Two recent phishing campaigns targeting the IU community were successfully identified and blocked by UITS’ University Information Security Office, thanks in part to reports from faculty, staff and students.

These phishing emails were designed to mimic an official IU communication, amplifying their importance. Even when a message appears polished and well-informed, it should still be approached carefully.

Unlike more obvious phishing attempts, these emails originated from legitimate IU accounts that had been compromised, making it appear more credible. Recipients were instructed to download or update an application to access a document, which is a tactic that should always raise concern.

What made these phishing attempts different

These campaigns reflect a growing trend in cyber threats across higher education and beyond. Instead of using misspellings or suspicious external addresses, attackers are increasingly:

• Using real, compromised accounts.
• Tailoring messages to specific audiences.
• Creating urgency to prompt quick action.
• Embedding malicious links in seemingly routine requests.

Because of these evolving tactics, solely checking the email address of the sender is not enough to verify its legitimacy.

Related: How to spot a scam text

How to protect yourself

The University Information Security Office recommends everyone think before they click. In three quick steps, recognize, rethink and report.

It also encourages the IU community to follow these best practices:

• Pause before you click or scan: Urgent messages are designed to prompt immediate action without careful review.
• Be cautious, even with IU senders: When in doubt, verify requests through a secondary channel such as Microsoft Teams or a phone call.
• Never download or install software from an email: This includes applications, browser extensions or document viewers linked in messages.
• Report suspicious emails immediately: Prompt reporting helps protect the broader IU community.

What to do if you get a suspicious email

If you receive a suspicious email in your IU account, you can report it by selecting the Report Message icon in Microsoft Outlook under the Home ribbon. You can also report them to phishing@iu.edu. For more information on phishing, visit phishing.iu.edu.