With the interactive scenarios based on real details below, you can put yourself in the shoes of someone struggling with a phishing attack. Think through how each person could have handled the situation differently. Consider if you might be vulnerable to a similar scam.
With the provided questions and answers for each scenario, you'll learn what to watch out for and how to protect yourself.
Not all "phish" are alike
Scammers use a variety of types of emails to try to trick people into action. Seeing real examples can help you understand the potential.
Gilly is an IU employee. Today she has back-to-back meetings. While checking emails on her phone, she sees an email from the “Employee Portal” prompting her to confirm payment for a medical procedure immediately.
She clicks on the link and is taken to a site that looks much like IU’s Central Authentication Service (CAS) login page—except that the form doesn't seem to behave as usual when she enters her username and passphrase.
Gilly submits her IU login details and is then redirected to a strange page. She is suddenly distracted when the organizer of her next meeting walks by, and she forgets about the message.
Before expanding the below sections, write down your responses for yourself. Then compare your answers.
Gilly could have tapped the sender's name to check the real reply-to email address. It likely was not a legitimate IU email address, as it is very hard for phishers to spoof the actual reply-to email address of an email.
Gilly could have checked if the message had IU's Trusted Security Footer to indicate the message is from a trustworthy sender.
Instead of clicking on the link in the email, Gilly could have gone directly to one.iu.edu to find the relevant service, then looked for any notifications directly in the known service website.
On a mobile device, it can be difficult to do the equivalent of a "hover" action to reveal the actual URL, depending on the device. If Gilly didn't know how to do this on her own device, she should not have tapped any link in the email.
IU doesn't have a service called "Employee Portal." Scammers often use terms that might seem official and seem plausible.
IU doesn't contact you directly about medical procedures or bills.
Once Gilly clicked the link, it took her to a spoofed IU CAS page. Even then, she could have taken time to notice differences between the spoof CAS page she was taken to, versus the legitimate CAS page at https://cas.iu.edu/cas/login. IU's CAS page has specific traits and features that are hard to mimic by site spoofers. We can study the legitimate CAS page, and also make sure we check the actual URL at the top of the browser window before entering any sensitive information. Learn more about how to be sure a website is genuine.
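The checks suggested above (look behind the displayed sender name at the real address, and look at where a link really points rather than at the text it shows) can be done by a script as well as by hand. The following Python is an added example written for this page; it is not IU tooling and not part of the original training material. It parses a raw message, reports the real From and Reply-To domains behind the display name, extracts every link from the HTML body, and compares each link's true host against the domain the reader expects. It goes slightly beyond the scenario by also flagging two common tricks: a host that merely embeds a trusted name (cas.iu.edu.something.example is not under iu.edu) and a link whose visible text is one URL while its target is another, which is what a "hover" reveals. The sample message, the addresses in it (all on reserved .example names) and the TRUSTED_DOMAINS list are constructed assumptions for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the one domain the reader expects IU mail and links
# to come from. A real deployment would keep a fuller list.
TRUSTED_DOMAINS = ("iu.edu",)

# Constructed sample modelled on Gilly's scenario; every address and host below is
# invented for this example and uses reserved .example names.
SAMPLE_EMAIL = """\
From: "Employee Portal" <payments@iu-employee-portal.example>
Reply-To: helpdesk@iu-employee-portal.example
To: gilly@iu.edu
Subject: Confirm payment for medical procedure
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://cas.iu.edu.login-verify.example/cas/login">confirm your payment</a> now.</p>
<p>Or sign in at <a href="https://cas-iu.example/login">https://cas.iu.edu/cas/login</a>.</p>
<p>Questions? Visit <a href="https://one.iu.edu">https://one.iu.edu</a>.</p>
</body></html>
"""


def is_trusted(host):
    """True only if host is a trusted domain or a real subdomain of one (suffix match).
    'cas.iu.edu' passes; 'cas.iu.edu.attacker.example' does not, whatever it contains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_alike(host):
    """Host embeds a trusted name somewhere but is not actually under that domain."""
    return not is_trusted(host) and any(d in (host or "").lower() for d in TRUSTED_DOMAINS)


def first_mailbox(msg, name):
    """(display name, address) of the first mailbox in header `name`, or ('', '')."""
    hdr = msg[name]
    if not hdr or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].addr_spec


def host_of_address(addr):
    """Domain part of user@host, lower-cased; '' if the address has no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


class LinkExtractor(HTMLParser):
    """Collects each <a> tag's real target together with the text the reader sees."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_email(raw):
    """Sender and reply-to domains plus a verdict for every link in the HTML body."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = first_mailbox(msg, "From")
    reply_to = first_mailbox(msg, "Reply-To")[1] or from_addr  # replies go to From if unset
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    links = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # If the visible text is itself a URL, the reader assumes that is the destination.
        shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        links.append({"text": text, "href": href, "host": host,
                      "trusted": is_trusted(host), "lookalike": looks_alike(host),
                      "text_mismatch": shown is not None and shown.lower() != host})
    return {"from_display": display, "from_host": host_of_address(from_addr),
            "from_trusted": is_trusted(host_of_address(from_addr)),
            "reply_to_host": host_of_address(reply_to),
            "reply_to_trusted": is_trusted(host_of_address(reply_to)), "links": links}


if __name__ == "__main__":
    result = analyze_email(SAMPLE_EMAIL)
    print(f'Sender shown as "{result["from_display"]}", real domain {result["from_host"]}, '
          f'trusted={result["from_trusted"]}; reply-to domain {result["reply_to_host"]}')
    for link in result["links"]:
        print(f'  "{link["text"]}" -> {link["host"]}: trusted={link["trusted"]} '
              f'lookalike={link["lookalike"]} text_mismatch={link["text_mismatch"]}')
```

Run as a script it prints one line per link; the first link is flagged as a look-alike host, the second for showing a cas.iu.edu address while pointing elsewhere, and only the one.iu.edu link comes out clean. The suffix match in is_trusted is the important design point: a host is only "IU" if it ends in .iu.edu, which is exactly the distinction a reader has to make when checking the address bar on the CAS page.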
Gilly gave up her IU login credentials to the scammers. They now have her username and passphrase for all of her IU services that use those credentials.
IU now requires the use of Two-Step Login (Duo) for most systems, but for any systems that are not using Duo, the scammers can get into that system and steal information or make changes under Gilly's login.
If scammers also gained access to one of Gilly's enrolled devices, more sensitive information, including financial details, could be compromised.
If Gilly has not been careful to avoid repeating her username and passphrase for other sites and systems she uses, the phishers can try plugging in her IU credentials to a great many other popular sites to see if they can gain access.
Even from that one click in a phishing email, phishers could have installed malware onto Gilly's mobile device. It's important to note that malware exists for all mobile platforms.
Gilly's own personal identity could be compromised, if the phishers uncover enough sensitive data about Gilly using her credentials. This could lead to debt, ruined credit, and other legal and financial issues.
Scammers using her IU credentials to impersonate her might steal assets or money from the university. The severity could depend on what systems Gilly has access to.
Gordon is a new manager-level employee at IU. One week after starting his position, he receives an email that appears to be from “The IT Support Center” which requires that he verify his “company password” is strong enough as a new employee.
The email has a link that takes Gordon to an IU-branded page with a form to enter his email address and password so it can be verified. Gordon wants to make sure his passphrase is strong, so he fills out the form.
Connected to his position, Gordon has already been added to a Box folder that contains restricted institutional data.
Before expanding the below sections, write down your responses for yourself. Then compare your answers.
Gordon should remember that IU will never ask for anyone's passphrase.
Gordon could have tapped the sender's name to check the real reply-to email address. It likely was not a legitimate IU email address, as it is very hard for phishers to spoof the actual reply-to email address of an email.
Gordon could have checked if the message had IU's Trusted Security Footer to indicate the message is from a trustworthy sender.
Instead of clicking on the link in the email, Gordon could have gone directly to one.iu.edu, searched "passphrase," and opened the "Passphrase Reset" task to review necessary passphrase requirements and reset if desired.
At IU, the word "passphrase" is used, not "password" (and certainly not "company password").
Password strength is evaluated at password creation, not retroactively once it is already created. Rules for password strength are also universal at IU. Learn more about your IU passphrase.
At IU, the UITS Support Center is not called "The IT Support Center." Scammers often use terms that might seem official and seem plausible.
Even from the one click in a phishing email, phishers could have installed malware onto Gordon's computer, which could be used in a variety of ways to steal data, affecting Gordon personally or others, depending on what information is available from Gordon's computer.
Gordon gave up his IU email address and passphrase to the scammers. They now have his username and passphrase for all of his IU services that use those credentials.
IU now requires the use of Two-Step Login (Duo) for most systems, but for any systems that are not using Duo, the scammers can get into that system and steal information or make changes under Gordon's login.
If scammers have also gained access to one of Gordon's enrolled devices, more sensitive information, including financial details, could be compromised.
Gordon has access to restricted information in Box, which could be compromised if scammers bypass Duo prompts.
If Gordon has not been careful to avoid repeating his username and passphrase for other sites and systems he uses, the phishers can try plugging in his IU credentials to a great many other popular sites to see if they can gain access.
Gordon's own personal identity could be compromised, if the phishers uncover enough sensitive data about him using his credentials. This could lead to debt, ruined credit, and other legal and financial issues.
Scammers using Gordon's IU credentials to impersonate him might steal assets, data, or money from the university. The severity could depend on what systems Gordon has access to.
Ask for help from the UITS Support Center or his designated IT Pro to completely wipe and reset his computer.
Change his passphrases for all of his accounts. Start with emails, then go to banks, and so on, in order of highest priority. Begin to use a reputable password manager to make sure passwords are never repeated. Learn more about how to keep your IU passphrase secure.
Monitor his credit reports and credit card statements for fraud.
Ensure that the bank information associated with his payroll is correct.
Garmin is an IU graduate student in his final year. He receives a message that seems to be from the head of his department, recommending he attend an upcoming event.
He clicks the “Register” link, which results in a “page not found” notice on an unknown website. Garmin doesn’t realize that by clicking the link, a keylogging malware application was installed on his computer. Later, from that same computer, he makes some online purchases.
Before expanding the below sections, write down your responses for yourself. Then compare your answers.
Garmin could have tapped the sender's name to check the real reply-to email address. It likely was not a legitimate IU email address, as it is very hard for phishers to spoof the actual reply-to email address of an email.
Garmin could have checked if the message had IU's Trusted Security Footer to indicate the message is from a trustworthy sender.
Instead of clicking on the link in the email, Garmin could have searched for the name of the event online to see if it is publicized elsewhere and scrutinized all search results carefully. Learn more about how to be sure a website is genuine.
If unable to verify the sender's reply-to email address or digital signature, Garmin could have contacted the sender directly by phone to verify the veracity of the message.
Keylogging malware tracks all keystrokes made on a keyboard by the targeted user, to look for patterns and possible credential information. This means that in addition to giving up credit card information from his online purchase, any system Garmin logged in to by typing his username and passphrase after the malware was installed is now compromised. This could include email accounts, bank accounts, IU systems, and more.
If the phishers gather enough information and access based on Garmin's keystrokes, Garmin's data and finances could be severely compromised beyond quick repair.
If the phishers gather enough information and access based on Garmin's keystrokes, IU's data and finances could be severely compromised, depending on what Garmin has access to.
Garmin's own personal identity could be compromised, if the phishers uncover enough sensitive data about him using his credentials. This could lead to debt, ruined credit, and other legal and financial issues.
Because Garmin is a graduate student at a pivotal point in his early career, this could make it hard for him to find job placements and lead to continual financial struggle.
Scammers using Garmin's IU credentials could steal critical research data from the university, depending on what Garmin has access to as part of his research and studies.
Ask for help from the UITS Support Center to completely wipe and reset his affected computer.
Change his passphrases for all of his accounts. Start with emails, then go to banks, and so on, in order of highest priority. Begin to use a reputable password manager to make sure passwords are never repeated. Learn more about how to keep your IU passphrase secure.
Monitor his credit reports and credit card statements for fraud. Contact all financial institutions for exact recommended next steps.
Freeze or take other action to protect credit reports.
The following email examples show you various ways scammers use email lures to get victims to click or take other action, by impersonating trusted services or people.
The purpose of showing these various ploys is to help you recognize the potential threats and how varied scam attempts can be.
The hook: Follow urgent banking transaction instructions
This is an example of a spear phishing email, designed to impersonate a person of authority requiring that a banking or wiring transaction be completed. The request is designed to be urgent to prompt action without thinking.
Image source: edts.com blog article "15 Examples of Phishing Emails from 2016-2017"
The hook: Complete invoice payment or face penalties
This email impersonates a financial institution requiring that an invoice be paid.
Image source: edts.com blog article "15 Examples of Phishing Emails from 2016-2017"
The hook: Enter details to process refund
This phishing email impersonated Amazon, requiring immediate action in order to receive a refund. Notice several punctuation errors in the text. When hovering over the URL, you would also see a URL domain that was designed to look legitimate, but was not an actual Amazon domain.
This email makes the recipient concerned about (fake) recent international activity on their account. The email contains a link to review the activity, but the link was not legitimate.
Image source: Phishing.org
The hook: Restart service with payment
This email impersonates Netflix, a popular video streaming service, and requires that the recipient click the link to restart a membership. This was a very sophisticated phish, mimicking the service's brand all the way through to a scam site that collected payment details.
Image source: edts.com blog article "15 Examples of Phishing Emails from 2016-2017"
The hook: Send sensitive information to authority immediately
This email impersonates an authority at the company and requires that sensitive information be sent to a third party (a fake accounting firm). While you might not have access to W-2 forms, consider other data you have access to that could be requested by a spammer. Investigate all requests for data extremely carefully and use only approved ways to share sensitive institutional data.
Image source: edts.com blog article "15 Examples of Phishing Emails from 2016-2017"