You are seeing this page because you clicked a link in an email that wasn't what it seemed.

Phishing emails entice you with offers, or scare you with threats of loss, to trick you into visiting a malicious site and handing over sensitive information. If this had been a real phish, attackers might now have your UT EID password, could have infected your device, or may have stolen sensitive University or personal data.

If you suspect you've received a phishing email, you can forward it to the UT Postmaster (at postmaster-abuse@utexas.edu) or use the "Report" button in your Outlook mail client. Please also notify your local IT staff.

Let’s learn how you can detect phishing attacks like these, so you don’t fall victim to a real attack.

Outlook and desktop mail clients

Here's a great example of what the most determined, skillful phishers could send. The message uses authentic UT graphics, references actual UT organizations, and relates to a topic that seems plausible.

A few clues should lead you to think twice: The presence of a soon-approaching deadline and mention of “delays in paycheck processing” are crafted to add a sense of urgency. Let's also look at the hard evidence:

Cross-reference what the hyperlink says it is vs. where it really goes.
  1. Though the sender’s name is “Financial & Administrative Services”, an actual campus organization, the sender’s address (finance@utexas.cloud) is not an official University account.
  2. Hovering over the link (or tapping-and-holding on a mobile device) reveals that the “re-submit timesheets” link points to a site in the utexas.cloud domain, which is not part of the University’s official utexas.edu website.

These clues should expose the message as a fraud. When you think a suspicious email or website is trying to trick you, check with your local IT support, the UT Service Desk, or the Information Security Office.

How do you know whether a link looks legitimate? See the Inspecting hyperlinks section, below.

Outlook Web App (OWA)

Like with Outlook or other desktop mail clients, hovering your mouse cursor over a hyperlink will expose the link's true path, but you'll have to look carefully…

In this screenshot, the bottom-left corner shows the true destination of the hyperlink.

It can be hard to spot at first, but a link's true path will always be revealed in the bottom-left corner of the browser.

For practice, take a moment and inspect these three links. You don’t have to click them; just inspect them and note which ones go where they say they’re going:

See the Inspecting hyperlinks section, below, for how to tell whether a link is legitimate.

Mobile mail apps

If you're checking your mail on your phone or tablet, instead of tapping the link, do a long press. When you press and hold on the link, it will just display where the link will take you, rather than actually taking you there. As before, think of what the link says it is vs. what its true destination is.

For practice, take a moment and long press these three links. Note which ones go where they say they’re going:

See the Inspecting hyperlinks section, below, for how to tell whether a link is legitimate.

Inspecting hyperlinks to determine their safety

When you're inspecting a link in an email, or on a website, how do you know if it's legitimate or a scam?

Links have lots of information in them. They can be daunting. We'll break it down, so you can focus on the most important part. Take this link, used in a real phishing attack:

That's a lot of information, and some of it looks legitimate. But, once you understand the structure of links, it becomes easy to see why this is a malicious link.

Websites are hosted on computers, much like the one in your office. The Host part of a link tells you the name of the computer.

And just as your computer has files and folders on it, websites have them too. The Directory part of a link is just like a folder path on your computer. The very last piece of a link is the File name. It tells you the file you’re looking at, just like a Word document or spreadsheet on your computer.

So, now we know what all this information means. What’s really important?

No matter how long and confusing a link is, the Host is all you need to focus on. Attackers can manipulate the Directory and File name to look like legitimate content, but they can never change their Host to perfectly match a legitimate one. Let’s look at a legitimate Host now:

Now that we know the Host is what's really important, let's focus even more. Find the first single (not double) "/" in the link:

Look at the two words to the left of it, separated by a period "." Those two words can never be manipulated; they always tell you a website’s true identity. In the image below, those two words are "utexas" and "edu":

Compare the two images above. In the first, utexas.edu is the true destination of the link, while the second one would send you to org.ru. Look at the rest of the org.ru link. You can see its File name is trying to impersonate the Host of the first link!

Take a look at your web browser to find the address of the site you’re on, right now. What is its true source?

Now, look at the phishing email that brought you here, and use all you’ve learned to identify it as a phish.

You’re now more prepared than you were before. Remember, when someone asks you for your EID password, personal info, financial info, or other sensitive info, slow down and verify. Beware of enticing offers and threats of loss; treat them as a signal to slow down and verify what’s really going on before you proceed.

When you identify a phishing email, report it to postmaster-abuse@utexas.edu and notify your local IT staff. The Postmaster will block any additional phishing emails from the attacker, and your local IT staff will spread the word about the attack, so others don’t get caught.

If you have any feedback, questions, etc., please contact us.

Back to top