Safer Email Handling
In Spring 2019, Drexel began inserting notices into messages delivered to our email accounts from outside of our Office 365 email service. These notices help users recognize email coming from outside, even when the sender name may impersonate someone at Drexel or the server address is spoofed as a Drexel address.
External Message Sender
When email is sent to a Drexel mailbox from outside of Drexel's email service, the body of the message will be prefaced by a yellow bar describing its provenance, as shown below.
External messages are generally no cause for concern. Recipients of external messages should exercise caution before clicking links or opening attachments. Additionally, when a message is sent from outside of Drexel while claiming to be from a person or department inside Drexel, recipients should treat the message with suspicion before acting on the message.
Possibly Forged Message Sender
When a message is sent from outside of Drexel while claiming to be from a person or department inside Drexel, you should treat the message with a high degree of suspicion.
This form of phishing is becoming more common. A non-Drexel account, using a “From” name that looks like that of a University official, sends Drexel recipients a request to divulge or change sensitive information (or even send University funds). When a recipient looks at their Inbox, the sender’s “From” name is shown, but their email address—which would reveal that the account is not within @drexel.edu—is not shown.
To help protect against this kind of phishing, when external email is sent to a Drexel mailbox, the sender name will be checked against the names of Drexel officials. External email sent using the name of an official will be prefaced with a cautionary note.
You should treat such messages with suspicion before handling them. Until the suspicion can be removed, do not forward or reply to such a message and do not act on any instructions included in the message, particularly requests that would require spending University money, transferring funds, divulging University information, or changing records in important systems, like Banner, Blackboard Learn, or DrexelOne.
While that note could indicate a phishing message, it could also be a normal message sent by a person at Drexel who accidentally emailed you from their personal account. It could also be a message sent by someone who happens to have the same name as a Drexel official.
To remove suspicion about such messages, you need to confirm the sender's identity. You cannot confirm it by replying to the suspicious message, because your reply would go to the sender of whom you are suspicious! Instead, use one of these techniques:
- Send a message to the person's regular Drexel email address, asking about the message sent from the non-Drexel account and asking them to resend the message from their Drexel email account.
- If time is of the essence and you know the person's work or mobile phone number, call or text to ask if the message was theirs. You can look up Drexel phone numbers via the Drexel Directory.
Do not reply to or act on suspicious messages until you have confirmed the sender’s identity.