Email Phishing

There are many forms of email scam, but one of the most common right now is phishing, which is an attempt by a malicious party to trick message recipients into taking actions that will reveal private information (like passwords) or cause malicious software to be installed on the recipient’s computer. Understanding these attempts, learning to identify them, and knowing what action to take when such attempts are made can be crucial to protecting your information as well as Tarleton’s.

Two Techniques: Spoofing and Hacking

Spoofing occurs when a malicious party takes advantage of weaknesses in the Internet email system which enable them to forge the “from” address, allowing the malicious sender to pose as a trusted person or entity and trick the recipient into taking action which might reveal private or secret information or which might cause malicious software to be run on the recipient’s computer. Spoofed messages do not come from or pass through the email system of the forged sender; they just give that appearance.

Hacking occurs when a malicious party has gained access to a victim’s email address and password; for example, via a spoofed message from “HelpDesk@tarleton.edu” or “admin@microsoft.com” directing the victim to “validate their email account” by clicking on a link and then entering credentials on a fake, but real-looking, web page. Once the malicious party has the victim’s credentials, they can log in as the victim and send unlimited messages of any kind, to anyone, as the victim. The hacker effectively becomes the victim and can perpetrate further scams in the victim’s name with no need to forge or spoof the victim’s address.

If you think an email is a phishing attempt, please contact the Tarleton Helpdesk at helpdesk@tarleton.edu or call them at 254-968-9885.

Screenshot of email header with email address information

The From or Reply To email address is a different domain or slightly different spelling than the official email address.

Did the Email Actually Come from Someone That You Trust?

Where did the email originate? Although the From address in the following example appears valid, if you look closely, you'll see that the mailto: address is a Gmail account instead. If they don't match, this is definitely a phishing attempt.

Official email from A&M System components will usually not originate from non-Tarleton accounts. Don't be fooled by similar spellings, either (e.g. johntarleton@tarlleton.edu).

Is This Really the Site That You Wanted?

Screenshot of the email message shows the visible address is different from the actual address on mouse hover

Where will the links take you when you click on them? When you hover your mouse cursor over a link in an email, check whether the address that appears on hover actually matches the link text shown in the message.

In this case, when you hover over the link address in the email message, you will see a very different link that would take you to an unsecure site. This is a good indication that the email you are viewing is a phishing attempt.

Avoid the Bait of a Phishing Scam

Online con-games are designed to prey on unsuspecting recipients with attention-getting emails that appear to come from legitimate institutions.

Examples include:

  • Financial institutions such as banks, savings and loans, or mortgage accounts
  • A shipping or packaging company that has the words 'Delivery Failure' in the subject line
  • A fake email from an FBI Director, CIO or other high-ranking individual
  • A message from "your" help desk or email service asking for account information, passwords or other personal information

The messages may ask you to 'update,' 'validate,' or 'confirm' account or email address information, or will include links that direct you to a site that looks like the actual Web site.

The purpose is to trick you into divulging personal information or downloading malicious code that can record all keystrokes, including passwords, or copy contact list information to scam friends and family or commit other crimes in your name.

More Information

File a Complaint

Tarleton Rule: Electronic Information Resource Complaints