Learning to avoid phishing
Don't click on links or open documents in phishing emails: it's the most common kind of attack. Learn how to avoid them.
If you are reading this page because you have received an email and think there is something suspicious about it then our advice is to assume that it is phishing and report it to the IS Helpline using the process below. It may turn out not to be phishing, but if it is then you have helped the IS Helpline protect you and the rest of the University community.
What is phishing?
“Phishing” is sending lots of emails to lots of people at once, usually pretending to be a company or organisation, asking people to fill in a fake login form, open a malicious document, or do something else that results in information – say a username and password – being sent back to the people behind the phish. Essentially they are casting out lots of fishing lines and seeing if someone will take the bait – “phishing”. Sometimes attacks can be more targeted, using information gathered from public sources in order to target a smaller number of people – for example, using the public company structure to pretend to be your manager asking for something to be done. This is sometimes known as “spear phishing” and, although it can be harder to detect, some of the same clues will be present.
How can I recognise phishing emails?
Often a phishing attack is easy to spot, but sometimes they can be more sophisticated. There is often something about a phishing attack which will make you suspicious – it might be something in the list of clues below, but it may also be that you feel something is just not right. It's important that you act appropriately on your suspicions – if in doubt, act as if it was definitely phishing, don't click on or open anything, and report it.
When reading an email it's wise to always keep the following clues in mind.
Phishing messages often:
- have a generic or incorrect greeting rather than being specifically addressed to you
- request personal information such as passwords, bank details, date of birth, personal ID numbers, etc.
- are short, vague and look or sound a little odd – even if they apparently come from someone you know
- contain unexpected attachments or links to online documents
- contain poor spelling or grammar, or incorrect references to University services
- try to create urgency – "your account will be disabled in 24 hours", "this needs to happen by 5pm today" – in the hope you'll act without thinking
- come from someone you would not expect to contact you – not just because you don't know them, but also because you do not normally deal with the kind of contact they are or claim to be
- try to claim false authority – government agencies, police forces, central administration, senior staff members, etc.
- ask you to do something that you would not normally do
Reporting phishing emails
If you receive a suspicious email to your University account that encourages you to click a link or open an attachment, you can report it with the following process:
- On the email itself, next to the ‘Forward’ button, you have the option to “forward as an attachment” – click this (it may be under a "More" button).
- Send it to email@example.com
You will receive an automated email back with guidance on what to do if you have clicked a link or opened an attachment from the suspicious email.
If you have already clicked on a link and then realise that the email is suspicious then please reset your University password and report it to the IS Helpline.
Phishing is a form of social engineering – trying to make you do something by using social norms, emotions, and information. In phishing it’s largely untargeted and relies on numbers – ask enough people to do something in a generic way and perhaps a few will do it. Social engineering can be extremely targeted, however, using public information and a good story to pretend to be your bank, your IT department, your manager, or even a friend or relative. Often they will use little bits of information you yourself provide to build a picture of how best to target you or make you trust them. It can be very difficult to guard against social engineering, but asking yourself “is this person who they say they are?” and “is this something that I would normally be asked to do?” can help. As an example, if the call is from your “bank” the best thing to do is end the conversation as soon as something makes you suspicious and contact the bank via a contact route that you have found for yourself – don't use the phone number the person gave you; get the number from the bank’s website instead. They will be able to confirm if the initial contact was genuine and can take action if it was not.
As noted above, our advice is that if there's something suspicious about an email, do not click on any links or attachments. However, sometimes you may want to check exactly where a link goes.
It's worth noting, however, that a lot of marketing email uses underlying links that are individual to each recipient so that they can track engagement, and this can make it very difficult to judge whether a link is correct – they will, by design, be different from what the text says. As always, if in doubt do not click.
- Instead of clicking on the link with your main mouse button, hover over it and click with the other mouse button.
- Select [Copy Link] (or [Copy shortcut]) from the menu which pops up.
- Paste a copy of the link into a safe window (we recommend a Notepad window for this, or any basic text editor).
- Look at the link carefully to see if it looks credible. For example, if the hyperlink seems to be from your bank, make sure it would go to your bank’s website, and not to something with a different name.
If in doubt, do not click.
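One way to carry out the last step of the check above more rigorously, as an added example that is not part of the University's guidance: paste the copied link into the function below together with the domain the email text claims it belongs to, and it lists the reasons the link does not credibly go there (both domain names used here are constructed).

```python
# Added example (not from the University's page): checks a link copied out of an
# email against the domain its text claims. Sample links and domains are constructed.
from typing import List
from urllib.parse import urlsplit


def link_findings(href: str, expected_domain: str) -> List[str]:
    """Return the reasons a copied link does NOT credibly belong to expected_domain.

    An empty list means: https, and the host is expected_domain or a subdomain of it.
    """
    findings = []
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):          # urlsplit lowercases the scheme
        findings.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme != "https":
        findings.append("not https")
    # .hostname strips any user:pass@ prefix and :port, and is lowercased
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    if parts.username is not None:
        # e.g. https://examplebank.com@evil.example/ - the real host comes after '@'
        findings.append("text before '@' is a username, not the host")
    if not host:
        findings.append("no host in link")
        return findings
    if host.replace(".", "").isdigit() or ":" in host:
        findings.append(f"host '{host}' is a raw IP address, not a domain name")
        return findings
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised host: check for look-alike characters")
    # A genuine subdomain ends in '.' + expected; 'examplebank.com.evil.example' does not
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host '{host}' is not {expected} or a subdomain of it")
    return findings


if __name__ == "__main__":
    samples = [  # constructed links, as they might be pasted from Notepad
        "https://www.examplebank.com/login",
        "https://examplebank.com.account-verify.example/login",
        "http://examplebank.com@203.0.113.5/",
        "https://examplebank-secure.example/",
    ]
    for link in samples:
        print(link, "->", link_findings(link, "examplebank.com") or ["looks consistent"])
```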
There is lots of good advice on the web that can help you avoid phishing. Here is a selection: