Phishing

External email tagging is a new feature in Outlook that's rolled out campus-wide! When you receive an email that is coming from a domain that is not affiliated with UC Merced (@gmail.com, @bananas.com, etc.), a small tag will appear in the email letting you know that the email came from an external source.  

Important: Just because an email came from an external source, does not mean that it is automatically bad. However, if an email comes from an external source and shows any signs of phishing (noted below), there is a good chance that it is a phish and should be reported.

Checking the from name and email address is a great way to spot a phish! Changing the from name is an extremely common tactic called "spoofing", so it is important that you take the time to look at the email address of the sender as well. Make sure that the email address and name combination makes sense, and also make sure to check for any spelling mistakes or additional/less characters in the email address.

Legitimate emails, especially those from large companies or businesses, rarely have spelling or grammatical errors. Brands and corporations simply wouldn't allow that! If you spot an email that has a multitude of spelling errors, or just sounds grammatically incorrect, double check the email address of the sender. When in doubt, as a friend or co-worker to take a look at the email too! Asking for help can help you avoid a lot of headache in the future!

Take some time to check how you are greeted in the email? Are you greeted by name, or are you greeted with an extremely generic salutation (i.e., "Dear User, Hi Valued Customer")? Legitimate businesses will often address you by name or by surname. Think about how you would write an email to a coworker, professor, or friend. You wouldn't write a generic salutation to them, so if you receive an email from someone that has a generic greeting, double-check the contents of the email. At UC Merced, emails will also often come with additional security information, such as a student id number, or a signature including the name of the department the email was sent from. Legitimate emails will usually also contain UC Merced branding.

Hackers can embed viruses or malware into attachments in an email! Upon downloading or opening them these malicious files can have the potential to steal your passwords, your private information, and even spy on you! To combat this, always verify an email is coming from a trusted source before clicking on any links or attachments. If you are ever in doubt about an emails legitimacy, double check with a friend or report the email. If you can, run any downloaded files through a virus checker, or preview the file in your web browser, without actually opening it. (Fun fact: If you try to open a file such as a pdf or image in your web browser, and it cannot be opened, there is a chance that the file is actually not what it seems as most modern browsers can handle opening basic file types).

Hackers love to embed malicious links with fake text. A link that says "ucmerced.com" may actually link to a completely different website. To expose this fraud, stop and take time to hover your mouse over the link. Your browser will usually show you the full URL. If the URL matches the title or is linking to a trusted source than you can go ahead and click. NEVER click on a link from an unknown source, without verifying its destination first!

Nobody should be threatening you in an email. In fact, it is against UC Merced's policies to do so. If you ever receive an email that is threatening you, immediately report it to a trusted adult or supervisor. Hackers know that sending an email that promotes fear is a way for them to get what they want. Similarly, if an email seems overly urgent, stop and take some time to review what the email is asking of you. Hackers know that if you feel pressured you are less likely to think things through and instead opt to just do whatever the email says without stopping to think. By stopping and reviewing the email carefully, you can avoid being phished. Remember, an extra few minutes is not going to be the end of the world, even if the email is from a legitimate source.

The signature line is another great place to spot phishing attacks. Check to see if the signature of the email contains any contact information or at least a name. Most legitimate businesses will have a signature containing the name of the person as well as the company they work for. It will also contain contact information such as a phone number or a link to the company website. If there is no contact signature, make sure that the name of the person sending the email is spelled right. At UC Merced, most staff members will often include a signature with the UC Merced logo, as well as their department information, so look out for those when you receive an email.