ITS Safe Computing

Spam, Phishing, and Suspicious Email

What are Spam and Phishing?

Spam is the use of electronic messaging systems to send unsolicited—usually undesired—bulk messages indiscriminately. Some spam is merely annoying, while other spam can result in a number of very bad outcomes for unsuspecting recipients.

Phishing is a specific type of spam. Phishing or spoofing is the term used for deceitful or fraudulent emails designed to trick people into providing personal information that leaves them vulnerable to identity theft, computer viruses, and compromised email accounts. The number and sophistication of phishing scams continue to increase. Non-email types of phishing include phony websites or phone calls that ask the potential victim to supply or verify personal information.

Spear Phishing is an even more insidious form of phishing, where criminals impersonate U-M officials to trick you. Watch a short video to learn about spear phishing.

Stop. Think. Connect.

Staying safe on the Internet takes some common sense steps—Stop. Think. Connect. Protect yourself and help keep the web a safer place for everyone.

Recognizing a Phishing Message

For examples of fraudulent and safe emails and webpages at U-M, see What to Watch for: Phishing Examples.

Phishing emails:

  • Typically use urgent or exciting language
  • Ask for passwords, bank account information, usernames, credit card numbers, social security numbers
  • Often have grammatical, typographical, or other editorial errors (but the more sophisticated phishes may not)

Tips to Avoid Getting Phished

  • Do not respond to any suspicious email by clicking on links or filling out forms with personal or financial information.
  • Remember that if something sounds too good to be true, it probably is.
  • Ask yourself why you would be singled out for a windfall or other special treatment out of the millions of other Internet users. Such offers are almost always a scam.
  • Don't believe everything you read. Just because an email or web site is presented attractively doesn't mean that it's telling you the truth.
  • Be patient. Too many users end up the victims of Internet crime because they do not stop to think, but instead act on impulse, clicking on a "sexy" link or an interesting-looking attachment without thinking of the possible consequences.
  • Unless you're certain of a person's identity and authority to request such information, never provide your personal information or information about your company/organization via email, text, or over the phone.
  • If you think an email may not be legitimate, attempt to verify it by contacting the company or organization directly. Don't use the contact information provided in the email to make contact, because it could be bogus; look up the organization's contact information yourself.
  • Double-check the URLs of websites you visit. Some phishing websites look identical to the actual site, but the URL may be subtly different.
  • Be cautious about sending sensitive information over the Internet if you're not confident about the security of the website.

How to Report Phishes

If you receive a phishy email that appears to come from U-M, forward the entire message with full original headers (see instructions for including full original headers) to abuse@umich.edu. The email sender cannot be identified without the full original headers.
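For readers who handle such reports, the following added example (not part of the original U-M page) shows what the full headers carry that a plain forward loses: the relay chain, the envelope sender, and the receiving server's authentication verdict. The sample message, the function names, and the choice of header fields are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: reserved example.* domains and documentation IP ranges only.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby inbox.example.edu with ESMTP id A1; Mon, 01 Jan 2024 10:00:05 -0500
Received: from host.example.net (unknown [203.0.113.45])
\tby mx.example.edu with ESMTP id B2; Mon, 01 Jan 2024 10:00:01 -0500
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: helpdesk@example.org
Subject: Urgent: verify your account

Click the link to keep your mailbox.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def origin_evidence(raw):
    """Collect the header fields an abuse desk uses to trace a message."""
    msg = message_from_string(raw)
    received = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    # Each relay prepends its own Received line, so the last one is the
    # earliest hop. Only lines written by servers you trust are reliable.
    first_hop = received[-1] if received else ""
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first_hop)
    auth = msg.get("Authentication-Results", "")
    from_dom = domain(msg.get("From"))
    env_dom = domain(msg.get("Return-Path"))
    reply_dom = domain(msg.get("Reply-To"))
    return {
        "from_domain": from_dom,          # what the recipient sees; freely forgeable
        "envelope_domain": env_dom,
        "reply_to_domain": reply_dom,
        "hops": len(received),
        "first_hop_ip": ip.group(1) if ip else None,
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        "envelope_mismatch": bool(env_dom) and env_dom != from_dom,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }

if __name__ == "__main__":
    for key, value in origin_evidence(RAW).items():
        print(f"{key}: {value}")
```

Running the same function on a message that kept only its From and Subject lines returns zero hops, no source address, and no authentication results, which is all a report forwarded without headers gives the abuse desk.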

I Responded to a Phish. Now What?

If you responded to a message that may have been a phish, follow the instructions at Compromised Accounts. You should carefully review any online account that became vulnerable as a result of responding to the message. For additional guidance, contact the ITS User Advocate.

Learn more about phishing.

Test your phishing knowledge.

Spam Filtering

It is important to keep your computer's browser up-to-date with all security patches applied. ITS uses Microsoft Forefront for spam and virus detection. In addition, there is an ITS service that can further reduce the amount of spam that you receive on your U-M email account.

  • Using the Do Not Spam List to Reduce Spam
    Rejects email from known sources of spam (available to all of the U-M community). This will reduce, but not eliminate, spam. Many spammers switch identities frequently and therefore avoid being listed as a known spam source.

Still have questions?

View questions and answers from the U-M community about spam and phishing.