
Trust your gut. Don’t click on unexpected or unfamiliar links.
Ever click on an unfamiliar link and instantly regret it? You’re not alone, it happens every day.
Bad actors go “phishing” and trick us into revealing our personal information. They know how to convince us and catch us off guard to steal our data, money, or identity. We're so busy working, studying, and teaching that we may not notice.
Yale's security tools block hundreds of thousands of malicious messages per day. However, some are convincing enough to sneak through. We can help you stop them in their tracks. Educate yourself on phishing and simple steps to click with caution.
From July through September we are running our Click with Caution campaign! Use this page to educate yourself on how to Click with Caution then apply what you learned on our toolkit. Complete the toolkit activities for your chance to win exclusive cybersecurity swag!
Visit our Click with Caution toolkit
What is phishing?
Phishing messages try to collect our personal or sensitive information. This can include our usernames, passwords, or financial information, like credit card numbers.
Some criminals, or "phishers," are easy to spot. Messages will contain misspelled words and other bad grammar. Other phishers design legitimate-looking emails. These messages can look so authentic that you may mistake it for your bank or favorite merchant.
Report a phish
Be safe, not sorry—quick reporting benefits everyone. Reporting a phish is quick and simple using one of our options.
- Click on Report Message on the Outlook email banner and choose "phishing"(O365 users only).
- Send full message headers to helpdesk@yale.edu (EliApps, O365).
- Call the Help Desk at 203-432-9000 so the message can be quickly blocked.
Still not sure how to report suspicious messages? Click the button below to learn more about reporting any unwanted or suspicious emails (e.g. spam or phish).

Phishing DON’Ts
Phishing is a form of "social engineering". Phishing and social engineering most often come in the form of email but can come in other forms too. Follow these DON'Ts to safeguard your personal information.
- Don’t give out personal information on the phone, through websites, or in email.
- Never call phone numbers requesting personal information.
- Don’t click on unfamiliar or suspicious links or open attachments.
Remember, Yale ITS will never ask you to send passwords or personal information via email.
What should I do if I've submitted my Yale credentials to a site from a phishing email?
- Call the ITS Help Desk at 203-432-9000 and report that your credentials have been compromised. They will review your account to ensure information is not stolen.
- Change your NetID password. Password best practices can be found here.
Spot a phish
Use these three simple tips to outsmart phishers:
- Stay Alert: Be suspicious of unexpected email messages. Bad actors may use fear, intimidation, or urgency to extract details. Think: Would your boss ask you to buy gift cards or does this seem unusual? Trust your gut—if it doesn’t feel right, it probably isn’t.
- Hover to Discover: Hover over the email address to verify the sender is who they say they are. Bad actors may appear to be a familiar company or an @yale.edu email address. Inaccurate or misspelled email addresses offer a clue that something is wrong. For example, handsome.dan@gmail.com.
- Click with Caution: When in doubt, don’t click on links or attachments that are unfamiliar. Instead, please report it.
Determine if a webpage is secure
You can keep the bad actors at bay by ensuring you use “secure” pages.
Secure pages send your passwords, credit card numbers and other personal information safely. This is done using encryption.
Always check to be sure the page is secure. Here’s how to check:
- Look for the “https” in the URL address line at the top of the browser window. If you see “http,” the site is not secure.
- Verify that the site you are going to is legitimate. Review the website address (URL). If it doesn’t look legitimate, don’t open it.
In the example below, the link looks correct at first. It is actually a malicious url pointing you to a different site, not Yale's Single Sign On, "CAS". If you take a closer look, you see "ezproxie.in". This is sending you to the malicious site instead of CAS.
Too good to be true? Go straight to the source
Some bad actors are so good that it’s hard to tell an authentic message from a fake. When in doubt, don’t click the link- go straight to the source.
Services you trust
Next time you receive an out of the blue email from a familiar store or service you use, don't click right away. This could include your bank or favorite online store. These emails often mention a security warning or tell you there is an issue with your order or account. Instead of clicking on the email for more information, go straight to the source. Visit the online site or store the way you usually would. This will tell you if the issue is legitimate or the email is a scam.
Third parties
Did Microsoft or your Internet provider ask for access to your machine?
- Do not respond to unsolicited phone calls.
- Do not give Yale data or Yale device access to a third party without management’s authorization.
- Only allow access to a Yale device by the Yale ITS Help Desk or your support provider.
People you know
Did your boss or department head ask you to buy gift cards via email? Did they ask you for money right away? Does the request seem odd? Urgent? Before you do anything, make sure it is really them. Do not reply to the email you received. Call them to verify their request is real before falling for a potential phish.
The latest and greatest news
There always seems to be a new viral video or trend people are talking about. If someone sends you a link with breaking news or a link to a video, skip the link. Use a search engine (e.g. Google) to find the content yourself. Remember to determine that the website you click on is secure using the tips above.
Outsmart the Internet. With a little time and ingenuity, you can keep your personal data and Yale's information safe.