'phishy' email, covered in holes, hooked by a fishing hook

Phishing? Smishing?
Learn to Recognize Scams!

Phishing is a bogus or malicious email sent to steal personal information such as usernames, passwords and other sensitive data. By impersonating an email from a trustworthy entity, the scammer pretends credibility or urgency to trick you into (unintentionally) giving up the personal information or providing your access to a system at UofL.

There are many different types of online and digital messaging scams – email phishing, text or SMS smishing, spear phishing, social engineering, whaling, malvertisements, vishing, fake Duo prompts, QR code attacks and more. We try to filter out most known email phishing attempts but can't catch all of the lures sent to your @louisville.edu email address. It is very important to learn how to report scams and how not to get hooked or bite onto the wrong clickable link.

four fish surrounding a 'report phishing' icon, one of the fish looks like a 'cardinal' fish
ocean floor

Email Phishing

In this type of email phish, the scammer pretends to be a credible source to trick the recipient into giving up personal information or providing your access to a system at UofL. The attacker will register a fake domain (sender’s email or web address) or format the email’s headers to look like the inquiry comes from a trusted source. There could be logos or trademarks that mimic a real organization. Often embedded buttons or QR codes hide the scammer’s harmful links or malware.

Look for fear-based actions, such as urgent payments or technology concerns, where you must click on a link or open an attachment. The email will imply bad consequences if you do not act. Ask yourself, would this supervisor (department head), establishment (bank) or institution (IRS) really contact me in this manner or ask me for this action?

email phishing example

Spear Phishing

Spear phishing are targeted emails to specific individuals. By gathering easily accessed, online information about you, such as name, job position, role at UofL or area of study, the attacker will use the data to their advantage in the email. The scammer will pretend to be someone who knows you or an entity with an unexpected need.

The goal of spear phishing is to steal sensitive information such as login credentials or infect your target device with malware. Hackers often send specialized targeted emails using a compromised email address or contact list to infiltrate their recipient’s system. Often the malicious content uses the scammer’s knowledge of your position to take an action that, ultimately, harms the institution or provides access to the university’s secure data.

spear phishing example

Social Engineering

Online social engineering targets you in the same manner that a con artist swindles a mark for money. Through the psychology of persuasion, the scammer gains your trust while you lower your guard and reveal personal info, divulge sensitive data or click on an attachment. A cybercriminal communicates with the victim (email, text) saying that they are from a trusted source – like your bank, UofL’s administration, etc. – and need you to take immediate or further action. Sometimes the email looks realistic with logos or appropriate signatures.

  • Verify the sender! If it looks suspicious or you are not comfortable, don’t click or respond. Check on the authenticity of the message.
  • Be wary of tempting offers or out-of-context urgent requests. Ask yourself if the sender would really contact you in this manner. Check the source.
social engineering phishing example

Duo Smish TEXT

Did you get a UL2FCTR/Duo authentication request that you did not initiate? UofL’s Duo or second factor service will never email, call or text you asking for a passcode or PIN. We don’t send SMS or text notifications without you first signing into a system.

  • If you’ve gotten a Duo request that you didn’t initiate, deny the request. You should only get a prompt when you are trying to access a UofL resource that has UL2FCTR required.
  • If you’ve gotten a SMS or text with a passcode that you didn’t request, auto-report it to your mobile device provider (ATT, Verizon, etc.) and delete it.
  • If you get a fraudulent phone call, don’t press any keys or verify your identity, hang up. Block the number on your device.
  • Always check the location of the push request (does it match your location?) and remember, avoid sharing Duo passcodes with anyone!

REPORT UL2FCTR fraudulent activity to ITS.

duo smish example oneduo smish example two

Smishing or Vishing

Phishing to your cell phone via text or SMS message is smishing. Vishing are scams that come as short, fraudulent phone calls. Working in a manner similar to phishing emails or social engineering, the smish or vish uses known or familiar sources to play on a sense of urgency – often bill paying, bank transactions, car warranties, package delivery – to get you to click or reply with information.


  • Communication via text or messaging apps to your smart phone or tablet that prompt you to open a link to a webpage or another app often hide malware that will infect your device.
  • The smish might include a link to track a package or confirm a delivery, even though you did not order anything recently.


  • Sometimes fraudulent calls are made by actual people; other times they are done via robocalls. The scammers may even spoof phone numbers of real companies or individuals to deceive you.
  • The scammer informs that you won a contest or have unusual activity on your bank or credit card. They will then ask for personal information or to access your account to check or receive a deposit.
smish vish example onesmish vish example two

Duo Phish PROMPT

Did you get a UL2FCTR/Duo verification prompt request that you did not initiate? UofL’s Duo or second factor service will never email, call or text you asking you to verify a separate prompt. We don’t push authentication notifications without you first signing into a system.

  • Attackers will send or initiate a prompt to your Duo account with the intention of the legitimate user accepting it without paying attention to the listed location.
  • Always check the location of the push request (does it match your location). If you’ve gotten a push request that you didn’t initiate, deny the request. You should only get a prompt when you are trying to access a UofL resource that has UL2FCTR required.
  • If you get an unauthorized Duo prompt, it is possible that the scammer has tried to access a system with your personal email, userID and/or password. We HIGHLY suggest updating your UofL password via our Identity Management System immediately.

REPORT UL2FCTR fraudulent activity to ITS.

duo phish example oneduo phish example two

Multiple Phish Attack

Scammers often use more than one method of attack – a phishing email with a nefarious link to a fake webpage that displays a dubious UofL sign in which initiates a Duo-looking message to accept a prompt. Yes, cybercriminals are devious and getting better every day.

With AI tools, simple browser extensions, webpages are easy to copy or recreate – so detecting the fraudulent ones is difficult. Scammers can steal a user’s UofL credentials and Duo login codes by redirecting recipients to a fake UofL login page. The phishing email and webpage steal UofL branding and use forged UofL email addresses to appear more realistic. This is also frequently done with Microsoft Outlook imagery, PayPal or other popular banking visual identifiers – the phishing attack states an urgent need to fix your account.

multiple attacks example

Exhaustion Phish Attack

Nag, nag, nag to get you to say yes. Scammers will send requests over-and-over to annoy you into accepting one to make it stop.

  • For emails, use the Report feature within Outlook.
  • For text messages, the only answer is to report the number to your provider and block the sender each time. It is critical that you do not click to accept on any suspicious links or requests.
  • For UL2FCTR / Duo prompts that you did not initiate, do not accept the prompt. Report Duo fraudulent activity to ITS.

Two-factor fatigue and email/text bombing are tactics where attackers flood a user with repeated requests to exploit the user's decreasing alertness due to exhaustion. Take time to think about what you are being asked to do and why before you act. Think twice before clicking within text messages or providing sensitive information on unsolicited inquires.

exhaustion example oneexhaustion example two

QR Code Quishing

QR (Quick Response) code phishing, or quishing, is both social engineering and a multiple phishing attack in one that scams an individual into scanning a fake QR code in order to either redirect you to a bogus website or install malware on your device.

QR codes show up in emails but are often found publicly as printed for the ease of use in a situation. Be on the lookout for any of the following:

  • Any unsolicited QR codes. Phishing emails and social media often feature these codes for scanning. Make sure that the code comes from a trusted source.
  • The QR scan/redirect takes you to a spoofed site where the URL differs from the original or provided website address.
  • Requests to enter sensitive information like login credentials or personal data. The site will steal information that you enter.
qr code example

How to Identify Phishing

Use the SLAM method

  1. Check Sender
  2. Is the sender’s email and name a valid entity?

  3. Check Link
  4. Hover over any embedded link. Is the URL really legit?

  5. Check Attachments
  6. Never open any attachments until you confirm sender.

  7. Check Message
  8. Does it have any of the following?
    Urgency: The scammer needs you to do something right away! These scams are brief and to the point… Send me your phone number.
    Bad Grammar: Pleese advise to reply me with your private phone number and occupation. Kindly engage me about your needed financal aid status.

If you are not sure of a link, URL, attachment or sender, please
Report it to ITS for verification.
If you are not sure of a link, URL, attachment or sender, please
DO NOT CLICK IT OR REPLY! Report it to ITS for verification.
alive cardinal fish about to take the bait of a phishing hook, and a floating fish that didn't make it

How to Report Phishing

If you believe you have been phished or you inadvertently exposed your UofL ID and or password, please reset your password.

Report Email Phishing

Select the Email > Report > Report Phishing

This option is for when you believe it is a phishing attempt. This will send it to us for investigation and manual remediation.

If you see an email subject such as: "Issue with Payment" and the email is asking you to send money, call them, or submit your card information, it may be phishing. If it is, then reporting as phish would be the better option.

two fish, one happy cardinal fish about to report some phishing, and another smaller fish whom is also happy to report phishing next to a 'report phishing' email icon

Report Junk

Select the Email > Report > Report Junk

This option is for marking an email and its sender as "junk." Emails are sent to junk so that they do not clutter up one's inbox and senders marked as junk do not give notifications when the email arrives.

If you see an email with a subject similar to: "Check out these cool t-shirts!" This is most likely general spam, so reporting this as junk would be the best course of action.

three fish gazing upon a 'report junk' email icon
two fish, one larger and yellow on their phishy phone, and the other smaller and blue, gazing upon a 'report junk' icon
many hooks, one with a piece of torn email, and another with a humorous chunk of 'spam' hanging off the hook

Phishing, Spam or Junk

It is often tempting to report every unwanted email as phishing. Reporting emails that have automatically gone to your junk, or reporting spam as phishing sends these for manual review. Reviewing emails that are junk, unwanted, or spam overwhelms our system. Instead, we would ask that you empty your junk folder often.

Phishing contains or include:

  • Messages that seem personal but “aren’t quite” correct.
  • Attempts to get information from you via email, text or phone calls.
  • Impersonations of VIPs or supervisors you know.
  • Fear based content to threaten or extort.
  • Demands urgent action, clicking of links, downloads, copy/ paste of URLs, and scanning QR codes, etc.

Junk or Spam emails contains or include:

  • Advertising a product or marketing campaign requests.
  • Get rich quick schemes or easy job offers. Stock market or crypto trading.
  • Gambling opportunities and dating requests.
  • Hoax virus warnings or technology deals.
  • Chain emails which encourage you to forward to multiple contacts to bring ‘good luck’ to you.