Tips & Identifying Phishing

Scammers and spammers know that people are busy and will read their mail quickly without spending time looking at the message.   Identifying a phishing attempt can be easy, as long as you know what to look for and take your time to look at the message for the clues indicating it may be a phishing message. 

Determining if an email is legitimate can be difficult.  Below are a few hints that may help you to determine if email is legitimate or not.  But if you are still in doubt, and unable to verify, assume the email is not legitimate and do not take any action that the email may request you to take.  When in doubt - delete.

Microsoft maintains a site that provides information on how to recognize a phishing attempt, we strongly recommend you visit that site by selecting here.  Selecting this link will open up a new tab and redirect you to a Microsoft site.

Some quick clues are:

  • the "from" email address does not match the organization referenced to within the email
  • poor spelling and/or gammer
  • you never had any previous association with the sender or their organization
  • a sense of urgency

Other quick hints are:

Cleveland State never sends out emails whose contents are similar to those listed here:

  • emails informing you that your account is to be locked / deleted unless you verify information or select a link.  CSU does deactivate accounts, but only after an individual is no longer associated with the university.  Select here for more information concerning account deactivation.
  • emails stating that your account may have been compromised and you need to select a link or enter your sign in credentials to confirm your identity.
  • emails stating that the size of your mailbox has been increased / decreased. The size of your mailbox is set by Microsoft to 50 Gb, we cannot increase nor decrease that size.
  • emails requesting any type of personal information as verification.
  • emails requesting financial / confidential information related to university business.  If the email appears to have originated from an email address your are familiar with, please call the individual before supplying the requested information.

* If you ever receive an email that you were not expecting and/or from an address you normally do not communicate with, be very suspicious of the contents, especially if the email contains a link and/or attachments. 

* If the email appears to have originated from a CSU address, please call the person inquiring as to the email's authenticity.  It is not recommended that an email be sent inquiring about authenticity since the individual on the account may not be the owner of the account or the reply may not go back to the account it appears to have originated from, it may be redirected to the spammer.  To look up the phone number of a CSU employee, please visit the online phone directory.   Please note the following concerning the format of CSU email accounts:

  • those accounts that are assigned to a CSU employee (faculty & staff) will be in the format of
  • those assigned to a student will be in the format of
  • those assigned to a student from the College of Law will be in the format of
  • those assigned to an alumni will be in the format of

* If an email originated, or appears to have originated from an external email address and you do not know the individual, or if you are unable to verify its authenticity, it is best to play it safe and simply delete the item. 

* If the email contains a link, always verify the URL before selecting, by hovering over the link and checking the bottom left corner of your screen to see where the link leads to.

* Change passwords on any account you may have, be it personal or professional, on a regular basis.

* Do not use the same password for multiple accounts.

* Do not re-use old passwords.

* Consider a password that contains an easily remembered phrase versus a word.  Example: 1Lik3redApples ( I like red apples ); these tend to be longer, thus more difficult to guess, yet may still be easy for you to remember.

* If the organization, that you have an account with, offers Multi-Factor Authentication consider using it, especially on those accounts that contain financial and other personal information.  An example of this is when you sign into your account at a financial institution, after you have entered your sign-in ID and password you will be prompted to enter a unique code that you receive via a text message on your mobile device.  Not every company / organization offers this, however, it is becoming more popular.

* Keep your anti-virus software up to date, and run it on a regular basis.  You may want to set it to run automatically if your machine is on at the same time.  Enable auto updates for the product to insure the latest updates are downloaded to the product.  Information on downloading free Anti-Virus software from Microsoft (this link will direct you to a site managed by Microsoft).

* If a site that you have created an account at uses your email address as part of the sign in credential, never set the password for that account to the same (or similar) password as the one you use for your email account.  Should the site ever get "hacked" the password for your email account would then be exposed should you do set the passwords the same.

* Never reply to or call any phone number listed in the emails.  If you wish to contact the company to verify the authenticity, look the phone number, or email contact, up yourself by locating the organization's web site via a search engine such as Google or if you already know the URL, manually enter it your self.