What Is Phishing?
Criminals use malicious email and websites to try to trick you into revealing your password or other sensitive information or to infect your computer with malware. Phishing email often uses urgent language, asks for personal information, and has grammatical, typographical, or other obvious errors.
Learn to Spot Phishes
Quick Tip: Check Links Before Clicking
Check the full URL to see if it goes where you expect.
- On your smartphone or tablet, press the link and hold down until a dialog box appears containing the URL.
- On your computer, hover over the link with your mouse. The URL will usually appear in the lower left corner of your window.
Pay Attention to Banners
- Google Mail Users. Google Mail at U-M flags messages that may be suspicious to help you identify potential problems. See Google Mail Banners Warn of Suspicious Email.
- Michigan Medicine Outlook Users. Take note of an automated warning banner at the top of emails received from senders outside the university that contain links or attachments. The email banner urges extra caution with such messages.
Phishing Clues You Can Use
- Don't Fall for Phish! Test your phish detection skills in this U-M phishing training.
- Look Before You Click. Beware of Phishing! (10-15 minute eLearning course; login with UMICH (Level-1) password required). Learn how to recognize and protect yourself from phishing attempts.
- Office Doc Dangers: Macros & Enabled Content Pose Risks. Learn what to watch out for in shared MS Office documents.
- Phishing Examples: What to Watch for. Includes screen shots of fraudulent and safe emails and webpages at U-M.
- Ransomware: Don't Pay the Ransom!
- Shared Document Emails Can Be Traps. Shared documents aren't always what they seem.
- U-M's spear phishing video
For additional quizes, tips, and information from beyond the university, see Phishing & Suspicious Email: Recommended Resources.
Where to Report Phish
Phish at U-M
You can report suspicious emails you receive at your university email account (U-M Google or Michigan Medicine Outlook) to the university.
For phishes that appear to impersonate a U-M address or service, send the entire message—with full email headers if possible—to ReportPhish@umich.edu. If you use U-M Google Mail, you can also report the phish to Google by using the report phishing option.
Note to U-M Google Mail users: If your message is rejected when you try report spam or phishing to ReportPhish@umich.edu, please try the following:
- In the message you would like to report, click the down arrow next to the Reply arrow and select Show original.
- In the Original Message screen, click Download Original to download the page as a .txt file.
- Compose a new message, attach the file you downloaded, and send the new message and attachment to ReportPhish@umich.edu.
If you receive a phish impersonating a bank, retailer, or other institution, please consider contacting them to let them know.
If You Get Caught
If you gave personal information in response to a phishing email or on a suspicious webpage, your account may be compromised.
- Change your UMICH password and follow the instructions at What to Do if Your Account May Be Compromised.
- Carefully review any online account that became vulnerable as a result of responding to the message.