Skip to content Skip to navigation

Anatomy of a Phishing Email

Phishing is a term used to describe email messages that appear to be from a trusted entity, but are actually from someone attempting to trick you into divulging private information such as passwords and financial account numbers. These messages typically encourage you to click a link that takes you to a fraudulent website where you are asked to login and/or submit private information which is then captured by the scammer. These scammers can then use this information to commit identity theft, withdraw funds from your financial accounts, or access password-protected sites as you.


Any time that you are directed to a site that appears to be a WebLogin site, check the URL before entering your username and password. To verify that you have not been directed to a fraudulent WebLogin site, always confirm that the URL appearing in your web browser's location bar begins with exactly

Phishing email example #1

Subject: Online Pay Statement Available to View

- Online Pay Statement Available to View

Your online pay statement for the upcoming payday is available on AXESS. You will generally receive this email and be able to view your online pay statement in advance of payday. Funds will be deposited in your account on payday.

University paydays are the 7th and 22nd of each month. If the 7th or 22nd falls on a weekend or University holiday, payday is the last business day prior.

Step-by-Step Instructions for Viewing your Online Pay Statement

  • Visit AXESS1
  • example of a disguised link
  • Press Login Enter your SUNet ID and password
  • Click Employee Info tab (if you are not already on this tab)
  • Click Pay Statement to view a list of all of your pay statements
  • Click the Check Date of the pay statement that you wish to view

Stanford University Human Resources2

What to look for in phishing email example #1

Some phishing atttempts are very difficult to spot. This email appears identical to an email from Stanford's Payroll Office except for the word: AXESS. In the original legitimate email, AXESS was not a link. In the phishing attempt, it is linked to a phishing site.

1 Disguised or modified link
When you hover your mouse over a link, the actual URL you are being directed to is displayed in a popup or at the bottom of your browser window. In this case, the URL goes to
The domain is actually instead of You can determine the domain by recognizing where the forward slash starts in the URL string.
2 Official looking logos or signatures
Scammers can easily access official looking logos or signatures from websites and include them in their phishing emails. Do not assume the email is legitimate simply because it includes an official-looking graphic.

Phishing email example #2

Subject: Webmail Account Alert!!!1
From: Stanford Webmail Team2

Dear Stanford Account User,

This message is from Stanford Admin Team, You're3 email account has exceeded its mail quota on our server database and your account will be inactive within the next 24-48 hours4 if it is not verified. You are advised to on click the link below and follow the instructions to verify your account5.
example of a disguised link

Thanks. Stanford Help Desk.

What to look for in phishing email example #2

Some phishing attempts are easier to spot:

1 Unprofessional email title
Note the three exclamation points in the subject line. Legitimate organizations do not typically use unprofessional formatting in the messages they send to clients.
2 Forged email address
The sender's email address may be forged, even if it looks legitimate.  This address is suspect because the sender (Stanford Webmail Team) does not match the name used in the body of the message (Stanford Admin Team).
3 Bad grammar and typos
Poorly written sentences, bad grammar, and misspelled words indicate that the email is probably a phishing scam.
4 Sense of urgency and account status threat
Phishing emails typically warn of a sudden change to an account and ask you to act immediately to verify your account.
5 Request for personal information
Be wary of any message that asks for your personal information — it is probably a phishing attempt.
6 Disguised or modified link
Even though a web address contains "" it may not be a Stanford website. When you hover your mouse over a link, the actual URL you are being directed to is displayed in a popup or at the bottom of your browser window. If the link in the email and the URL displayed are not identical, there is a possibility that you are being directed to a fraudulent site.

When in doubt about the legitimacy of a potential phishing email, contact the IT Service Desk at 5-HELP or submit a HelpSU request.

Last modified October 3, 2013