
October is Cybersecurity Awareness Month. All month long, the Information Security Office is sharing ways you can protect yourself — and the University — online. Discover more Cybersecurity Awareness Month events, or for tips on strengthening cybersecurity year-round, visit Safe Computing at UNC. 

Phishing — where scammers try to trick you into sharing your personal information or sending money — is one of the biggest cybersecurity threats to you and the University.

You’ve probably heard that. But do you wonder why phishing emails get through at all? And do you know what to do with phishing emails when you get them? Here are all your answers in one place.

By the numbers

First, a little perspective about phishing at UNC-Chapel Hill. On an average weekday, UNC receives about 1.5 million emails. While most of these emails are to and from campus users, we receive a few hundred thousand a day from external senders.

Messages from external senders can be from many legitimate places, like partners at other universities or government agencies, newsletters and prospective students or employees. But external senders also represent the bulk of junk mail and phishing attempts.

On an average day, UNC receives about 300,000 inbound emails — and IT systems block 200,000 of them as either junk or phishing.

How to report phishing

While email filters remove most junk and malicious email, some get through. This means you should know how to spot phishing (which we’ll cover later) and how to report it.

When you know — or strongly suspect — an email is phishing, report the message in Outlook. Reporting a message as phishing alerts Microsoft to review and potentially remove the email from other inboxes. Removing the email before other recipients see it can help keep other Tar Heels safe.

Depending on which version of Outlook you’re using, you may navigate to slightly different places to report phishing.

For Outlook online (Heelmail) and desktop Outlook on Windows and Mac, first select the phishing email, then click the Report button in your toolbar. You can find the toolbar directly above your inbox — it includes commonly used actions like deleting or marking items as read.

In Outlook online, the report phishing button is on the toolbar, just above the inbox. It includes a dropdown arrow with the options to report phishing and report junk.

Can’t find the report button? Depending on your toolbar’s layout, Report may be hidden under a three-dots menu or dropdown menu. If you’d like to make Report easier to find, you can customize your toolbar to rearrange your toolbar buttons.

In the Outlook mobile app, tap the three-dots menu at the top of the message. In the dropdown menu, tap “report junk,” then select “report phishing.”

What’s the difference between junk and phishing?

After reading the instructions on how to report phishing, did you ask yourself what’s the difference between reporting “junk” and “phishing”? If you did, you’re not alone.

“Junk” is another word for email spam, or unsolicited and unwanted mail. Phishing, on the other hand, is malicious mail meant to steal or trick you into sharing personal information or money.

When you “report junk,” the message is moved to your Junk Email folder. You still have access to the email and future similar emails are routed to your Junk Email folder.

When you “report phishing,” Outlook deletes the message from your inbox and passes along a report for further investigation.

How to spot phishing

Many phishing emails follow similar patterns. Here are a few things to watch out for:

  • The “from” address doesn’t match the sender name or is an attempt to look like someone affiliated with the University, like
  • The “to” field includes a bunch of other people, or it’s blank and you are blind carbon copied (bcc’ed).
  • The email has poor spelling and grammar. It may also feel stilted or like it’s written by AI.
  • There’s a sense of urgency or emotional manipulation. Common ploys are that you must act now or bad things will happen, or that you’ll miss out on an opportunity if you wait.

And keep in mind that just because a message is from — or appears to be from — a UNC email address, that doesn’t mean it’s legitimate. Phishers not only spoof, or fake, email addresses; they also often use compromised UNC accounts to send out emails. When an account is compromised, the phishers can access the account and do anything an account owner could do — including sending email.

Phishers love sending emails from compromised accounts for two reasons. First, because recipients are more likely to click links or download attachments from people inside their organization. Second, because emails from real people are less likely to get trapped by spam filters. For this reason, you need to always be careful, even if you know and trust the sender.

If you are suspicious of an email and need help determining if it’s phishing, contact the ITS Service Desk. You can call 919-962-HELP (4357) or use the Help Portal to chat live or submit a help request. Phishing emails almost always include a sense of urgency — that you must act now. But the reality is that there’s always time for you to get a second opinion from ITS before you respond.

Phishing can take many forms.

For tips on spotting job scams, which commonly target students, check out this recent ITS News article.

