Skip to main content

Cornell University

IT@Cornell

Spot Fraudulent Emails (Phishing)

Tips for spotting email scams; report them with PhishAlarm.

This article applies to: Alumni and Visitors , Faculty , Security & Policy , Staff , Students

On This Page

Confirm the Source

Verify that the message is coming from the person's real email address. In email readers and devices that do not display the actual address, hover over the Sender’s name to reveal what follows the @ symbol. Scammers frequently attach a real person's name to a fraudulent email address. You can also investigate the Sender’s address by checking the email headers

Consider the Content

If you receive an unexpected message that asks you to click a link or take other unusual actions such as buying them a digital gift card or making a payment for them, check the Phish Bowl and Verified Communications to see if messages like this one are listed either as scams or as authentic university messages. Still not sure? Contact the sender by phone or chat and ask if they sent the message. You can also ask your local IT support staff or the IT Service Desk

  • 2024 Update: PhishAlarm, a new faster way to report suspicious email to the IT Security Office was made available on all Gmail web and Outlook web, desktop, and mobile interfaces. 

  • Some phishes (fraudulent emails) targeting Cornell are listed at the IT@Cornell Phish Bowl

  • Some trusted emails from departments are listed at Verified Cornell Communications

  • If the request appears to be from a Cornell department, look up that contact information separately, using Search Cornell, and reach out to determine if they sent the message. 

  • If the email isn’t listed at Verified Cornell Communications, and you don’t get a timely response from the department, contact the IT Service Desk for help. 

  • If the email appears to be from a service provider outside Cornell, such as your bank, PayPal, eBay, or a credit card service, look up their contact information separately using a trusted source (the 800 number on the back of your credit card or by searching for the service’s official website at a trusted search engine). 

  • Use the Phish Bowl - a small collection of phish - to see examples of fake emails that have been spotted at Cornell. 

Practice Constant Vigilance

The following clues are not comprehensive. Increasingly, generative AI tools allow scammers to craft more professional messages. It is easy to be lulled into believing an email that is well written or appears to be coming from a Cornell leader (see Whaling). As a famous fictional character advocates, practice “constant vigilance.” 

  • Poorly written. It may be written with ALL CAPS, have spelling and grammar errors, or may seem fragmented.
  • Asks you to send personal information (Social Security, credit card, bank account, or phone numbers, passwords, date of birth, address, etc.).
  • Tries to scare you into reacting by creating a sense of urgency with exclamation points, words like “immediately,” or threatening to close an account.
  • Offers something that's too good to be true.
  • Has a From address that doesn’t make sense or doesn't match the domain where it really came from. In email readers and devices that do not display the actual address, hover over the Sender’s name to reveal what follows the @ symbol.
  • Requests money for disaster relief or another cause.

Report Scams with PhishAlarm

Report all suspicious messages to the IT Security Office using the new PhishAlarm button in your email reader. You are Cornell’s first line of defense against bad actors and your alerts help the IT security engineers block malicious senders before they reach more Cornell community members. In addition, we can add those reported messages to the examples on this page.

PhishAlarm, first piloted in February 2024, is now available on all Cornell provided Gmail web and Outlook web, desktop, and mobile interfaces.

The button appears in different places, depending on your device and interface. For additional details, see the PhishAlarm instructions page.

Inspect Links before Clicking

Microsoft Safe Links protects you from malicious links sent to your Cornell Microsoft Outlook mailbox, as well as links in Microsoft Teams and Microsoft Office desktop, mobile, and web applications where you are signed in with your NetID.

If you're using another email service, don’t assume that what you see is where you’ll go when you click links in those email messages.

If the link appears to go to a Cornell webpage, make sure the first chunk of the address (after the https or http part) ends like this: cornell.edu/ --there should be nothing between cornell.edu and the slash (/). All authentic Cornell web pages place the cornell.edu before the slash. And before opening a shortened links, hover over it to see what's hidden beneath.

As criminals gain access to more information about people, fraud attempts become more sophisticated and narrowly targeted. These are some of the most common scams.

Authentic:

False Front:

Short Links:

Expect More Phishing Messages

Criminals continue to leverage the rapid technology evolution and consumers’ use of technology-driven social and business channels and devices to harvest personal data and produce increasingly authentic-looking conversational, marketing, and threatening fraud campaigns. The following list includes common scams, but there are many more. 

  • Gift card scams: do not buy gift cards without first validating the purchase with your supervisor over a phone or video call.
  • Job and internship scams
  • Whaling phishes that appear to come from Cornell's top leaders or are aimed at them
  • Messages targeted to stir your emotions: threats, a false sense of urgency, or a deal that's too good to be true.
  • Faked Zoom links (Cornell meetings always start with https://cornell.zoom.us/).
  • Faked websites and email addresses that look similar to legitimate popular websites, such as eBay, Amazon, or personal banking sites.
  • Faked CUWebLogin pages
  • Faked Duo (Two-Step Login) pages
  • Messages claiming to be from a Cornell office or official, requesting personal information and passwords.
  • Invitations to see photos of family or friends, greeting cards, or pleas for disaster relief assistance.

Contact IT Security if You are Tricked

Report immediately if you believe you have been tricked into clicking a potentially dangerous link or attachment. Contact Cornell's IT Security Office at [email protected]

If you think your Cornell NetID was compromised, immediately change your password, then contact the IT Security Office.

Comments?

To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.

OSZAR »