During the first week of classes, Indiana University blocked more than 7.1 million malicious emails. What are malicious emails? How are they blocked? How do some slip through the cracks? What do you do if you’ve been phished?
Malicious emails range from common spam to messages that contain malware or try to convince you to give up your credentials to access your information or finances.
“They all range from mildly irritating to very dangerous,” Jason Williams, chief information security officer for IU’s University Information Security Office, said.
Most malicious emails are blocked well before they reach your inbox. This is most commonly done through filters, which block messages based on keywords, messages sent from suspicious or compromised accounts, and messages that are part of widespread spam campaigns.
However, these filters don’t stop every malicious message because spammers and scammers work constantly to update their messages to avoid detection.
“This is what they do. Their full-time job is stealing your stuff,” Williams said.
What to do if you receive spam: report it
If you see a suspicious email in your IU account, you can report it by selecting the Report Message icon in Microsoft Outlook under the Home ribbon, Williams said. This lets both IU and Microsoft know that the email may be malicious, so that they can take action to prevent it from reaching others. Or you can forward it to firstname.lastname@example.org.
Once you’ve reported the message, delete it. Using the Report Message tool in Outlook will automatically delete it.
Additionally, emails that say something is “urgent” or that your account will be deleted if you don’t act quickly are most likely scams.
“Think about it, if a person knocked on your door and said you had to do something immediately, you’d be pretty suspicious,” Williams said. “It’s the same for emails.”
For more information about how to spot phishing messages, visit phishing.iu.edu.
What to do if you click on a phish
“If you do fall for malicious email, know that it happens to everybody,” Williams said. “We all get busy. We all get tired, and we get an email and we’re not thinking about it or not looking at it very well. And we click on a link, or we open an attachment, or we reply to that message and then you realize that you’ve actually fallen for a phish or a piece of spam.”
“The best thing you can do is disengage,” Williams said. “Stop engaging with the spammer and close the website down. Be on the lookout for suspicious behavior on your computer and computing accounts, and if you used your password anywhere on the site, you should change your password.”
It’s important to use your best judgment if you have fallen for a phishing scam, Williams said. Recognizing what kind of information a malicious actor may have is important to ensuring your safety.
“For example, if it’s something that puts IU or IU information at risk,” Williams said, “you want to focus on securing your IU account by calling the UITS Support Center or contacting email@example.com. It doesn’t mean they’re going to have your Facebook or Instagram or your bank account information.”
However, it is possible that you can be influenced or tricked into installing malicious software on your computer.
“If they’ve asked you to install something on your computer, and this happens a lot where you get an email from a fake Microsoft or a fake vendor, you should be thinking at that point: Well, they’ve got access to my computer. What can they get to on my computer? Anything at that point is fair game.”
“It happens to everybody. So, don’t be ashamed to reach out and ask for help,” Williams said. “Don’t be ashamed to call your bank. Don’t be ashamed to call whoever you need to, like your credit card company, to change your stuff because they hear it all day, every day. It happens to everybody.”