fish caught in a net

Don’t touch that phish!

I need your help. Please contact me right away.

Receiving an email with that kind of text feels urgent, confusing and scary. You instinctively want to reach out and help, especially if it was sent to you by someone whose name you recognize or from an email address ending in

Scammers are getting better at their craft and it’s more important than ever to learn how to recognize a phishing attempt and avoid being compromised.

Phishing warning signs

Phishing is a form of fraud where a scammer attempts to have you reveal personal, financial or confidential information by posing as a reputable entity via electronic communication. A phishing attempt will try to entice you to open an attachment or click on a link to a site that appears legitimate. Even if the request looks genuine, be skeptical.

Here are some warning signs of a phishing attempt:

  • The message is unsolicited and asks you to update, confirm or reveal personal information (e.g., full Social Security numbers, account numbers, NetID, passwords, protected health information).
  • The message creates a sense of urgency.
  • The message has an unusual From address or an unusual Reply-To address; it may also come from a compromised “” address.
  • The (malicious) website URL doesn’t match the name of the institution it allegedly represents. For example,… could be slightly changed to read: https://wIsc.ed/…).
  • The website doesn’t include a padlock and have an “s” after “http//:” The “s” does not mean the site is secure; it means your communication with the site is secure from eavesdroppers.
  • The link in the pop-up doesn’t match the printed text.
  • The message may not be personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
  • There may be grammatical errors.

If you receive a phishing email, don’t click on it, report it.

How to report phishing

Outlook users:

To report phishing emails received via Outlook, please click the “Report Phish” button on the toolbar/ribbon located at the top of your page. This action will send the questionable email to the UW–Madison Cybersecurity Operations Center (CSOC).

Non-Outlook users:

If you do not see the “Report Phishing” button, then forward the message as an attachment (Source: KnowledgeBase 34567) to Please do not simply forward the questionable email, as this will prevent us from seeing the header of the message and make it difficult to take appropriate action.

For additional information, please refer to: Office 365 – Submit a message as spam/phishing (Source: KnowledgeBase 45051).

If you are ever unsure whether an email message is legitimate, or what you should do with it, DO NOT RESPOND to it! Instead, contact the DoIT Help Desk (Source: for advice.