Know Your Opponent

Emails Can Be Spoofed

Email spoofing is the creation of email messages with a forged sender address. Often these phishing emails will come from names you know, or are familiar with and have an urgent request. Some may demand that you "update your account information" or "login to confirm ownership of your account".

Attackers may also set up web sites under their control that look and feel like legitimate web sites. If you enter your credentials into these illegitimate websites, you are sending your username and password directly to the attackers. Stop and...

How do I report a Phishing or suspicious email?

Reporting suspicious emails can dramatically reduce the duration and impact of an active phishing attack.

Using the bMail web interface:

Open the message To the right of 'Reply' arrow, select 'More' (typically denoted with three vertical dots) Then 'Report phishing'

Reporting through Google allows the email to be blocked from further attacks against and may prevent others from falling victim to the attack.

If you are unable to log into bMail, forward the message to...

What can I do to avoid Phishing attacks?

We encourage the UC Berkeley community to take an active role in protecting themselves against phishing attacks. Use our helpful tips in our Fight the Phish campaign to recognize and report phishing attacks.


If you are worried about an account, call the organization which maintains it (like your bank) Check the email address—does it really match the text of the email? Does it match the legitimate email of the organization it is supposed to be tied to? Check the security certificate of any...

Why is understanding the risk of Phishing important?

Phishing attacks are a constant threat to campus and are becoming increasingly sophisticated. Successful Phishing attacks can:

Cause financial loss for victims Put their personal information at risk Put university data and systems at risk All workforce members are responsible for protecting institutional data and complying with information security obligations stated in UC policy, laws...

How can I identify a Phishing scam?

The first rule to remember is to never give out any personal information in an email. No institution, bank or otherwise, will ever ask for this information via email. It may not always be easy to tell whether an email or website is legitimate and phishing emails are using social engineering tactics to make create sophisticated scams.

In the body of an email, you might see questions asking you to “verify” or “update your account” or “failure to update your records will result in account suspension.” It is usually safe to assume that no credible organization to which you...

Do I only need to worry about Phishing attacks via email?

No. Phishing attacks can also occur through phone calls, texts, instant messaging, or malware on your computer which can track how you use your computer and send valuable information to identity thieves. It is important to be vigilant at all times and remain suspicious of sources that ask for your credentials and other personal information.