Beware of Phishing Scams Targeting the UCR Community

Wed, 02/12/2025 - 12:00
UCR Information Security Office
February 12, 2025

Phishing scams can trick anyone. Whether you are a student, faculty, or staff, you are at risk of being a target. Prevent phishing scams by following this simple and proven method: read and understand, then act.

The first step in spotting a phishing email is to read carefully. Refrain from taking quick actions, like clicking links (including QR code links), downloading an attachment, or even responding to the sender.

As you read your emails, be mindful of the following:

  • Sender information - Don’t rely on the display name alone, as this can be spoofed to look like someone you know. Be sure to view the actual email address that sent the message. When in doubt, contact the person directly to confirm the legitimacy of the email by calling them at their known number or sending a new email to their known email address. 
  • Grammar, spelling, and context - Scam emails often contain errors or poor sentence construction; however, generative AI has allowed scammers to generate more convincing messages. You should also stop to ask yourself whether the context of the message makes sense. Would this person really be asking this of you?
  • Pressure to act fast - Keep in mind that entities, like your bank or UCR, almost always provide advance notice if action is required on your part. If this message is the first time you’re hearing of this request, take a pause and look through your other emails and communication channels to determine whether this is something that has been communicated previously.  
  • Request for login details - Entities that value your privacy and security will never ask you to provide your login credentials via email or a link in an email, unless you yourself requested a password reset or a login ID reminder. A common scam is to send an email telling the recipient that their account will be deactivated/deleted if they do not click the link to verify their login credentials. UCR will never ask you for your password or sensitive information in order to keep an account active.
  • Request for upfront payment - Some phishing scams, such as job scams, ask you to make a payment first in order to receive a benefit or reward. Remember that legitimate employers will never ask you to pay for anything upfront. As a general rule, don’t provide any financial information or bank account details to someone unless that person has a legitimate reason for requesting them (e.g., the HR representative at a company that has legally employed you has asked for the information via a secure employee portal).  
  • QR codes - These are ubiquitous and can be made by anyone, which makes them vulnerable to being exploited by bad actors. Learn how to check if a QR code is safe.
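
The sender check from the first item above (display name versus the actual sending address), written out as an added example that is not part of the original UCR article. The trusted domain `ucr.edu` is taken from the contact address on this page; the name pattern, the warning codes, and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "ucr.edu"  # assumption: taken from the contact address on this page
ORG_NAME = re.compile(r"\b(ucr|uc riverside)\b", re.I)  # assumption: names claiming UCR
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_trusted(domain: str) -> bool:
    """Exact match or a true subdomain; 'ucr-helpdesk.example' does not qualify."""
    domain = domain.lower().rstrip(".")
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def check_sender(from_header: str) -> list[str]:
    """Return warning codes for a From header; an empty list means nothing was flagged."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparsable-sender"]
    domain = addr.rpartition("@")[2]
    warnings = []
    # The display name is free text, so it can show an address the mail did not come from.
    shown = EMAIL_IN_TEXT.findall(name)
    if any(s.lower() != addr.lower() for s in shown):
        warnings.append("display-address-mismatch")
    # The display name claims the organization, but the real address is external.
    if ORG_NAME.search(name) and not is_trusted(domain):
        warnings.append("org-name-external-domain")
    return warnings


# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"UCR Information Security Office" <infosecoffice@ucr.edu>',
    '"UCR Help Desk" <support@ucr-helpdesk.example>',
    '"jane.doe@ucr.edu" <jane.doe.ucr@mailbox.example>',
    "Jane Doe <jane.doe@mailbox.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header) or ["ok"], header)
```

An empty result is not proof of legitimacy, because the From address itself can be forged; confirming through a known phone number or email address still applies.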

As you read, understand the information you are receiving. Some helpful questions to ask yourself are:

  • Is the sender’s email address legitimate?
  • Am I expecting this communication, link, or email attachment?
  • Does the message make sense? Can I verify this information elsewhere? Is this truly urgent?
  • Is this QR code coming from a trusted source? Why would they include a QR code in an email (when I am likely reading on my phone)?
  • Is the offer too good to be true? If I think I know this person, how can I contact them directly at a known number or email address to verify?
  • Did I apply for this job / position? This message appears to be random; why am I receiving it? How can I contact the employer directly?

Finally, take action. After exercising your best judgment, consider how you will respond. If you receive suspicious communication, report it immediately. Do not click links, scan QR codes, download attachments, or even respond to the sender.

Phishing emails can be reported through PhishAlarm, which forwards the report to the UCR Information Security Office. You may also email the team at infosecoffice@ucr.edu. Another option is to report directly to the FBI Internet Crime Complaint Center at https://www.ic3.gov/. Click “File a Complaint” and then select “Other Cyber Crime.”

To learn more tips on protecting yourself from phishing and smishing attempts, read the full article in the ISO blog.