Spot and Report Scams

While CUIMC has many security measures in place to prevent phishing and other malicious messages from reaching you, new attacks constantly evolve.  Business Email Compromise (BEC), a class of phishing attack that targets businesses and organizations and that the FBI calls "one of the most financially damaging online crimes", saw a rise of 350% amid the COVID-19 pandemic.

As with many other educational and medical institutions, CUIMC saw well-crafted, targeted email messages that appeared to be from important colleagues.  The screenshot below mimics one received over the summer, in which the phisher used details found online to pose as a legitimate department chair (our screenshot uses a made-up name).

Example spear phishing message, "Quick request", appearing to be from a department head
  • The signature and non-CUIMC email address appear to be from a known colleague.
  • While the message doesn't have an attachment or link, it presents vague urgency.
  • The request for a cell number could initiate a "vishing" or voice phishing attack.
  • It preys on a recipient's desire to be helpful, especially towards a Department Chair.
  • The actual attack copied a signature from an email that was intercepted by the criminal, making it appear more authentic to those who correspond with the colleague's work email account.

How can I protect myself?

1. Identify the sender

This is the first thing you should do whenever you receive an email, especially if:

  • You don’t recognize the sender’s address
  • It is requesting sensitive information
  • It asks you to click a link
  • It contains an unexpected or unsolicited attachment

While CUIMC now uses an [EXTERNAL] tag to help you easily identify messages sent from accounts outside the institution, it is still important to know what to look for if you aren't sure a message is legitimate.  The part of an email address after the @ symbol, called the domain, should match the sender's known business in most cases.  For example, a phisher may use a domain that appears accurate but, on closer inspection, is not:

  • abc1234@cumc.colombia.edu versus abc1234@cumc.columbia.edu  ("o" used in Columbia instead of "u")
  • support@nyp.biz versus support@nyp.org
  • help@microsoft-usa.com versus help@microsoft.com

If your email program doesn't show the sender's full email address, hovering your cursor (mouse) over the name in the heading of the message often shows a bit more detail, and you may be able to click on the sender's name to reveal even more.  However, do not rely on this alone to confirm the sender's validity, since an email account may be hacked or the criminal may be skilled enough to completely mimic a valid address.  If other things about the message are still suspicious, such as poor spelling and grammar or a vague sense of urgency, contact the sender through a known, good method.  Call or text their known phone number, or manually type a known email address into the "To" field of a new message instead of replying to the email.

2. Screen Links

Phishing messages often link to what looks like a valid website.  Like email addresses, this can be "spoofed" so you trust what you initially see; closer inspection can usually reveal whether the link is OK.

CUMC link with actual link to malicious site revealed

Hover your cursor over a link to see the actual destination.  The image here shows what appears to be a link to the Medical Center's website, but the extra information that appears when your cursor hovers over it shows a different, malicious URL (link).  This information may also appear in the corner of your screen or program window instead of right next to the link; in general, if it appears and disappears as your cursor hovers over or moves away from the link, you are seeing the actual destination without the risk of clicking on it and going to a malicious website.

NOTE: Links in a message from an outside sender may be rewritten by the CUIMC security filter; hovering your cursor over the link will show that it begins with https://urldefense.proofpoint.com. Any click on the rewritten link first goes through the security filter, which can further detect malicious web pages. If the actual linked page is safe, you will reach the intended site; if not, the page will be blocked and you will see a message explaining why.  If you need to retrieve the original, unaltered link, first review all information on our Email Link Protection and Decoder page and use the form at the bottom.

As with email addresses, being able to identify the domain in a link lets you quickly spot phishing attempts.  Using the website address of CUIMC's Office of the Chief Information Security Officer as an example, https://it.cuimc.columbia.edu/Information-Security-Office, focus on the part that comes after the first two "forward slashes" and before the next one:

  • https:// - this is how almost all web links begin (some may not include an "s"), and can be ignored
  • it.cuimc.columbia.edu - this is the domain.  Most businesses will have this "central" part of their website address in all of the webpages for their site
  • /Information-Security-Office - anything following the forward slash after the domain denotes a page or file within the website, as most websites contain more than one page (similar to keeping more than one file in a folder).

If a link contains a known domain that isn't misspelled and has no extra characters between the "forward slashes", it can typically be trusted.  Or, instead of clicking a link, manually open your web browser and type in just the domain to reach the company's home page, then navigate from there to any information you may need.  As with email addresses, there may be exceptions, so use this information as part of an overall strategy.
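The checks in "Identify the sender" and "Screen Links" are the same check applied twice: isolate the domain (after the @ in an address, between the slashes in a link) and compare it with the domains you actually know.  The following Python is an added example written for this page, not a CUIMC tool; the allowlist of known domains and the sample addresses and links are constructed for illustration, and the similarity threshold is an assumption chosen to catch the lookalikes shown above (colombia/columbia, nyp.biz, microsoft-usa.com).

```python
"""Classify sender addresses and link targets the way the page describes:
isolate the domain, compare it with the organization's known domains, and
flag lookalikes (misspellings, extra characters, a known name buried in the path).

Added example for this page; KNOWN_DOMAINS and all sample inputs are constructed.
"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: the domains this recipient actually trusts.
KNOWN_DOMAINS = {"cumc.columbia.edu", "columbia.edu", "nyp.org", "microsoft.com"}

# Assumed threshold: this similar to a trusted domain, yet not equal to it, is suspicious.
LOOKALIKE_THRESHOLD = 0.8


def _with_scheme(url: str) -> str:
    # urlsplit only recognises the host when a scheme is present.
    return url if "://" in url else "http://" + url


def domain_of_email(address: str) -> str:
    """The domain is everything after the last '@', compared case-insensitively."""
    return address.rsplit("@", 1)[-1].strip().lower()


def domain_of_url(url: str) -> str:
    """The domain is the host between the slashes; scheme, port and path are ignored."""
    return (urlsplit(_with_scheme(url)).hostname or "").lower()


def is_known(domain: str) -> bool:
    """A domain is known if it is, or is a subdomain of, an allowlisted domain."""
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS)


def closest_known(domain: str) -> tuple:
    """Return (allowlisted domain most similar to `domain`, similarity between 0 and 1)."""
    scored = ((k, SequenceMatcher(None, domain, k).ratio()) for k in KNOWN_DOMAINS)
    return max(scored, key=lambda pair: pair[1])


def classify_domain(domain: str) -> str:
    if is_known(domain):
        return "known"
    best, score = closest_known(domain)
    # Two "looks right but isn't" patterns from the page: a near-identical spelling
    # (colombia vs columbia) or a trusted name with extra characters (microsoft-usa, nyp.biz).
    trusted_name_reused = any(k.split(".")[0] in domain for k in KNOWN_DOMAINS)
    if score >= LOOKALIKE_THRESHOLD or trusted_name_reused:
        return f"lookalike of {best}"
    return "unknown"


def classify_email(address: str) -> str:
    return classify_domain(domain_of_email(address))


def classify_link(url: str) -> str:
    verdict = classify_domain(domain_of_url(url))
    if verdict != "known":
        # A trusted name after the host (in the path) does not make the link trusted;
        # only the host decides where the browser goes.
        path = urlsplit(_with_scheme(url)).path.lower()
        if any(k in path for k in KNOWN_DOMAINS):
            verdict += " (trusted name appears only in the path)"
    return verdict


if __name__ == "__main__":
    for sample in ("abc1234@cumc.colombia.edu", "support@nyp.biz", "help@microsoft-usa.com"):
        print(f"{sample:32} -> {classify_email(sample)}")
    for sample in ("https://it.cuimc.columbia.edu/Information-Security-Office",
                   "http://example-bad.test/it.cuimc.columbia.edu/login"):
        print(f"{sample:60} -> {classify_link(sample)}")
```

The "known" verdict only means the host is on the allowlist, which, as the text notes, is one input to an overall judgement rather than proof that a message is safe: a legitimate account can still be compromised.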

3. Don't Trust Attachments

NEVER open attachments blindly.  By clicking and opening an attachment, you may be immediately compromising your security and risk spreading an attack to your peers.  An attachment from someone you know, even when you have verified the email address, can easily become a risk if the sender's account was hacked and an infected attachment was sent from it.  Aside from verifying that the sender intended to send it to you, you can check the type of file the attachment is by looking at its file extension.

Email message with attachments including their file name and type

The image above shows attachments to a message displaying the full file name including extension: invoice.xlsx and Meeting Minutes.docx (it also shows a link rewritten by the CUIMC security filter, mentioned in Screen Links above).  The file extension is always the part after the period (.xlsx, .docx) and generally tells you what kind of file it is, although the file extension can be changed to appear to be a different type.  Common file extensions are: 

File Extension              Expected* File Types
.doc, .docx                 Word document
.xls, .xlsx                 Excel spreadsheet
.ppt, .pptx                 PowerPoint presentation
.pdf                        PDF (Adobe Acrobat file)
.txt                        Text file
.png, .jpeg, .jpg, .gif     Image/picture

File Extension              File Types that can install/modify your computer!
.exe                        Executable
.bat                        Windows Script
.msi                        Windows Program Installer
.dmg                        Macintosh Program Installer
.js                         JavaScript

* Even if the file extension is safe, a hacker may have renamed the file to appear safe (for example, from fedexshippinglabel.exe to fedexshippinglabel.pdf). If you are not able to otherwise confirm the attachment is safe and don't believe the message is suspicious, use your installed antivirus/antimalware program to save and scan the attachment before opening it.
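An extension only tells you what a file claims to be; the first few bytes of the content tell you what it actually is, which is how a scanner catches the renamed-file case in the footnote.  The Python below is an added example for this page, not a CUIMC or antivirus product's code: it applies the two extension lists from the table and a short list of well-known file signatures, and the sample "attachments" are constructed byte strings rather than real files.

```python
"""Assess an attachment two ways: by its extension (what the name claims) and
by its leading bytes (what the content is), and refuse a mismatch.

Added example for this page. The signature table covers only the formats in
the extension table above; the sample attachments are constructed bytes.
"""
import os

# Extensions from the table: expected document/image types ...
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".txt", ".png", ".jpeg", ".jpg", ".gif"}
# ... and types that can install or modify the computer.
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".msi", ".dmg", ".js"}

# Leading bytes ("magic numbers") and the extensions that legitimately carry them.
SIGNATURES = [
    (b"%PDF", {".pdf"}),
    (b"PK\x03\x04", {".docx", ".xlsx", ".pptx"}),            # Office 2007+ files are ZIP containers
    (b"\xd0\xcf\x11\xe0", {".doc", ".xls", ".ppt", ".msi"}),  # legacy OLE compound documents
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"GIF8", {".gif"}),
    (b"MZ", {".exe"}),                                        # Windows executable image
]


def extension_of(filename: str) -> str:
    """The extension is the part after the last period, compared case-insensitively."""
    return os.path.splitext(filename)[1].lower()


def content_type_from_bytes(head: bytes):
    """Return the extension set matching the leading bytes, or None if unrecognised
    (plain text, for instance, has no fixed signature)."""
    for magic, extensions in SIGNATURES:
        if head.startswith(magic):
            return extensions
    return None


def assess_attachment(filename: str, head: bytes) -> str:
    """Decide what to do with an attachment given its name and its first bytes."""
    ext = extension_of(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block: extension can install or modify your computer"
    actual = content_type_from_bytes(head)
    if actual is not None and ext not in actual:
        # The name says one thing, the bytes say another: the renamed-file case.
        return f"block: content does not match {ext or 'missing'} extension"
    if ext in DOCUMENT_EXTENSIONS:
        return "scan: expected document type, verify with sender and antivirus before opening"
    return "block: unrecognised extension"


if __name__ == "__main__":
    # Constructed samples: the names from the screenshot and the footnote,
    # paired with plausible leading bytes.
    samples = [
        ("invoice.xlsx", b"PK\x03\x04" + b"\x00" * 26),
        ("Meeting Minutes.docx", b"PK\x03\x04" + b"\x00" * 26),
        ("fedexshippinglabel.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # .exe renamed to .pdf
        ("fedexshippinglabel.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("notes.txt", b"Agenda for Monday\n"),
    ]
    for name, head in samples:
        print(f"{name:26} -> {assess_attachment(name, head)}")
```

Reading only the first bytes is deliberate: the decision is made before the file is ever opened by the application that would interpret it, which is the whole point of checking an attachment rather than double-clicking it.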

4. Report Suspicious Messages

Simply deleting a message will prevent your computer or device from being infected, but reporting it helps keep the CUIMC community safer.  Please follow these steps to ensure the message includes technical details we need to update the email security settings; simply forwarding a message does not include some of the information we may need.

  1. Begin a new message addressed to spam-abuse@cumc.columbia.edu
  2. Drag the suspicious message into the body of the new message (this will attach it to the new message)
  3. Add a brief subject line and body text to let us know why you are sending it (e.g., "Reporting a potential phishing message")

For more detailed steps and alternate ways to send the message please see Report Junk, Spam, Phishing, and Other Unwanted Messages.

5. Safeguard Protected Health Information (PHI)

This is a top priority at CUIMC. 

  1. NEVER use a personal email address for conducting university or hospital business.  This is a violation of Columbia University policy.
  2. Always encrypt messages containing PHI (including any attachments) when sending outside of the Organized Health Care Arrangement (OHCA) by putting #encrypt at the beginning of your message's subject line.
  3. Verify all email addresses you have put in the To, CC, and/or BCC fields of the message before sending (also required by University policy) to be sure you haven't added an incorrect recipient or made other errors.