Cornell University

Spot Fraudulent Emails (Phishing)

Tips for spotting email scams; report them with PhishAlarm.

This article applies to: Alumni and Visitors, Faculty, Security & Policy, Staff, Students

Step One Is Always Confirm the Source

Verify that the message is coming from the person's real email address. In Outlook, you need to hover over the name to see the email address. One of the most common tricks scammers use is to attach a real person's name to a fraudulent email address.

If you receive an unexpected message that asks you to take action by clicking a link or to do something unusual like sending a gift card, check the Phish Bowl and Verified Communications to see if it’s listed there. Still not sure? Call the sender by phone and ask if they sent the message, or ask your local IT support staff or the IT Service Desk.

  • Some phishes (fraudulent emails) targeting Cornell are listed at the IT@Cornell Phish Bowl.
  • Some trusted emails from departments are listed at Verified Cornell Communications.
  • If the request appears to be from a Cornell department, contact the department using the phone number you find when you look it up at Search Cornell.
  • If the email isn’t listed at Verified Cornell Communications, and you don’t get a timely response from the department, contact the IT Service Desk for help.
  • If it appears to be from a service outside Cornell, such as your bank, PayPal, eBay, or a credit card service, look up their contact information using a trusted source (the 800 number on the back of your credit card, or the service’s official website found through a trusted search engine).
  • Use the Phish Bowl to see some phishing (fake) emails that have been spotted at Cornell.
  • 2024 Update: PhishAlarm, a new, faster way to report suspicious email to the IT Security Office, was made available on all Gmail web and Outlook web, desktop, and mobile interfaces.

Obvious Clues That May Indicate an Email Is a Scam

Beware a false sense of safety. The lack of any of these signs does not guarantee that an email is legitimate! Whaling phishes that target Cornell leaders are often well-written and make reasonable requests.

  • Poorly written. It may be written with ALL CAPS, have spelling and grammar errors, or may seem fragmented.
  • Asks you to send personal information (Social Security, credit card, bank account, or phone numbers, passwords, date of birth, address, etc.).
  • Tries to scare you into reacting by creating a sense of urgency with exclamation points, words like “immediately,” or threatening to close an account.
  • Offers something that's too good to be true.
  • Has a From address that doesn’t make sense or doesn't match the domain where it really came from. In Outlook, you need to hover over the name to see the email address.
  • Requests money for disaster relief or another cause.

Common Scams

As criminals gain access to more information about people, fraud attempts become more sophisticated and narrowly targeted. These are some of the most common scams.

  • Gift card scams: do not buy gift cards without first validating the purchase with your supervisor over a phone or video call.
  • Job and internship scams
  • Whaling phishes that appear to come from Cornell's top leaders or are aimed at them
  • Messages targeted to stir your emotions: threats, a false sense of urgency, or a deal that's too good to be true.
  • Faked Zoom links (Cornell meetings always start with https://cornell.zoom.us/).
  • Faked websites and email addresses that look similar to legitimate popular websites, such as eBay, Amazon, or personal banking sites.
  • Faked CUWebLogin pages
  • Faked Duo (Two-Step Login) pages
  • Messages claiming to be from a Cornell office or official, requesting personal information and passwords.
  • Invitations to see photos of family or friends, greeting cards, or pleas for disaster relief assistance.

Hover over URLs before You Click

Microsoft Safe Links protects you from malicious links sent to your Cornell Microsoft Outlook mailbox, as well as links in Microsoft Teams and Microsoft Office desktop, mobile, and web applications where you are signed in with your NetID.

If you're using another email service or following links in another way:

Don’t assume that what you see is where you’ll go when you click. If you’re expecting a link to go to a Cornell webpage, make sure the first chunk of the address (after the https or http part) ends like this: cornell.edu/ with nothing between cornell.edu and the slash. Watch out for fake pages that have tricky endings like this one: .net/cornell.edu (it’s a fake because “cornell.edu” is after the slash, instead of before it).

In many browsers and email programs, hovering over a link (without clicking) lets you see the ACTUAL URL for the link. If the underlying link is different, be very cautious. As an example, hover over the following link and look for the real link to display in your browser (often in the bottom left corner): www.icecream.edu.
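The two checks above (where the address really ends, and whether the visible link text matches the underlying link) can be automated. The following is an added example, not part of the original article or any Cornell tool; the function names and sample URLs are constructed for illustration, and only cornell.edu and cornell.zoom.us come from this page.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "cornell.edu"   # domain named on this page
ZOOM_HOST = "cornell.zoom.us"    # Zoom host named on this page

def link_host(url):
    """Return the lowercase host a browser would connect to, or "" if unparseable."""
    url = url.strip().replace("\\", "/")   # browsers treat "\" like "/" in web URLs
    if "://" not in url:
        url = "http://" + url              # bare text such as "www.example.edu"
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def is_cornell_link(url):
    """True only when the host itself is cornell.edu or a subdomain of it."""
    host = link_host(url)
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def is_cornell_zoom(url):
    """True only for https links whose host is exactly cornell.zoom.us."""
    return url.strip().lower().startswith("https://") and link_host(url) == ZOOM_HOST

def text_hides_target(visible_text, href):
    """True when link text looks like a URL but names a different host than href."""
    text = visible_text.strip()
    if " " in text or "." not in text:
        return False                       # ordinary wording, not a URL-looking label
    return link_host(text) != link_host(href)

# Constructed sample links; none are taken from real messages.
SAMPLES = [
    "https://www.cornell.edu/",
    "https://login.example.net/cornell.edu",   # cornell.edu after the slash
    "https://cornell.edu.example.net/",        # cornell.edu is not the ending
    "https://cornell.edu@example.net/",        # cornell.edu is only a username
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:42} host={link_host(s):24} cornell={is_cornell_link(s)}")
```

Only the first sample is accepted; the other three contain "cornell.edu" somewhere in the address but resolve to a different host.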

Also, be cautious of any link that doesn’t clearly indicate where it leads. Hover over the links below to see what's hidden beneath:

Watch Out for Forged Email Addresses

From addresses in emails are more complicated to check, but they are very EASY to fake. Anybody can make a message look like it came from someone you trust just by setting the Display Name. In Outlook, you need to hover over the name to see the email address.

For example, an email may look like it’s from “Cornell Workday Notice” but on closer inspection, the email address is imacrook @ isteallstuff.com. You can investigate whether an email address is real by checking the email headers.
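The header check described above can be scripted for a saved message. This is an added example, not part of the original article; the function names, finding codes, and the Reply-To address are assumptions made for illustration, while the display name and From address reuse the example from this page.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "cornell.edu"   # domain named on this page

def addr_domain(address):
    """Return the lowercase domain part of an email address."""
    return address.rpartition("@")[2].strip().lower()

def from_header_findings(raw_message):
    """Return a list of mismatch codes for the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr_domain(addr)
    trusted = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    findings = []
    if "cornell" in name.lower() and not trusted:
        findings.append("name-claims-cornell")        # name says Cornell, address does not
    if "@" in name and addr.lower() not in name.lower():
        findings.append("name-embeds-other-address")  # an address typed into the name
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and addr_domain(reply) != domain:
        findings.append("reply-to-differs")           # replies go to another domain
    # An empty list only means these checks found nothing; the From header
    # itself can be forged, so it is not proof that the message is genuine.
    return findings

# Constructed sample built from the example on this page; example.org is a placeholder.
SUSPICIOUS = (
    "From: Cornell Workday Notice <imacrook@isteallstuff.com>\n"
    "Reply-To: payroll-help@example.org\n"
    "Subject: Action required\n"
    "\n"
    "Constructed body.\n"
)

if __name__ == "__main__":
    print(from_header_findings(SUSPICIOUS))
```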

What to Do If You Responded to a Suspicious Email

Report immediately if you believe you were tricked into clicking a potentially dangerous link or attachment. Contact Cornell's IT Security Office at itsecurity@cornell.edu.

If you think your Cornell NetID was compromised, immediately change your password, then contact the IT Security Office.

Report Suspicious Email with PhishAlarm

PhishAlarm, a new faster way to report suspicious email to the IT Security Office, is now available on all Gmail web and Outlook web, desktop, and mobile interfaces.

The button appears in different places, depending on your device and interface. Examples and additional details can be found on the PhishAlarm instructions page.
