Technology KnowledgeBase

How do I tell if this email is legitimate or not?

Spam and junk email make up the majority of email traffic on the Internet and, despite all efforts, are impossible to completely block. Many of these are obvious spam (unless you really were writing someone for information on Viagra) but many of them are more difficult to detect. Most of those are "phishing" spam - emails trying to get you to give up personal information, especially passwords and financial account numbers.

Some of the messages appear to come from a valid service with whom you might do business, such as UPS, Paypal, Amazon, or a bank, webmail service, insurance company, or even another school district. They look just like emails from those sources and may even use graphics from the company web site. Other messages are not as elaborate but they try to include something that will sound familiar to you, such as "Zimbra mail" or " user" or "webmail account warning". The basic rule, though, is Don't trust any warning message that you weren't expecting! Check the message carefully first to see if it's real (the same as you would with those prize-winning notifications you get in your postal mail at home).

Many of these messages notify you of a possible problem and then provide a link to an online form you fill out to fix the problem. If you fill out the form, they use your username and password for robot spam servers that log back in a week or two later and send spam to other locations from your account. When this happens, our entire district can end up blacklisted and unable to send email to anyone else! In addition, they may search your emails for other usernames, passwords, or financial accounts to steal your identity. This is a Very Bad Thing.

Tips on identifying phishing spam
If you are not sure whether a message is valid or not, check for these signs of phishing spam:

DOES THE MESSAGE START "DEAR NSD.ORG USER" OR OTHER GENERAL GREETING? Real Technology email notices either specifically identify you by name or state what types of staff are receiving the message. We don't start out with "Dear <anything>" - not that we don't like you but that isn't how we do things. Messages that address " user" or "webmail user" or "nsd account user" are spam.

DOES IT HAVE A WEB LINK THAT GOES DIRECTLY TO A FORM? Banks took action very early in this latest attack and stopped sending out emails with links to forms. They now direct you to go to their web site, log in there, and tell you where to find the form. Most other companies have now followed that practice as well. Assume that any email from a financial institution telling you to click on a link is fraud. You should call your bank if you have any question about whether an email is valid or not. Any email from anywhere else that takes you directly to a form should also make you suspicious.

IS IT A NOTICE YOU WERE EXPECTING? Even if it is a company you do business with, does the spam look reasonable? These messages try to send you something that will alarm you into filling out the form, either by claiming that your bill is much higher than expected or that there were problems with a delivery or your account is failing.

DO THEY CLEARLY IDENTIFY THEMSELVES? This is a common sign of webmail phishing spam - you receive a notice that your email/webmail account will be suspended because it is over quota or hacked in some way. Valid notices will clearly identify themselves as coming from your webmail provider. ALL DISTRICT NOTICES WILL BE CLEARLY IDENTIFIED AS COMING FROM SOMEONE AT NORTHSHORE SCHOOL DISTRICT.

DID THE EMAIL REALLY COME FROM AN @NSD.ORG ADDRESS? Many email clients don't show the email address of the sender, just the name. If you move your mouse cursor over the name, though, it will show the email address after a couple of seconds. If you aren't certain, reply to their message and ask them to verify that it is valid (that is MUCH less dangerous than filling out the form).

WAS THE EMAIL SENT TO YOU? A real notice will only be sent to your email account. If it is addressed to someone outside of the district, it is probably spam. In addition, major corporations send their notices to one person at a time. If a notice about a problem with your account is addressed to multiple district staff, it is probably spam.

IS THERE ANYTHING ODD IN THE MESSAGE ITSELF? For VerizonWireless, the spam messages have had an incorrect phone number format ("bill for your account ending in XXXX-X001"). With the shipping companies, they will likely have an incorrect shipping address. If anything is wrong, treat it as probable spam. Many spam messages don't have correct punctuation, spelling, grammar, or any uppercase letters (those are usually from foreign sites run through a translation application first). Valid notices from Northshore School District will use proper punctuation, capitalization, and mostly correct grammar and spelling.

DO THE LINKS GO TO THE COMPANY WEB SITE? If you move your mouse over a link to a location, most mail clients (including Apple Mail and Zimbra webmail) will show you the URL to that site. It should be something clearly from that company. If you click on the link, the top of your web browser will show the URL. Some of them trick you by including the company name in the URL, but going somewhere else, such as (which is in the Netherlands and not a valid VZW server).

IS IT ABOUT A WEBMAIL LIMIT? Northshore does NOT place any limits on your email account in terms of disk space or numbers of messages. Any warning that your account is over limit or about to hit a limit or is being monitored because it was used in another location is spam.
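
The sender-address, recipient and link checks described above can be run mechanically over a saved message. This is an added example, not code from the district: the sample message, its .example hosts, the staff addresses, and the function names are constructed for illustration, and it assumes a single-part plain-text message.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Constructed sample: display name looks official, address and link do not.
SAMPLE = """\
From: "NSD Help Desk" <helpdesk@mail-alerts.example>
To: staff1@nsd.org, staff2@nsd.org
Subject: Webmail account warning

Dear webmail user, your account is over quota. Verify here:
http://nsd.org.account-verify.example/form
"""

def host_in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw, claimed_domain, my_address):
    """Return warnings for the sender, recipient and link checks."""
    msg = message_from_string(raw)
    warnings = []
    # Sender: ignore the display name and look at the actual address.
    _, sender = parseaddr(msg.get("From", ""))
    if not host_in_domain(sender.rpartition("@")[2], claimed_domain):
        warnings.append("sender address is not @" + claimed_domain)
    # Recipients: a real account notice goes to you, and only you.
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = [addr.lower() for _, addr in getaddresses(fields)]
    if my_address.lower() not in rcpts:
        warnings.append("not addressed to you")
    if len(rcpts) > 1:
        warnings.append("addressed to multiple recipients")
    # Links: the host must end in the claimed domain, not merely contain it.
    body = msg.get_payload()  # assumption: single-part plain-text message
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname
        if not host_in_domain(host, claimed_domain):
            warnings.append("link leaves %s: %s" % (claimed_domain, host))
    return warnings

if __name__ == "__main__":
    for warning in check_message(SAMPLE, "nsd.org", "staff1@nsd.org"):
        print("WARNING:", warning)
```

A message that passes these checks is not proven genuine, because the From header itself can be forged; the advice to ask before filling out a form still applies.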

What to do when you receive a spam message?
IF YOU THINK THE MESSAGE IS SPAM, redirect or forward it to so we have a sample to help us try to block these. If you are worried that it might be real, reply to the company or check your online account with the company first. Directions on how to send the email to junkmail and more about email filtering are in KB article 2.

Why do these messages get through?
Unfortunately, the people sending these phishing messages have a lot of money, time, and staff to help them get around mail filters. Some get through because they look so much like the real company message. Others because the wording changes with every message and there is nothing so specific that it stands out to be filtered. Still others work by including huge amounts of hidden text that doesn't show to you but is seen by the mail filter and makes it look valid (often long passages from books or famous speeches).

If in doubt, ask before filling out a form! We would rather get additional questions than have staff continue to fall for these phishing scams (currently happens about four times a year).

Reserving your district email account for only work-related messaging is the best protection against phishing spam!
