New email notification in Outlook to help faculty and staff identify phishing attempts

November 25, 2020 Update 

As a result of feedback from our customers, the notification described below will only be presented when external emails from free services like Gmail, Yahoo and others also includes words or phrases commonly found in phishing emails. This update was made in October 2020 and should reduce the volume of notifications experienced our customers, especially those who frequently work with external partners.


As Iowa State University faculty and staff continue to navigate their new, more virtual environment, the Information Technology Services (ITS) security team has taken steps to proactively support security with a new email notification and message reporting add-in for Outlook accounts. With the dramatic increase in online communication and information sharing, the risk of cyber-attacks by scammers and hackers remains as present as ever. 

One such cyber-attack, called phishing, exploits the trust of an email recipient by impersonating someone they know or work with, to gain money, and also personal information or control over their computer, which can be even more damaging. At Iowa State University, some phishing attackers have impersonated vice presidents, department chairs and even university President Wendy Wintersteen. 

To help faculty and staff effectively identify and avoid phishing attempts, ITS has worked to implement an email notification within Outlook for all messages originating from free email services like Gmail, Hotmail, and others. The notification itself warns recipients that the email has come from a user outside the university and provides a link to learn more about reporting a phishing attempt. Faculty and staff who have opted into using CyMail for their ongoing email communications will not see this notification as it is only active in Microsoft Outlook. Likewise, emails from CyMail accounts will not generate this message as it is originating from an account.

Grey box with text reading "Message is not from an Iowa State email account. Learn how to report suspected phishing."

Additionally, the “Report Message” add-in will be pushed to all Outlook desktop application tool bars making reporting phishing to the IT security team a simplified, two-click process. Reporting a message as ‘phishing’ using this add-in will send a notification to the ITS security team automatically. This feature is already available to Outlook web application users and performs the same function. 

Report message add-in pull-down menu with phishing option highlighted.

For more guidance on recognizing and reporting phishing attempts, visit the Identifying and Reporting Phishing knowledge base article in the IT Portal.