To better alert UA employees to possible phishing emails, OIT tags incoming emails from external sources.

All emails sent from an email account outside of the UA domain are labeled as [EXTERNAL] in the subject line. Phishing emails pose as reputable sources to trick recipients into giving up sensitive information. Often, malicious actors pose as UA administrators, deans and vice presidents. OIT has introduced [EXTERNAL] tagging to help UA faculty and staff better determine the actual sender of the message.

Are all emails tagged as [EXTERNAL] malicious?

Not all emails marked with [EXTERNAL] are or should be considered suspicious; they are simply coming from a source external to UA. The message could be from a friend, colleague, family member, vendor, service provider, etc. Below is an example of an email from a vendor flagged as [EXTERNAL].

[Image: External Subject Line]

Why do I not see [EXTERNAL] labeling in my inbox?

Please note, this labeling is only applied to OIT-supported mail. OIT does not support email for the Culverhouse College of Business, UA Athletics or UA Law School.

Can I opt out of [EXTERNAL] tagging in my inbox?

No, [EXTERNAL] tagging is added to all OIT-supported mailboxes.

Are certain messages exempt from [EXTERNAL] tagging?

Yes, a few exemptions have been made for certain campus applications that are technically external but are UA-approved systems. These include Box, Blackboard, Qualtrics and others. If you find that an approved UA system is sending emails marked as [EXTERNAL], contact the OIT Security team at security@ua.edu.

What do I do if I received a message that I think is phishing?

As always, if you receive an email that you suspect to be phishing or a scam, please forward the message to security@ua.edu for review.