What Is Phishing?

Phishing is a social engineering attempt to trick you into revealing personal or sensitive information, and/or to install malware on your device. These messages can be delivered by email, phone call, SMS text message, or other means. The language in phishing messages often attempts to create a sense of panic and urgency, to entice you with offers that are too good to be true, or to appear as a message from a legitimate source. By responding—typing in your information, clicking a link, downloading a file, etc.—malware may be installed and your data stolen.

Phishing scams can also be delivered by pop-ups on webpages, fake login pages, paid ads, social media posts and messaging, as well as unsolicited tech support.


All types of phishing are on the rise. Other types of phishing, besides mass distributed messaging, are spear phishing which targets individuals or groups, and whaling which targets an organization's leaders or staff with access to funds and high risk data.


Common Signs of Phishing


Watch: Interview with Don Welch On Phishing

Format Factors

  • Spoofed addresses that falsely appear to be from someone you know, learn more below
  • Phony email addresses, e.g.  Chase_Bank@Gmail.com
  • An atypical address for that sender
  • A name that does not match the address
  • Generic greeting and closing
  • Poor grammar and odd formatting
  • Spelling and punctuation mistakes
  • Shortened URLs, links with typos, or unusual domain names, e.g. www.paypall.net
  • Vague titles for documents or attachments

Tone and Urgency

  • A call to immediate action
  • Threat of negative consequences if you do not respond immediately
  • Request for help
  • Offering money, goods, or prizes
  • Overly complimentary
  • Requests for personal information or to update payment info
  • Password reset emails you did not request, or MFA login approval prompts, phony package shipping updates, or fake late payment notifications
  • Seems suspicious or flagged as suspicious by Google

Don't Take the Bait

Slow down and confirm before you click to make sure it's a legitimate site.

  • Double check the domain name for misspellings
  • Is the extension (.edu, .com, .net, .org, .gov) correct?
  • The url should begin with https://
  • Check the sender's address too! Do the written address and destination URL match?
  • If the links match and begin with https://, click with caution and confirm the site is encrypted with a locked padlock in the address bar

How To View the URL

Computer: Hover your mouse over the link. The URL will appear at the bottom of your browser

  • Don’t see it? Make sure your browser settings are set to "show status bar"
  • In NYU Email, the true domain name is visible between the "3A_" and the "_":
  • Learn more about NYU Email: URL Defense FAQs

Mobile device: Press-and-hold the URL

If You Suspect an Email Is Phishing

  • Don't open vague or unexpected attachments or call any phone numbers they provide
  • Don't click embedded links
  • Don't react to urgency
  • Don’t reveal personal information unless you first confirm that the recipient is legitimate
  • Don't answer unknown phone numbers or reply to the sender
  • Forward phishing emails to phishing@nyu.edu before anyone else can fall for them!
  • Contact the sender at a trusted phone number to confirm any unexpected messages

Think You Might've Fallen for a Phishing Attack?

  • Forward the phishing email to phishing@nyu.edu and include specific information about the incident
  • Report any suspected ransomware with NYU's Cyber Incident Response form
  • Immediately reset the password for the affected account and for any other accounts that use that same password. (You should never reuse passwords.)
  • You may also want to change your direct deposit or account information, alert your bank, and check all of your financial accounts from a trusted device
  • Monitor all your accounts closely for the next few weeks
  • Improve your knowledge and protect against future attacks by signing up for Cybersecurity Awareness Training
  • Stay current with NYU IT Security News

An Example of How Phishing Works

Let's run through a phishing scam. It starts with a fraudulent email message that appears to come from a popular or trusted website. The email looks official enough that it can seem legitimate. This results in busy, unsuspecting people responding to the phishing requests by sending credit card numbers, passwords, account information, or other personal information.

The email may also contain embedded links that seem to lead to a legitimate website but actually lead to a "spoofed website." Entering information in this phony site is another way cybercriminals gain personal information that they can use to steal your identity or credit card, or to hack your accounts.