Graduate Students Targeted by Phishing Scams, Suffer Financial Losses


August 16, 2021

By Katya Hrichak

You receive an email from your advisor.

It reads: “Do you have any free time now? I need you to take care of something urgently, send me your cell number where I can text you. Thanks.”

You are now faced with a dilemma, as you suspect this email might not actually be from your advisor. Do you send your cell phone number in case this is a legitimate request? Or do you ignore the email and risk potentially upsetting your advisor?

The correct response, according to IT at Cornell, is to check the authenticity of the email before making any decisions. The example above is one of many emails reported as phishing attempts and cataloged in the Cornell Phish Bowl.

By replying to a suspicious email that requests personal information, money, campus jobs, or research opportunities, graduate students have fallen victim to online scams. Some students have even lost thousands of dollars.

Individuals responsible for phishing scams are crafty and often use “from” addresses that resemble Cornell email addresses as well as URLs that open to pages mimicking real website log-in screens. According to IT, the first step a student should take upon receiving a suspicious email is to verify the source.

Campus contacts can be checked by using the search tool on Cornell’s website and using the “People” filter to confirm the contact’s Cornell email address. Emails from outside companies, such as banks or online shopping platforms, can be checked by navigating to their main websites using a trusted search engine and locating contact information there.

In the case that the information does not match, email recipients should check the Phish Bowl to see if anyone else has reported a similar email as an attempted scam and also forward the entire text of the received message and the email headers to the IT Security Office at

“Scams are becoming more sophisticated, and the sender might know a little about you from web searches,” said Jason Kahabka, associate dean for administration. “For example, they may reference publications or current research that you’ve posted or appeal to you based on some other known affiliation.”

Luckily, there are often clues in phishing emails that students can look for when verifying authenticity. These emails are often poorly written, with text in all capital letters, spelling and grammar errors, and fragmented thoughts and sentences; request personal information or money; convey urgency through exclamation points, words like “immediately,” and threats to close an account; or come from a “from” address that does not make sense.

By looking for these clues, hovering over URLs for their real destinations, and verifying senders, graduate students can better protect themselves and their assets.

“Never, ever, ever send funds using gift cards or cryptocurrency. Those are red flags and usually cannot be traced,” said Kahabka. “Real Cornell students have lost real dollars to these scams. The risk is not hypothetical.”

Learn more about how to protect yourself on IT@Cornell’s Spot Fraudulent Emails (Phishing) webpage.