Information Security

Learning to avoid phishing

Don't click on Phishing links: it's the most common kind of attack. Learn how to avoid them.

Phishing, and "social engineering"

Social engineering and Phishing are both about tricking you into revealing information. The differences are:

  • phishing works by targeting large numbers of people, in the hope that some of them will "click"
  • phishing usually comes as some kind of link, luring you to click on it
  • social engineering is much more deliberate, targeting one or just a few people to find their weak points
  • social engineering can come from anywhere, for example: someone phoning pretending to be from your bank or from the IT department.

Social engineering tricksters are very good at finding all kinds of ways of getting people to reveal small facts. They combine these to form an overall picture of how to attack you, trick you, or steal things from you.

If you believe you have been sent a phishing email, please report it to the IS Helpline. If you clicked on links in the contents of it, then please reset your University password and report it immediately to the IS Helpline:

Resetting your University password

How phishing attacks work

When you click on a link, you normally hope it would take you to the web page that you intended. However it could:

  • download and run a program on your computer (including one that would install malware)
  • reveal something about you or your computer (that an attacker could use against you)
  • lure you to a website which looks legitimate but gets you to provide personal information, or to download and run malware

Phishing links come to you via email, are on websites, or can be in any kind of document that contains active links including Word and PDF documents.


The University is now undertaking siumulated phishing training for staff, providing immediate training for those that interact with the emails and building resilience.

Further information on Simulated Phishing 


Identifying and avoiding phishing attacks

Most basic phishing attacks are fairly obvious, and you can easily avoid clicking on the links that they contain. You can recognise that the email message is none of your business. They often:

  • have generic greetings
  • request personal information such as your password or bank details
  • are short, vague, or odd sounding
  • contain unexpected attachments
  • contain poor spelling or grammar


How to examine links before you click on them

If there is anything suspicious about a link, you should examine it before you click on it.

  • Instead of clicking on the link with your main mouse button, hover over it and click with the other mouse button.
  • Select [Copy Link] (or [Copy shortcut]) from the menu which pops up from your mouse.
  • Paste a copy of the link into a safe window. (We recommend you use a notepad window for this, or a basic text editor. )
  • Look at the link carefully to see if it looks credible. For example, if the hyperlink seems to be from your bank, make sure it would go to your bank’s website, and not to something with a different name.

If in doubt, do not click on the link.


Two-stage phishing attacks

It is more difficult to avoid phishing attacks if they seem to come to you from a friend or colleague. This is why more sophisticated phishing attacks work in two stages.

  • Stage one: send thousands of emails, and hope someone clicks them
  • Stage two: gather all email addresses from a computer that was attacked and send a more convincing phishing message to those addresses, often from the compromised email address.

A recipient of a second stage attack is much more likely to click on a link that seems to have come from a friend. The person who designed the phishing attack knows this, and can make the second stage much more carefully crafted and convincing. This means that the attack can spread even further or deeper. So you need to be vigilant about links you receive, including when they seem to be from your friends and colleagues.




More advice

There is lots of good advice on the web that can help you avoid phishing, and you might find some easier to follow than the advice on this page. Here is a selection:

Training from

Advice from microsoft

Advice from Apple

Advice from British Telecom


Related links

Dangerous messages