skip to main content
Caltech
Information Management Systems and Services
IMSS  /  Services  /  Information Security  /  Security Issues  /  Common Scams  /  Phishing scam example

Phishing scam example

Phishing scam example

Most people will easily recognize this example as a fake. Nevertheless, these continue to proliferate because scammers can count on that one distracted, busy, or inattentive user out of many thousands to fall for it. Don't be that one!

bad

Pay attention to the sender and the subject
Phishing messages can come from a fake sender address or from a stolen account, so an @caltech.edu sender address does not mean the message is safe. However, this particular message purported to be official institute IT business, yet came from an outside [stolen] email account (we've changed the email address in the sample image for that person's privacy). Additionally, these types of scams commonly use capitalized subject lines with urgent language to attempt to scare victims into acting quickly, without thinking.

Poor spelling and grammar should raise a red flag
While you may encounter legitimate messages with mistakes, and a scam message could be very well written, it's quite common that these kinds of scams are riddled with spelling mistakes and poor grammar.

Recognize and avoid deceptive web links
Similar to how the text portion of a link can say "click here" while the destination is a web site address, the link text in this case is crafted to appear to be an official support/helpdesk link, but that is actually only the text portion. The link revealed when hovering over that text is completely different. Be wary when the link text does not match the actual destination for a link, and be especially wary when the link destination is not a website you recognize.

Be particularly wary of a questionable or even ridiculous call to action
Perhaps the most blatantly obvious indicator that this is not a legitimate message is the assertion that "you need to log on service desk tickets to help fasten our investigating". The scammers are counting on users simply ignoring the message and going straight to the link. Slow down: if you don't know why you're being asked to log in, don't do it. Better yet, avoid logging in using links sent to you via email. Where possible, log in using a bookmark or navigate to the site via your web browser (for example, by going to the access.caltech web portal).

Close
Avoid common scams
Avoid common scams