Skip to main content

Spam and Phishing

Online scammers use established communication methods (email, social media, websites) to lure individuals into providing them with personal information and or money. This is called phishing. If someone obtains your information, it can be used for identity theft or other malicious behavior. It can be difficult to distinguish between legitimate requests and these scams.

BYU–Hawaii will never send an email that requires you to verify your personal information, ask you for your username and/or password, or require you to send or loan money to an account. Banks and financial institutions will not ask you for this information either.

5 Ways to Spot a Phishing Email

Phishing emails are extremely common and an extreme threat to personal information. Here are 5 ways to spot phishing emails:

  1. The email asks you to confirm personal information.
  2. The web and email addresses do not look genuine.
  3. It is written poorly - many grammar mistakes and misspellings.
  4. There is a suspicious attachment.
  5. The message is designed to make you panic or designed to make you act quickly.

What Not to Do

If you have received a suspicious email, you should never give out personal information including social security numbers, passport information, bank account information, or physical address to an unknown source or organization.

What to Do

If you believe you have received a phishing email, do not click any attachments or links, and do not reply. Report the email as soon as possible by forwarding it as an attachment to or using the following the steps:

Outlook Client

  1. Open the email.
  2. Go to the "Home" tab.
  3. Click "More" in the "Respond" section.
  4. Click "Forward as Attachment."

Web Client (

  1. Click "New Mail."
  2. Drag the email you would like to forward to your new email draft.

Pre-2010 Outlook Express/Outlook

  1. Open the email.
  2. Go to the "Actions" menu.
  3. Go down and click on "Forward as Attachment."

Mac Computers

  1. Right click the email.
  2. Click "Forward as Attachment."


  1. Download the email from Gmail by clicking "Download message" in the dropdown menu next to the reply button.
  2. Before clicking save, change the file type to "all" and change ".eml" in the file name to ".txt"
  3. Upload this .txt file as an attachment to an email to .

The Office of Information Technology will assist by taking the necessary actions to ensure security of the issue. If you have questions about phishing or email scams, you may contact the IT security coordinator by calling (808) 675-4524 or emailing

Tips and Tools
Why Worry?
Tools, Tips, and Tricks

No, we aren't talking about the breakfast food or rod and real. Spam and phishing are actually multi-billion dollar industries aimed at exploiting and defrauding you.

E-mail is an indispensable communication tool, as it provides a reliable, fast, and free way to communicate with others. Unfortunately, it too has its downsides when you receive mail that is inappropriate, unsolicited, unwanted, or irrelevant. Spammers often flood your inbox with promises of free vacations, free credit repair, dramatic weight loss, advance loans, free adult entertainment, and much more. Some spam has become even more potentially damaging. “Phishing" is a form of spam that fraudulently misrepresents the sender as a trusted authority, e.g., your bank, a social networking service, even the University. The phisher's intent is to acquire sensitive personal information about you, such as your Social Security number, your birth date, or credit card and banking information. Spam and phishing are multi-billion dollar industries aimed at exploiting and defrauding you. You should use the tips and tools described in this section as well as your common sense to keep yourself safe while using e-mail.

Spam is an aggressive, ethically suspect form of marketing, similar in nature to telemarketing. Through various means, spammers assemble massive lists of email addresses to which they can send solicitations, advertisements, and other messages. If you have published your e-mail address on a website or discussion board, shared it in a chat room, or posted it in on an online membership directory, your address is probably on some spammer's list somewhere. Unlike telemarketers who have to call one number at a time, spammers can send millions of email messages with just one mouse click. Spammers use a variety of techniques to make you think the message is legitimate or from someone you know. Spam messages will sometimes include your name or imply that you asked to be contacted. Not only does spam clog your inbox, but the messages can also contain inappropriate content, even pornographic images. Spammers also use enticing messages to commit fraud and identify theft.

Phishing is spam that contains deceptive, enticing, or even coercive messages aimed at fooling users into sharing private, personal information with the sender so they can commit fraud and identity theft. Phishers generally send e-mail messages posing as valid and trusted entities such as banks, social networking sites, or even universities. The recipient is then instructed to reply either to the email or to follow a link in the message to login to their account. Sophisticated phishing messages can look very legitimate. Phishers have been known to replicate the design of banking, e-commerce and other websites down to the pixel to trick people into divulging their private information. Be wary of entering information on a website — no matter how official it may look — if you reached the site by clicking on a link in an e-mail message.

Here is an example of a phishing email that was recently sent to BYU students and employees by a spammer.

Dear email account user,
We are currently verifying our subscribers email accounts in order to increase the efficiency of our webmail features.
During this course you are required to provide the verification desk with the following details so that your account could be verified.
Email Username:……………
Country or Territory:……………
Kindly send these details so as to avoid the cancellation of your email account.
Thanks Team

This email did NOT come from BYU and its only purpose was to gather NetIDs and passwords for fraudulent purposes.

Websites & Pop-ups
Another tactic might be to use a website to gather sensitive information mentioned above. An email message or a pop-up window might ask you to click on a link. The link may look like it is the correct address, however it may be a disguise for a link to another website which the phisher has created to imitate and mimic the trusted website. Even when using server authentication, detecting a fake website may require great skill.

Dos and Don'ts

  • Avoid replying to email that solicit personal or financial information. Legitimate companies do not request this type of information by email.
  • Avoid emailing personal or financial information.
  • Avoid providing personal or financial information to pop-up windows on the Internet unless you absolutely trust the website.
  • Always check sites for a security certificate
  • Avoid calling phone numbers that require you to "update your account information" or "access a free refund" - if in doubt call the numbers that your bank has provided.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
  • Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
  • Forward phishing emails to – and to the company, bank, or organization impersonated in the phishing email. You also may report phishing email to
  • If you've been scammed, visit the Federal Trade Commission's Identity Theft website at

How can you reduce the amount of spam you receive in your inbox?

  • Before you submit your email address to a website, check the company policy agreement to make sure they will not sell your address to third-party companies.
  • Use an email filter. The email client you are using may offer a tool to filter out spam, or a way to send spam email to a bulk folder.
  • Decide if you want to have multiple email addresses. You could use one address for personal messages, and another email address for newsletters, special offers, etc.
  • Use a unique email address. A common email address such as may receive more spam than a unique email address.

What can you do with spam and phishing emails you receive?

  • Send a copy of the spam or phishing email to the Federal Trade Commission to
  • Send an email to the sender's Internet Service Provider (ISP). Many ISPs will remove the email address of the individual(s) who are sending spam or phishing emails.
  • Depending on your email provider, you may be able to mark the email as spam, or place it in a bulk folder.

Spam Filtering & Anti-Phishing Software

E-mail providers (e.g., Hotmail and Gmail) provide user-configurable spam filtering. You can adjust the stringency of spam filtering up or down to reduce the amount of spam that makes it into your inbox. While you might be tempted to set your spam filter to the most stringent level, doing so might send legitimate messages to your spam folder instead of your inbox. If you choose to strictly filter spam, you should occasionally check your spam or "junk mail" folder for messages that were over-filtered.

If you have a e-mail address, you will notice that most spam is filtered before it reaches your inbox. If you use an e-mail client (e.g., Outlook or Thunderbird) you can filter messages as you download them. There are additional options available in these tools filtering junk mail, including flagging particular e-mail senders as spammers, filtering words and phrases, etc. This software also allows you to hide images in e-mail messages until you choose to view them. This feature can be particularly helpful if you're receiving spam with objectionable or pornographic images.

Many community-based tools offer to check websites for malicious or suspicious content. They may provide helpful information to detect phishing such as displaying the site's security standards; detection of fraud emails/websites; displaying a site's hosting location - for example, a local bank hosted in south-east Asia might be fraudulent; and detecting potential phishing links.