As security technology continues to advance, humans become the most vulnerable part of an organization. However, with a little knowledge and a careful eye, you can make yourself harder to crack than any password. 

Cyberattackers often try to trick people into installing malicious software by:

  • Disguising it as a useful update. 
  • Phishing: impersonating legitimate organizations or people via emails or text messages to trick users into clicking bad links, installing malware or sharing personal information.

Common warning signs of phishing

  • Offers that are too good to be true, for example: “You’ve inherited $300 million. Please send $49 for delivery.” 
  • Urgent, alarming or threatening language such as: “Failure to comply within 48 hours might lead to permanent shutdown.”  
  • Poorly crafted writing with misspellings and bad grammar: “We will play info we hold about you, so you ca be sure this is a genuine request.” 
  • Requests to send personal information: “To re-validate your account please provide your email address, user ID and password.” No legitimate organization will ever ask for your password via email. 
  • Unexpected or unfamiliar attachments or hyperlinks, especially ones that don’t lead where they say they will. Most mail clients will let you verify where a hyperlink goes without actually clicking on it. Specific methods vary between mail clients, but a common method is to hover your mouse pointer over the link. 
  • Strange or abrupt business requests such as: “I’m stuck in a meeting, but I need you to make an urgent payment to our client’s new bank account ASAP or they won’t deliver on time.” 
  • Bizarre or unprofessional subject lines, for example: “MESSAGE FROM C.E.O” or “ATTN: MY DEAR FRIEND.” 
  • The sender’s email address doesn’t match the person or company purportedly sending the email. For example, an email from an MSU Denver colleague where the sender’s address ends in “[email protected],” instead of “” should raise red flags.

New phishing and junk email reporting 

Previously, MSU Denver users were encouraged to forward suspicious or spam messages to [email protected] for review. However, this method is outdated and doesn’t interface with modern security and email technologies.

Instead, users should report phishing or junk messages using the built-in reporting functionality in Office 365. The exact method will vary depending on how you access your email:

  • Outlook Web App ( 
    • Right-click the offending email. 
    • Select “Report”.
    • Select “Report phishing” or “Report junk” as appropriate. 
  • Outlook Mobile App 
    • Highlight the offending email.
    • Tap the three dots in the upper-right. 
    • Select “Report Junk”. 
    • Select “Phishing”. 
  • Outlook Desktop App 
    • Open the offending email. 
    • Click the Report Message button in the top ribbon. 

With this change, information on phishing attacks and campaigns will be collected faster, more efficiently and in greater technical detail, which will enable the University’s security team to better identify and respond to potential threats. Please note that reported messages will no longer be responded to unless additional information or action is required from the reporting user. 

If you suspect you’ve received a phishing email: 

  • Block the sender. 
  • Report the phishing attempt using this new method. 
  • Delete the email.  

This is part of a series of articles for Cybersecurity Awareness Month 2023. MSU Denver is proud to support the 20th year of this far-reaching online safety awareness and education initiative, which is co-led by the National Cyber Security Alliance and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security. For more information about Cybersecurity Awareness Month 2023 and how to participate in a wide variety of activities, visit