Authority Scam: Exploiting Dutifulness

Phishing Scams: Can you Spot them like Scrappy?

Scrappy in a winner pose.

Scrappy is on the case! Join him as he cracks the code of phishing scams. We'll uncover sneaky tricks scammers use in their emails, so you can become a whiz at identifying them and protecting yourself from online fraud.

Get ready to . . . 

  • Read real-world examples: Scrappy will show you suspicious emails and challenge you to spot the red flags.
  • Think like a detective: Use your critical thinking skills to identify clues that something's fishy.
  • Become a reporting hero! You will learn when to report an email and keep everyone safe online.

Be like Scrappy: Always report suspicious emails! Remember: Spot. Stop. Report.

Example 1

From:

Stephen Sprague <montaje@united-events.es>

To:

scrappy@kennesaw.edu

Subject:

[External] Direct Deposit Update Details 
! This message was sent with High Importance.

Message:

Hi Scrappy,

I hope this email finds you well. I wanted to reach out to request a copy of the direct deposit form that I need to fill out before the upcoming payroll is processed.

Thanks,
Stephen Sprague

Director - Audits and Investigations

Spot. Stop. Report.

    1. Suspicious domain name. You see a legitimate-sounding name, yet when you hover over it, you can see the actual email address. Legitimate organizations use their own domain names.
    2. External sender warning inserted in the subject line.
    3. The email is marked with "High Importance," trying to instill a sense of urgency in you.
    4. The mention of payroll alarms recipients; they don't want to jeopardize receiving their paycheck on time.
    5. There is no clear indication of where Stephen Sprague works. "Audits and Investigations" is not a company name.
    1. Spot: Note that the email is marked as [External]. 
    2. Stop: Do not reply and don't download any attachments if there are any.
    3. Report: Use the Phish Alert button to report the email to UITS. (If it is legitimate, you will be notified that you can safely proceed with any requests.)

Example 2

From:

InterimChairDepartment@gmail.com

To:

scrappy@kennesaw.edu

 

Subject:

[EXTERNAL] Quick request

 

Message:

Kindly send me your available cell number -- 

Interim Chair Department of <Department Name> and Interim Associate Dean for <Department Name>

Spot. Stop. Report.

    1. External sender warning inserted in the subject line.
    2. The sender claims to be an Interim Chair of a Department, yet the email comes from a free Gmail account, not a KSU account.
    3. No personal greeting. Scammers like to be efficient and send the same email to as many people as possible.
    4. A request for your personal phone number may seem simple and benign, but once a cybercriminal has your phone number, they can use it to target you on your phone, and they can gather more personal information through social engineering tactics.
    5. The email does not have a proper signature.
    1. Spot: Take note of the discrepancies. 
    2. Stop: Do not respond to the email. If you are in doubt, reach out through an official channel and ask the person claiming to have a quick request if they indeed contacted you.
    3. Report: Use the Phish Alert button to report the email to UITS. (If it is legitimate, you will be notified that you can safely proceed with any requests.)

 

If you have any doubts about the legitimacy of an email, report it to University Information Technology Services (UITS)!  Forward it to abuse@kennesaw.edu, or click the "Phish Alert Report" button in Outlook.

Return to Phish Market

 

©