Learn how to recognize and report phishing

Phishing is a form of fraud where a scammer attempts to have you reveal personal financial or confidential information by posing as a reputable entity in an electronic communication. Many scammers try to bait you by urging you to respond immediately by clicking a web link that appears official (with all the familiar logos or corporate phrases). Even if the request looks genuine, be skeptical and look for these warning signs:

  • The message is unsolicited and asks you to update, confirm or reveal personal identity information (e.g., full SSN, account numbers, NetID, passwords, protected health information).
  • The message creates a sense of urgency.
  • The message has an unusual From address or an unusual Reply-To address instead of a “” address.
  • The (malicious) web site URL doesn’t match the name of the institution that it allegedly represents. (For example… could be slightly changed to read: https://wIsc.ed/…).
  • The web site doesn’t show a padlock or have an “s” after “http” (that is, “https://”). The “s” does not mean the site is secure; it means your communication with the site is secure from eavesdroppers.
  • The link in the pop-up doesn’t match the printed text.
  • The message may not be personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
  • There are grammatical errors.
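
Several of the warning signs above can be checked mechanically. The following is an added example, not UW–Madison tooling: it flags a mismatched Reply-To address, plain-http links, and links whose printed text names a different host than the real target. The function names, the sign labels and the sample message are hypothetical, and a single-part HTML body is assumed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; example.edu and example.net are reserved domains.
SAMPLE = """\
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: support@example.net
Subject: Urgent: confirm your password

<p>Your account will be suspended. Confirm immediately:
<a href="http://login.example.net/verify">https://login.example.edu/verify</a></p>
"""

# Collects (href, visible text) pairs from <a> tags.
class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Host part of a URL or an e-mail address, lower-cased.
def domain(value):
    host = urlparse(value).hostname if "://" in value else value.rpartition("@")[2]
    return (host or "").lower()

def warning_signs(raw_message):
    msg = message_from_string(raw_message)
    signs = []
    reply_to = domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != domain(parseaddr(msg.get("From", ""))[1]):
        signs.append("reply-to-differs-from-sender")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part body
    for href, text in collector.links:
        if urlparse(href).scheme == "http":
            signs.append("link-not-https")
        if "://" in text and domain(text) != domain(href):
            signs.append("link-text-mismatch")
    return signs
```

An empty result does not mean a message is legitimate; these checks cover only the signs that can be read from the headers and links.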

To Report Phishing

Outlook users:
To report phishing emails received via Outlook, please click the “Report Phish” button on the toolbar/ribbon located at the top of your page. This action will send the questionable email to the UW–Madison Cybersecurity Operations Center (CSOC). 

Non-Outlook users: 
If you do not see the “Report Phishing” button, then forward the message as an attachment (Source: KB 34567) to Please do not simply forward the questionable email, as this will prevent us from seeing the header of the message and make it difficult to take appropriate action.

For additional information, please refer to: Office 365 – Submit a message as spam/phishing (Source: KB 45051).

If you are ever unsure whether an email message is legitimate, or what you should do with it, DO NOT RESPOND to it! Instead, contact the DoIT Help Desk (Source: for advice.