phishing. If you identify an email you think is a phishing attack, or you are concerned you may have fallen victim, contact your help desk or security team immediately.

Phishing Indicators:

  • Be suspicious of emails that request your password. The university Office of Information Technology (OIT) will NEVER ask for your password. An email that contains a link that requests your username and password is most likely a phishing attempt.
  • Check the email addresses. If the email appears to come from a legitimate organization, but the “FROM” address is someone’s personal account, such as or, this is most likely an attack. Also, check the “TO” and “CC” fields. Is the email being sent to people you do not know or do not work with?
  • The “REPLY TO” email address in some cases is an email address.  This field can be easily spoofed, and/or messages can be sent from an account that has already been compromised, so an “ from” address should not be considered a positive indicator of a legitimate message, but a address should always be considered an indicator that the message is phishing. There is no OIT Help Desk contact information included in the message: OIT messages will always contain this information.
  • Be suspicious of emails addressed to “Dear User” or that use some other generic salutation. If a trusted organization has a need to contact you, they should know your name and information. Also ask yourself, am I expecting an email from this company?
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique to rush people into making a mistake. Also, a legitimate organization will not ask you for your personal information.
  • Be careful with links, and only click on those that you are expecting. Also, hover your mouse over the link. This shows you the true destination of where you would go if you clicked on it. If the true destination is different than what is shown in the email, this is an indication of an attack.
  • Be suspicious of attachments. Only click on those you are expecting.
  • Be suspicious of any message that sounds too good to be true. (No, you did not just win the lottery.)
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may be compromised. If you get a suspicious email from a trusted friend or colleague, call them on the phone.

(This information is excerpted from a poster by SANS Institute. The poster can be downloaded here.)
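Several of the indicators listed above can be checked mechanically when triaging a reported message. The following Python code is an added example, not part of the original page or the SANS poster; the sample message, the `.example` hosts, the word lists and the function names are constructed for illustration. Flagging a Reply-To domain that differs from the From domain is an assumption drawn from the Reply-To indicator.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every address and host below is a placeholder.
SAMPLE = """\
From: "IT Help Desk" <helpdesk@university.example>
Reply-To: support@mailbox.example

<p>Dear User, immediate action is required. Confirm your password at
<a href="http://login.portal.example/verify">https://mail.university.example</a></p>
"""
# Assumed word lists for three indicators; URL_LIKE matches link text that is itself a URL or host.
PATTERNS = {"generic salutation": re.compile(r"\bdear (user|customer|member)\b", re.I),
            "urgency": re.compile(r"\b(immediate action|urgent|immediately)\b", re.I),
            "asks for password": re.compile(r"\bpassword\b", re.I)}
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

class LinkCollector(HTMLParser):  # collects [href, visible text] for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def domain(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    msg = message_from_string(raw)
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    hits = [name for name, pat in PATTERNS.items() if pat.search(body)]
    if msg["Reply-To"] and domain(msg["Reply-To"]) != domain(msg["From"]):
        hits.append("reply-to domain differs from sender")
    collector = LinkCollector()
    collector.feed(body)
    if any((m := URL_LIKE.match(t.strip())) and m.group(1).lower() != urlparse(h).hostname
           for h, t in collector.links):
        hits.append("link text differs from destination")
    return hits
```

Message parts are scanned without transfer decoding, so base64 or quoted-printable bodies would need decoding first. The link check is the scripted equivalent of hovering over a link to compare its displayed text with its true destination.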

For more information about global threats, visit:

A list of message subjects that have been used in recent phishing attacks against the university can be found here.

OIT will never ask you for your credentials, under any circumstances. Furthermore, we will never ask you to visit a website to validate your account. If you are unsure about a message, and it is not on the page above, please contact the OIT Help Desk (4-HELP or 303-724-3457) for clarification.

You can also send any phishing e-mail samples to so we can update our phishing protections.

© The Regents of the University of Colorado, a body corporate. All rights reserved.
