What is Phishing? (Encompassing Email, Phone & Text)
Phishing is the process of attempting to acquire sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity in an electronic communication. These most often take the form of an email asking for personal information, e.g. to “Reactivate a suspended account” or because your “Mailbox is full, login for help.”
Phishing emails often mimic the look and feel of an official email sent from an institution you trust, such as your place of employment (another employee’s infected account), a bank, university, or credit card company. Although most “phishes” come as email, phishing scams can also come in the form of text messages and phone calls.
If you are not sure whether the email is legitimate, DO NOT OPEN IT. Instead, email email@example.com, or call the company, bank, or university to verify that the email was, in fact, sent from them.
If it looks suspicious, it most likely is, and you can go ahead and block the sender if it came from an external source.
Remember: No university, bank, or company will ever ask you to verify personal information via email.
For more information on phishing, please visit the Security Website at
Components often found in Phishing Emails
- The sender is someone you don’t know who urges you to take immediate action, usually with some kind of threat
- Grammatical & spelling errors (but that’s improving)
- Email is NOT digitally signed
- URLs are hidden behind hyperlinked text such as “Click Here”
- Images within the email
Scam tactics are increasingly sophisticated and change rapidly. Even if a request looks genuine, be skeptical and look for these warning flags:
Determining email legitimacy
- If the sender claims to be an employee or student, look them up in the Sinai 1 Phone Directory. Otherwise, Google their name to see if they are who they say they are.
- Avoid opening attachments or clicking on any links until you know for a fact that this is a legitimate email.
- Avoid forwarding the questionable email to others asking them if they think it is a phishing email.
- If there are URLs or hyperlinks, hover the cursor over them, but DO NOT click. Your email client will display the actual URL, which gives you an indication of whether the link is legitimate.
- Phishing emails can embed malicious code behind an image that downloads automatically. Configure your email client NOT to display any images without asking first.
- Relatively advanced phishing emails can even tailor their content to the individual recipient.
- If you still have doubts about the legitimacy of the email, contact the help desk to follow the proper procedure for identifying the source of the email and its legitimacy.
Additional ways to Recognize Scams
- The message is unsolicited and asks you to update, confirm or reveal personal identity information (e.g., full SSN, account numbers, NetID, passwords, protected health information).
- The message creates a sense of urgency.
- The message has an unusual From address or an unusual Reply-To address instead of an “@mssm.edu”, “@mountsinai.org” or “@chpnet.org” address.
- The (malicious) web site URL doesn’t match the name of the institution that it allegedly represents.
- The web site address begins with “http://” rather than “https://”; the missing “s” indicates it is not a secure site.
- The link in the pop-up doesn’t match the printed text.
- The message is not personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
- There are grammatical errors.
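To make the From/Reply-To, URL and image checks in the two lists above concrete, here is an added Python example (not part of this page and not a Mount Sinai tool) that scans one raw email for those signs. The trusted domains are the three named above, the sample message is constructed, and a regular expression stands in for a proper HTML parser.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"mssm.edu", "mountsinai.org", "chpnet.org"}  # the domains named above
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def phishing_flags(raw_email):
    """Return the checklist warning signs that apply to one raw email message."""
    msg, flags = message_from_string(raw_email), []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if not _trusted(from_dom):
        flags.append(f"unusual From domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # First text/html part (the message itself when it is single-part).
    part = next((p for p in msg.walk() if p.get_content_type() == "text/html"), msg)
    body = (part.get_payload(decode=True) or b"").decode(errors="replace")
    for href, text in ANCHOR.findall(body):
        url, text = urlparse(href), re.sub(r"<[^>]+>", "", text).strip()
        host = url.hostname or ""
        if url.scheme == "http":
            flags.append(f"plain http link (no https): {href}")
        if not _trusted(host):
            flags.append(f"link host does not match the institution: {host}")
        if "://" in text and urlparse(text).hostname != host:  # printed text vs real target
            flags.append(f"displayed URL {text} hides the real target {href}")
    images = len(re.findall(r"<img\b", body, re.I))
    if images:
        flags.append(f"{images} embedded image(s)")
    return flags

# Constructed sample: the From domain looks right, but the other warning signs are present.
SAMPLE_PHISH = """\
From: IT Help Desk <helpdesk@mssm.edu>
Reply-To: support@mail-verify.example
Subject: Mailbox is full
Content-Type: text/html

<p>Your account is suspended. <a href="http://mssm.edu.verify.example/login">Click Here</a>
or visit <a href="http://login.example">https://www.mountsinai.org/account</a>.</p>
<img src="http://tracker.example/pixel.gif">
"""
print(*phishing_flags(SAMPLE_PHISH), sep="\n")
```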
IT personnel will never ask you for your password:
It is against IT policy to ask for someone’s password; please never give it out, even to help someone.
If you believe you were compromised, please reset your password immediately, either by calling the helpdesk (4-help) or your respective help desk, and report the IT Security Incident via the helpdesk.
To report a malicious email, click here for instructions.