What Is Phishing?

Phishing is a social engineering attempt to trick you into revealing personal or sensitive information, and/or to install malware on your device, such as a computer, tablet, or mobile phone. These messages can be delivered by email, phone call, text message, or other means. The language in phishing messages often attempts to create a sense of panic and urgency, to entice you with offers that are too good to be true, or to appear as a message from a legitimate source. If you respond (by typing in your information, clicking a link, downloading a file, etc.), malware may be installed, your data stolen, and the network breached, allowing malicious software to attempt to penetrate the network.

Phishing scams can also be delivered by pop-ups on webpages, fake login pages, paid ads, social media posts and messaging, as well as unsolicited tech support.


All types of phishing are on the rise. Besides mass-distributed messaging, other types of phishing include spear phishing, which targets individuals or groups, and whaling, which targets an organization's leaders or staff with access to funds and to high-risk data, such as personal data and sensitive information like research.


Common Signs of Phishing


Watch: Interview with Don Welch On Phishing

Format Factors

  • Spoofed addresses that falsely appear to be from someone you know (learn more below)
  • Phony domains in email addresses, e.g. Chase_Bank@Gmail.com
  • An atypical address for that sender
  • A name that does not match the address
  • Generic greeting and closing
  • Poor grammar and odd formatting
  • Spelling and punctuation mistakes
  • Shortened URLs, links with typos, or unusual domain names, e.g. www.paypall.net
  • Vague titles for documents or attachments

Tone and Urgency

  • A call to immediate action
  • Threat of negative consequences if you do not respond immediately
  • Request for help
  • Offering money, goods, or prizes
  • Overly complimentary
  • Requests for personal information or to update payment info
  • Password reset emails you did not request, or MFA login approval prompts, phony package shipping updates, or fake late payment notifications
  • Seems suspicious or flagged as suspicious by Google

Stay Secure, Don't Take the Bait

Don’t click on links in emails that you were not expecting. Even if the email is sent from a trusted domain (like @nyu.edu), it could be a fake. When cybercriminals send messages from trusted domains these scams are hard to identify. If in doubt, double check on the sender’s official website to find accurate information and contacts.

Slow down and confirm before you click to make sure it's a legitimate site.

  • Double check the domain name (the name following the www in the URL or web address) for misspellings
  • Is the extension (.edu, .com, .net, .org, .gov) correct?
  • The URL should begin with https://
  • Check the sender's email address too! Does the domain of the email address match the destination URL?
  • If the links match and begin with https://, click with caution and confirm the site is encrypted with a locked padlock in the address bar
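
The checklist above can be run mechanically. The following is an added example, not part of the original page: it checks a link for https, compares the sender's domain with the link's domain, and flags misspelled names or wrong extensions. The `TRUSTED` list, the function names and the two-character misspelling threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the reader genuinely deals with.
TRUSTED = {"paypal.com", "chase.com", "nyu.edu"}

def registrable(host):
    """Last two labels of a host name (simplification: ignores suffixes like .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(sender, url):
    """Return the warnings raised by a link in an email from `sender`."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    link_domain = registrable(parts.hostname or "")
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    if parts.scheme != "https":
        warnings.append("URL does not begin with https://")
    if sender_domain != link_domain:
        warnings.append(f"sender domain {sender_domain} != link domain {link_domain}")
    if link_domain not in TRUSTED:
        name, _, ext = link_domain.partition(".")
        for good in sorted(TRUSTED):
            good_name, _, good_ext = good.partition(".")
            if name == good_name:
                warnings.append(f"wrong extension: .{ext}, expected .{good_ext}")
            elif edit_distance(name, good_name) <= 2:
                warnings.append(f"looks like a misspelling of {good}")
    return warnings

# Constructed sample built from the two example strings on this page.
if __name__ == "__main__":
    for w in check_link("Chase_Bank@Gmail.com", "http://www.paypall.net/login"):
        print("WARNING:", w)
```

An empty result means only that none of these checks fired; https and a matching domain show that the connection is encrypted and the names agree, not that the site is legitimate.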

How To View the URL

Computer: Hover your mouse over the link. The URL will appear at the bottom of your browser

  • Don’t see it? Make sure your browser settings are set to "show status bar"
  • In NYU Email, the true domain name (this follows www in the URL) is visible between the "3A_" and the "_"
  • Learn how URL Defense protects NYU Emails, URL Defense FAQs

Mobile device: Press-and-hold the URL
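
To read the true domain out of a rewritten link without clicking it, the link can be decoded. This is an added example, not part of the original page or of NYU's tooling. It assumes the rewritten link carries the original URL in a query parameter (here `u`), with `_` standing for `/` and `-XX` standing for the character with hex code XX, which matches the "3A_" pattern described above; the wrapper host in the sample is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

def unwrap(rewritten, param="u"):
    """Recover the original URL from a rewritten link, or None if it is not one.

    Assumed encoding: '_' stands for '/', and '-XX' is the character whose
    hex code is XX (so '-3A' is ':').
    """
    query = parse_qs(urlsplit(rewritten).query)
    if param not in query:
        return None
    # Replace '_' first: an encoded literal underscore ('-5F') must survive.
    decoded = query[param][0].replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), decoded)

def true_domain(rewritten):
    """Host name the rewritten link really leads to, or None."""
    original = unwrap(rewritten)
    return urlsplit(original).hostname if original else None

# Constructed sample: placeholder wrapper host, target taken from this page's example.
SAMPLE = "https://urldefense.example/v2/url?u=https-3A__www.paypall.net_login-3Fid-3D7&d=abc"

if __name__ == "__main__":
    print(unwrap(SAMPLE))
    print(true_domain(SAMPLE))
```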

If You Suspect an Email Is Phishing

  • Don't open vague or unexpected attachments or call any phone numbers they provide
  • Don't click embedded links
  • Don't react to urgency. Creating urgency is a tactic used by cybercriminals to get you to click
  • Don’t reveal personal information unless you first confirm that the recipient is legitimate
  • Don't answer unknown phone numbers or reply to the sender
  • Help others! Forward suspected phishing emails to phishing@nyu.edu before someone gets phished
  • Contact the sender at a trusted phone number to confirm any unexpected messages

Think You Might've Fallen for a Phishing Attack?

  • Forward the phishing email to phishing@nyu.edu and include specific information about the incident
  • Report any suspected ransomware with NYU's Cyber Incident Response form
  • Immediately reset the password for the affected account and for any other accounts that use that same password. (You should never reuse passwords.)
  • You may also want to change your direct deposit or account information, alert your bank, and check all of your financial accounts from a trusted device
  • Monitor all your accounts closely for the next few weeks
  • Improve your knowledge and protect against future attacks by signing up for Cybersecurity Awareness Training
  • Stay current with NYU IT Security News

How Phishing Works

Let's run through a phishing scam. It starts with a fraudulent email message that appears to come from a popular or trusted website. The email looks official enough that it can seem legitimate. The result is that busy, unsuspecting people respond to the phishing requests by sending credit card numbers, passwords, account information, or other personal information.

The email may also contain embedded links that seem to lead to a legitimate website but actually lead to a "spoofed website." Entering information in this phony site is another way cybercriminals gain personal information that they can use to steal your identity or credit card, or to hack your accounts.