What is phishing and how to spot a potential attack

Phishing attacks are attempts to socially engineer recipients into either installing malicious software meant to steal private data or giving up personal information. Such attacks can incorporate phone calls, text messages, 'spoofed' e-mails, and/or fraudulent websites, all of which are designed to fool recipients into divulging personal data such as account usernames and passwords, Social Security numbers, credit card numbers, etc. If attackers get that information, they could gain access to your email, bank, or other accounts.

Phishing emails and text messages may:

  • Look like they’re from a company you know or trust.
  • Tell a story to trick you into clicking on a link or opening an attachment. They may say they’ve noticed some suspicious activity or log-in attempts, claim there’s a problem with your account or your payment information, or say you must confirm some personal information. See the Safe Browsing Guide for tips on identifying suspicious sites. 
  • Contain spelling mistakes and poor grammar.
  • Use threats or a sense of urgency.

What is spear phishing

Spear phishing is targeted phishing, often aimed at executives and employees with access to confidential data. Be wary of any email asking you to reply with account information or click on a link, especially if the message is written to sound urgent. Be especially suspicious of urgent requests for money from a colleague or friend, too. Confirm the legitimacy of such a request by a different communication method. (For example, if you receive an email requesting funds, call the supposed sender to verify.)

Use button to "Report Phish"

Report any suspicious email using the Report Phish to Duke button found in all Outlook email clients.

Duke staff, faculty and students can report suspicious emails with one click of a button.

The “Report Phish to Duke” button is in all Outlook email clients (Windows, Mac, Web, Android and iPhone). Duke’s information security offices encourage users to use the button instead of emailing to report suspicious emails.

The button is part of the Proofpoint service in use at Duke for protecting accounts against malicious links and attachments in emails (See KB0024212 and the Proofpoint Targeted Attack Protection Service page).

More information about using the button is available online in the Duke KnowledgeBase: KB0031840

Beware Common Social Engineering Scams

What the Attackers Say

In email impersonation phishing scams, attackers attempt to impersonate Duke staff.

1. The attacker registers an email address outside of Duke (such as Gmail) that appears to be a personal email account for the person they're impersonating.

2. Using publicly available information to determine targets, the attacker then sends a message to users they suspect may work with the person they're impersonating. These messages often begin with a simple request such as "Are you available?" or "May I ask a favor of you?".

3. If the user responds to the message, the attacker will respond to begin the fraud. Typically this will lead to them asking for money to be transferred or for gift cards to be purchased and the activation code provided via email. The attacker may attempt to move the conversation to text.
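
The three steps above leave recognizable traces in a message: a staff member's display name on an outside address, a short probing opener, and a payment request. The following is an added example, not part of the original page or of any Duke or Proofpoint tooling, that checks a message for those indicators. The domain example.edu, the staff names and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"  # assumption: placeholder for the institution's mail domain
STAFF = {"jordan rivera", "casey morgan"}  # constructed directory of names to protect
OPENERS = ("are you available", "may i ask a favor")  # openers quoted in step 2
PAYMENT = ("gift card", "wire transfer", "activation code")  # requests from step 3
TITLES = {"dr", "prof", "mr", "ms", "mrs"}

def norm_name(display):
    """Lower-case, drop punctuation and titles, turn 'Last, First' into 'first last'."""
    if "," in display:
        last, first = display.split(",", 1)
        display = f"{first} {last}"
    words = re.findall(r"[a-z]+", display.lower())
    return " ".join(w for w in words if w not in TITLES)

def is_internal(addr):
    """True only for the organisation's domain or a subdomain of it."""
    domain = addr.rpartition("@")[2].lower()
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def assess(raw):
    """Return the impersonation indicators found in one plain-text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    hits = []
    if norm_name(display) in STAFF and not is_internal(addr):
        hits.append("staff-name-external-address")
    if any(p in body for p in OPENERS):
        hits.append("probe-opener")
    if any(p in body for p in PAYMENT):
        hits.append("payment-request")
    return hits

# Constructed sample messages (not real mail).
SAMPLES = {
    "spoof": 'From: "Rivera, Jordan" <jordan.rivera.office@gmail.com>\n'
             "Subject: Quick request\n\nAre you available? I need gift cards today.\n",
    "legit": "From: Jordan Rivera <jordan.rivera@example.edu>\n"
             "Subject: Agenda\n\nAgenda attached for Monday.\n",
    "stranger": "From: Pat Lee <pat@vendor.example>\n"
                "Subject: Invoice\n\nPlease see the invoice.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess(raw))
```

The display-name check is the strongest signal of the three; the opener and payment phrases are common in ordinary mail and are best used only to raise the priority of a message that already failed the name check.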

Key Actions

Treat any email message from a Duke employee not originating from a email address with suspicion. 

If you receive such an email and are asked to purchase gift cards or to transfer funds via wire, please do not respond, and report the issue using the "Report Phish to Duke" button in the OWA / Outlook clients to facilitate automated investigation and response.

If you received a message like this and replied with any personal information, money or gift cards, please contact the IT Security Office at

What the Attackers Say

The attackers claim to have hacked the victim's computer and provide a password as proof. They will often add additional pressure by claiming to have obtained explicit videos of the recipient. These are attempts to convince the recipient to send them funds in the form of Bitcoin. The attackers typically threaten to send the videos to all of the user's contacts if the requested funds are not sent to the provided Bitcoin wallet address. 

The reality is, these attackers have harvested real email addresses and passwords from various data breaches. In many cases the passwords listed are old, but may still be valid or in use by the individuals for other websites/services. (This is a security vulnerability known as password re-use.) 

Key Actions

Anyone who receives such a message should make sure to change the listed password for any account where it is still used. The IT Security Office strongly advises the use of unique passwords for every website/service and recommends using 1Password to help manage those passwords. See the 1Password Service Guide to learn more.

Users can find out if their email address has been involved in a data breach by visiting Entering an email address into the search field on that site will provide a list of any publicly available data breaches that included the provided address. 

If you receive one of these messages, do not respond and please report it (as well as any other suspicious messages that you receive) to the IT Security Office by using the "Report Phish to Duke" button in the OWA / Outlook clients to facilitate automated investigation and response or emailing

More detailed information about this type of scam can be found here:

Remember that phone numbers can be spoofed. If a call seems suspicious, hang up. If you don't recognize the incoming number, consider not answering the call. A legitimate caller can leave voicemail.

Links in text messages may be malicious. If you don't know the sender or weren't expecting it, don't click any links. 

Report any suspicious calls or text messages to your local IT support or

Proofpoint Targeted Attack Protection

To protect Duke account holders and the Duke network, Duke employs an email security product called Targeted Attack Protection (TAP) from the security company Proofpoint. More information is available on the Proofpoint Targeted Attack Protection (TAP) service page. 

Click Wisely

Review the Safe Browsing Guide to learn how to detect possible phishing pages.