Phishing Examples

Below you will find two examples of phishing messages sent to the Ithaca College community. Follow along with the numbered boxes for an explanation on specific red flags that can help you spot a phishing email in the future.

Example 1:

  1. The display name field of an email is often the best place to start. This field can be easily manipulated to falsify the actual sender. Here we see the address as "ITHACA.EDU@bucknell.edu", there are two red flags here. First, the email is coming from the bucknell.edu email system. Announcements to the campus will come from an address ending with "@ithaca.edu". Secondly, "ITHACA.EDU" is suspicious given that it appears in all caps.
  2. The message body is often the most difficult section to spot a red flag. Common red flags in a message body are: spelling and grammar errors, a false sense of urgency, and information that could contradict your general knowledge about the college. Here the author does not have very many spelling or grammatical mistakes, but the look and feel of the message differs from legitimate communications sent from campus departments.
  3. Scrutinizing links can be the best way to spot a phishing message. The key step is to not actually click a link, but to hover your mouse's pointer over the blue text. This will display the actual web address a link will take you to. If a link does not point to an ithaca.edu website, it may be malicious. An example of this is given in the second picture of this example below.


  1. The link actually went to an off campus website that was designed to look like MyHome.


Example 2:

This example is one of the more difficult messages to spot as a phishing messaging, but by checking the display name, analyzing the body for contextual clues, and hovering over links, you will be able to see it is a phishing email.

  1. The display name here is "Ithaca HR" with the email address "hrpayrollhr@ithaca.edu". Once again, the sender manipulated the from: field to make it appear as if this message was sent from an ithaca.edu email account. If you are ever unsure if a message actually came from a user or department on campus, take the time to call them and confirm that they actually sent the message. Here the minor clue is that the email address hrpayrollhr@ithaca.edu is odd, given that it says "hr" twice.
  2. The body of this message is free from spelling and grammatical errors, but two details stand out. Firstly, veteran members of the faculty and staff will know from experience that salary raises emails like this are not sent via email. Secondly, the valediction or farewell of the letter uses the word "faithfully", this is somewhat out of character for emails sent from most campus departments.
  3. The link here is once again the best indicator that this email is not legitimate. When you hover over the link you can tell this link actually links to a website hosted on the Russian domain system. On web browsers, you need to look in the lower left corner for the details on where a link actually goes. This is illustrated and enlarged in the next two images.


  1. Start by hovering over the link with your mouse cursor.
  2. The info box appears in the lower left with the actual website you will be taken to.


Enlarged example.