What is phishing and how to spot a potential attack

Phishing attacks are social engineering attempts to trick recipients into either installing malicious software meant to steal private data or giving up personal information. Such attacks can incorporate phone calls, text messages, 'spoofed' e-mails, fraudulent websites, social media, and malicious QR codes, all of which are designed to fool recipients into divulging personal data such as account usernames, passwords, MFA (Multi-Factor Authentication) passcodes, Social Security numbers, credit card numbers, and banking information. If attackers get that information, they could gain access to your email, bank, or other accounts.

Phishing emails and text messages may:

  • Appear as if they are from a company, co-worker, friend, or family member you know or trust.
  • Tell a story to trick you into clicking on a link or opening an attachment.
    • Claim they have noticed some suspicious activity or log-in attempts.
    • Claim there is a problem with your account, payment, email address, or shipping information, or say you must confirm some personal information. See the Safe Browsing Guide for tips on identifying suspicious sites.
  • Contain spelling mistakes, poor grammar, sTrAngE F0nts, mismatched colors, generic greetings, unusual email addresses, odd links, or QR codes. See the QR Code Security Guide for tips on staying secure.
  • Use threats/warnings or a sense of urgency.
  • Ask you to call, text, or message them via WhatsApp or other 3rd party messaging services.

What is spear phishing

Spear phishing is targeted phishing, often aimed at executives and employees with access to confidential data. Be wary of any email asking you to reply with account information or click on a link, especially if the message is written to sound urgent. Be especially suspicious if you receive urgent requests for money from a colleague or friend. Confirm the legitimacy of such a request by a different communication method. (For example, if you receive an email requesting funds, call the supposed sender to verify.)


Report any suspicious email using one of the “Report Message” options to report Phish or Junk emails. Duke staff, faculty and students can report suspicious emails with one click of a button. 

The “Report Message” button is in all Outlook email clients (Windows, Mac, Web, Android, and iPhone). Duke’s information security offices encourage users to use the button instead of emailing to report suspicious emails. 

For more information see KB0031840


Beware Common Social Engineering Scams

What the Attackers Say

In email impersonation phishing scams, attackers attempt to impersonate Duke staff. 

1. The attacker registers an email address outside of Duke (such as Gmail, Hotmail, or another service) that appears to be a personal email account for the person they are impersonating.

2. Using publicly available information to determine targets, the attacker then sends a message to users they suspect may work with the person they are impersonating. These messages often begin with a simple request such as "Are you available?" or "May I ask a favor of you?".

3. If the user responds to the message, the attacker will respond to begin the fraud. Typically, this will lead to them asking for money to be transferred or for gift cards to be purchased and the activation code provided via email. The attacker may attempt to move the conversation to text.

Key Actions 

Treat any email message from a Duke employee not originating from a email address with suspicion.  

If you receive such an email asking you to purchase gift cards or transfer funds via wire, DO NOT respond, and report it using the "Report Message" button in the OWA / Outlook clients to facilitate automated investigation and response.

If you received a message like this and replied with any personal information, money, or gift cards, contact the IT Security Office at
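For mail administrators, the impersonation pattern described above can be checked mechanically. The following is an added example, not Duke's or Proofpoint's detection logic: it flags messages whose display name matches a staff member while the address is outside the organization's domain, plus the openers and payment requests quoted above. The domain example.edu, the staff names, and the sample messages are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Assumptions (not from the page): placeholder domain and a hypothetical directory.
INTERNAL_DOMAIN = "example.edu"
STAFF_NAMES = {"Jane Doe", "Robert Smith"}
# Openers and payment requests taken from the scam description on the page.
OPENERS = ("are you available", "may i ask a favor")
PAYMENT = re.compile(r"\bgift cards?\b|\bwire\b|\bactivation code\b")

def normalize(name):
    """Lower-case and sort name tokens so 'Doe, Jane' matches 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

STAFF_KEYS = {normalize(n) for n in STAFF_NAMES}

def score_message(from_header, body):
    """Return the reasons a message resembles staff impersonation."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    external = not (domain == INTERNAL_DOMAIN
                    or domain.endswith("." + INTERNAL_DOMAIN))
    text = body.lower()
    reasons = []
    if external and normalize(display) in STAFF_KEYS:
        reasons.append("staff display name on external address")
    if external and any(opener in text for opener in OPENERS):
        reasons.append("generic opener from external sender")
    if PAYMENT.search(text):
        reasons.append("gift card or wire request")
    return reasons

# Constructed sample messages (From header, body).
SAMPLES = [
    ('"Jane Doe" <jane.doe.dean@gmail.com>',
     "Are you available? I need a quick favor."),
    ('"Doe, Jane" <jd.office@outlook.com>',
     "Please buy gift cards and email me the activation code."),
    ('"Jane Doe" <jane.doe@example.edu>',
     "Are you available for the 3pm meeting?"),
    ('"Acme Billing" <billing@vendor.example>',
     "Your invoice is attached."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", score_message(sender, body) or "no flags")
```

A display-name match is only a triage signal: staff do sometimes write from personal accounts, so a flagged message still needs verification through a different channel.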

What the Attackers Say

The attackers claim to have hacked the victim's computer and provide a password as proof. They will often add pressure by claiming to have obtained explicit videos of the recipient. These are attempts to convince the recipient to send them funds in the form of Bitcoin. The attackers typically threaten to send the videos to all the user's contacts if the requested funds are not sent to the provided Bitcoin wallet address.

The reality is these attackers have harvested real email addresses and passwords from various data breaches. In many cases the passwords listed are old but may still be valid or in use by individuals for other websites/services. (This is a security vulnerability known as password re-use.)  

Key Actions

Anyone who receives such a message should make sure to change the listed password for any account where it is still used. The IT Security Office strongly advises the use of unique passwords for every website/service and recommends using 1Password to help manage those passwords. See the 1Password Service Guide to learn more. 

Users can find out if their email address has been involved in a data breach by visiting Entering an email address into the search field on that site will provide a list of any publicly available data breaches that included the provided address.  

If you receive one of these messages, do not respond and please report it (as well as any other suspicious messages that you receive) to the IT Security Office by using the "Report Phish to Duke" button in the OWA / Outlook clients to facilitate automated investigation and response or emailing  

More detailed information about this type of scam can be found here:

Remember that phone numbers can be spoofed. If a call seems suspicious, hang up. If you do not recognize the incoming number, consider not answering the call. A legitimate caller can leave voicemail. If you know the person but the number is different, contact them with the valid information you have.

Links in text messages may be malicious. If you do not know the sender or were not expecting it, do not click any links.  

Report any suspicious calls or text messages to your local IT support or

Proofpoint Targeted Attack Protection

To protect Duke University users, Duke employs an email security product called Targeted Attack Protection (TAP) from the security company Proofpoint. More information is available on the Proofpoint Targeted Attack Protection (TAP) service page. 

Click Wisely

Review the Safe Browsing Guide to learn how to detect possible phishing pages.