Tips & Strategies

Learn the top quick steps, then deepen your knowledge and learn more strategies with key IU resources from Protect IU and the IU Knowledge Base.

Plus, find high-quality training resources available at IU.

Think before you click—Quick steps

1. Recognize

Verify the sender is who you think it is.

How: Double-click or tap the sender’s name at the top of the email to view the real email address. (In Gmail, hover without clicking.) 

Get more help to recognize >>

2. Rethink

If you can't verify the sender, do not click at all.

How: If the email refers to a known website, type that website address into a new browser window instead and check for information there. 

Get more help to rethink >>

3. Report

Suspect it's a phish? Send the alert.

How: Contact your campus UITS Support Center for help on how to report it. 

Get more help to report >>

Contact your IT Pro or the UITS Support Center

If you don't have other means to report quickly, contact your IT Pro or the UITS Support Center.

UITS Support Center contact information

 

Use the PhishMe reporter add-in for Outlook

If using Outlook, install the PhishMe reporter to report a suspected phish with one click. When you use the PhishMe reporter button on a suspected phishing email in your inbox, it deletes the selected message and sends it with full headers to phishing@iu.edu on your behalf.

Get the PhishMe reporter add-in tool

 

Forward the message to phishing@iu.edu with full headers

Using any major email provider, you can forward the message to phishing@iu.edu with full headers to report a suspected phishing email.

Learn how to forward with full headers
(Instructions for each email client are provided.)

Key recommendations from the IU Knowledge Base

Avoid scams

To guard against phishing scams, consider the following:

  • Indiana University and other reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company's website (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.
  • Read your email as plain text.

    Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.

  • If you choose to read your email in HTML format:
    • Hover your mouse over the links in each email message to display the actual URL. Check whether the hover-text link matches what's in the text, and whether the link looks like a site with which you would normally do business.

      On an iOS device, tap and hold your finger over a link to display the URL. Unfortunately, Android does not currently support this.

    • Before you click a link, check to see if the message sender used a digital signature when sending the message. A digital signature helps ensure that the message actually came from the sender.

When you recognize a phishing message, first report it as noted below, and then delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the websites it points to.

To learn more about guarding against phishing scams, see:

Training options to boost your defenses

Take free online courses

Take no-cost online training via IU Expand any time.

Explore online classes

Hold "Think before you click" workshops

Request a "Think before you click" instructor-led workshop with IT Training.

Schedule a workshop

Run practice simulations

Get the PhishMe simulation service for your department.

Request this service