Skip to content

Phishing fundamentals: 3 tips to shore up your defenses

From high-profile ransomware attacks to massive data breaches, the cybersecurity landscape has been quite turbulent in the past two years. Despite all of the new and emerging threats, however, phishing — one of the oldest pain points in cybersecurity — continues to wreak havoc and remains as much a threat now as ever.

Phishing has been a mainstay in the cybersecurity landscape for decades, evolving to become one of the most dangerous cyberthreats to an organization’s digital health. In fact, in 2020, 43 percent of cyberattacks included phishing or pretexting, while 74 percent of U.S. organizations encountered a successful phishing attack.

As employees and students at a public institution, we are especially vulnerable to cyberattacks like phishing because certain elements of our contact information are easily accessible. That’s why proper digital hygiene and information security best practices are so necessary.

With that in mind, here are a few best practices and tips for dealing with phishing threats.

Know the red flags

Phishers are masters at making their messages and interactions appealing. From design to language, it can be difficult to discern whether an email is a genuine or potential threat, which is why it is so important to know common red flags. Awkward and unusual formatting, overt callouts to open a hyperlink or an attachment, and subject lines that create a sense of urgency are all hallmarks that the email you received could be a phishing attack and indicate that it should be handled with caution.

Phishers may ask you to disclose personal information such as your name, account information, date of birth, Social Security number, and address. They also may try to lure you to open a malicious file or an unsecure link to compromise your computer. If an email seems suspicious, hover over the links to see where you are being directed. If it's not legit, don't click.

What is phishing?

Phishing is a form of social engineering designed to steal your personal information, passwords, or money — typically via deceptive emails, text messages, phone calls, social media posts, or pop-ups.

Pretexting is another form of social engineering that often goes hand in hand with phishing. An attacker will use a specific scenario (the pretext) to persuade people to provide information or do something they wouldn’t do in normal circumstances. Often, attackers will impersonate a friend or trusted entity to manipulate their targets into disclosing personal information, such as account information, passwords/ PIN numbers, or credit card information.

For more information about the various phishing schemes, please download the phishing tip sheet.


How to report a phishing attack

When you receive a phishing attempt through a university email account, the Information Security Office (ISO) and U Police ask that you immediately report it. The ISO can then confirm the phishing attempt, remove the email, and block the sender from our system to protect other students, faculty, staff, patients, and community members.

Forward the email as an attachment to and U Police at If you are unsure how to forward a message as an attachment, use a search engine to find instructions for your email client or ask someone to assist you. If you use UMail via Outlook Web Access (OWA), compose a new message, drag and drop the email you want to forward into the body of the new message to send it as an attachment. Access this vendor support website for more information.

If, by accident, you click on a questionable link and enter login credentials, immediately go to the Campus Information Services portal — — and change your password. In addition, contact ISO's Security Operations Center at to notify information security staff.

If you need further assistance, please contact your cognizant central IT help desk: Main Campus UIT Help Desk (801-581-4000, option 1) or University of Utah Health ITS Service Desk (801-587-6000).

Last Updated: 6/15/22