Phishing scams are a form of Internet fraud. This type of scam uses spam or pop-up messages to trick users into disclosing credit card numbers, bank account information, Social Security numbers or other confidential information.
Cyber-criminals send emails or generate pop-up messages claiming to be from a legitimate business or organization that you might typically deal with, such as your Internet Service Provider (ISP), online payment services (credit card companies, eBay, PayPal), loan company, parcel delivery service, University and/or bank.
Phishing scams are becoming more sophisticated in nature because cybercriminals are incorporating company logos and company contact information in their scams. While designed to appear authentic, the websites you are directed to are actually controlled by the attacker and are intended to harvest your personal information.
Identifying a Phishing Scheme
When looking at an email, consider more than the information presented in the body of the email:
- Check the domain name and always be wary of unusual sources. If an email claims to come from an internal source, check to make sure it ends in the appropriate domain.
- Only visit trusted links. To review the link you're about to click, hover your mouse over hyperlinks (without clicking) to display the address of the page behind the link. Make sure the link URL directs to the page the email is indicating.
- Beware emails requiring immediate attention and/or demanding personal or account information. Other suspicious indicators include spelling/grammatical mistakes, an overall generic tone and an ambiguous website link.
In short, never reply to a message or click on a link in a message that asks for personal or login information, and report suspicious messages immediately.
Reporting Suspicious Messages
If you receive a suspicious message, report it immediately. An easy way to do so is through the Report Message add-in. This tool makes it easy to report emails that are incorrectly flagged or harmful messages that slip through security. Reports are sent to Microsoft and the UM System security team for review. This feature is automatically available in all Exchange Online mailboxes.
Avoid Getting Snagged
The University will never ask you for your username and/or password. This is private information and you should never share your password with anyone. Additionally, the University would rarely notify you about your mailbox exceeding its limits. If you receive a notice and are concerned, contact IT tech support directly.
Additional steps you can take to avoid being snagged in a phishing scam:
- Turn on your firewall and use anti-virus software. Anti-virus software and web browsers periodically offer updates, which contain security patches, so these items need to be updated regularly.
- Make sure your operating system and applications are up to date.
- Never email sensitive information.
- Limit your web browsing to well-known and trusted websites and use encryption. Use SSL encryption (https://) for web browsing when possible. If you initiate a transaction, look for an SSL-encrypted connection as well as indicators that the site is secure for transmissions, such as the padlock symbol.
- Beware of unsecured Wi-Fi connections. You should never access, transmit or receive sensitive information over an unsecured Wi-Fi network.
- Check bank and credit card statements regularly. Watch for any unauthorized charges and report them immediately.
- Before you act, carefully consider the type of information requested. Pay close attention to the site you are directed to.
- Do not click on direct links. If you get an email from a known source, such as your bank or credit card company, type their web address directly into your browser instead of clicking on the link provided. Remember, cyber attackers can spoof company logos and contact information.
- Do not open attachments from unknown sources. Attachments can contain viruses that allow cyber attackers to gain control of your computer system. If they gain access to your email directory or social media networks, they can send malicious emails on your behalf. If the email is from a known source, but the tone is generic and there is no explanation for the attachment, contact the sender before opening.
- Be cautious when using a public space. If you are using a public computer, never save items to the machine, clear your cookies and cache, and sign off before you leave.
- If it seems too good to be true, it is probably an attack. You can report phishing email to the University. To do so, open a new email message and address it to abuse@missouri.edu. Drag and drop the phishing email from your inbox into this new email message as an attachment.
Frequently Asked Questions
Yes. Just because an email reached your account doesn’t make it legitimate. While the University directs email through anti-spam filters as it enters our mail servers, it is inevitable that some of these emails may still reach your account. Cybercriminals are constantly looking for ways to bypass our rules. Additionally, there are instances where an internal user's account has been compromised and their emails are allowed to pass through our filter. Given this, it is critical that you become familiar with how to recognize a phish and know what to do when you get one.
Yes, the University of Missouri filters email based on technical flags associated with known bad senders and known bad web links.
Filtering is done to:
- Reduce the amount of junk mail our users must deal with
- Protect our users and our IT systems from phishing schemes and malware
University email technicians use spam filtering tools to block millions of unwanted inbound emails, which are known as junk mail and phishing messages. Spam/junk mail and phishing indicators are not created by University IT employees. They are developed by security companies, such as Cisco, through analysis and the sharing of information about known bad senders and known bad web links.
If you didn’t receive an email you were expecting, make sure to contact your campus IT tech support team:
- University of Missouri-Columbia: 573-882-5000
- University of Missouri-Kansas City: 816-235-2000
- Missouri University of Science and Technology: 573-341-4357
- University of Missouri-St. Louis: 314-516-6034
Cybercriminals can use your information in a variety of ways. With your personal and financial data, cyber-attackers can commit fraud and identity theft. They also can harvest your account information to send out more spam to others. By pretending to be you, they may be able to get more users to click on their malicious sites.
If someone on the Internet has their email account compromised, their email address might be flagged and placed in this quarantine. If you believe an email address that you are expecting mail from should not be blocked, you may request that the address be added to an allow list. That list is used by the information security team to allow emails from selected, trusted senders to make it through the filters. To request an address be added to the allow list, work with your departmental IT support personnel. Requests should be sent to security@missouri.edu. Please note that submitting a request does not guarantee it will be granted.