Avoid Phishing Emails
Don't click on Phishing Links: it's the most common kind of attack. Learn how to spot them and avoid them.
If you believe you have been sent a phishing email, please report it to the IT Service Desk. DO NOT FORWARD the email to IT or anyone else. If you clicked on the contents of the email, please reset your University password and report it immediately to the IT Service Desk.
How to contact the IT Service Desk is on the ICT webpage - see 'Where to Get Help'
How phishing attacks work
When you click on a link, you expect it to take you to the web page, or open the document, as intended. However, it could:
- Download and run a program on your computer (including one that would install malware)
- Reveal something about you or your computer (that an attacker could use against you)
- Lure you to a website which looks legitimate but gets you to provide personal information, or to download and run malware
How to avoid being caught
- NEVER respond to an email asking you for your account details and NEVER disclose your password to anyone. The University or legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
- ONLY click on links from trusted sources. Malicious email links can infect your computer or take you to web pages designed to steal your information. Never click on a mystery link unless you have a way to independently verify that it is safe.
- DO NOT open unsolicited or unexpected attachments. Malicious attachments can infect your computer. If you cannot verify that an attachment is legitimate, delete it.
- DELETE all suspicious emails immediately. Do not forward them to colleagues or IT Support.
How to spot a phishing email
- Look-and-feel: Be wary of emails which contain obvious spelling mistakes, poor grammar, or inferior graphics.
- Urgent action required: Be wary of emails containing phrases like "your account will be closed," "your account has been compromised," or "urgent action required." The fraudster is taking advantage of your concern to trick you into providing confidential information.
- Generic greeting: Fraudsters use automated programs to send thousands of malicious emails simultaneously. They may have your email address, but they seldom have your name. Be sceptical of an email sent with a generic greeting such as "Dear Customer" or "Dear Member."
- The sender's email address: Is it similar to, but not identical to a company's official email address? (e.g. firstname.lastname@example.org instead of email@example.com) These email addresses are meant to fool you. In some cases fraudsters can forge the "From" address to look like a legitimate corporate address (e.g. @worc.ac.uk). Because of this, the "From" address is just one factor to consider when deciding if an email is trustworthy. (See also 'Tips to spot fake links' below)
- Links to a fake web site: Fraudsters often include a link to a fake web site that looks like the sign-in page of a legitimate web site. Just because a site includes a company's logo or looks like the real page doesn't mean it is! (see also 'Tips to spot fake links' below)
- Masked links: Links that look like they go to the real web site, but don't. For example, the link text may say "University of Worcester ICT Support" but if you hover your mouse pointer over it you will see the link's real destination.
What to do if you think your account has been compromised
If you think your account has been compromised - Don't Panic
- Change your password immediately
- Contact the IT Service Desk immediately
- DO NOT forward the email to the IT Service Desk or anyone else as you will spread any viruses it may contain
Phishing and "social engineering"
Whilst some malicious email is obvious, other messages can be quite sophisticated and it can be difficult to recognise what is genuine. Social engineering and phishing are both about tricking you into revealing information. The differences are:
- Phishing works by targeting large numbers of people, in the hope that some of them will "click"
- Phishing usually comes as some kind of link, luring you to click on it
- Social engineering is much more deliberate, targeting one or just a few people to find their weak points
- Social engineering can come from anywhere, for example someone phoning pretending to be from your bank or the IT department
Two-stage phishing attacks
It is more difficult to avoid phishing attacks if they seem to come to you from a friend, colleague, or even a student. This is why more sophisticated phishing attacks work in two stages:
- Stage One: Thousands of phishing emails are sent out with the hope that someone falls for them and responds by clicking on a link or attachment or reveals information such as a password
- Stage Two: The attacker gathers all email addresses from a computer that was compromised and sends a more convincing phishing message to those addresses, often from the compromised email address.
The key to spotting phishing emails and websites is in the links and website addresses (otherwise known as URLs). Scammers can replicate legitimate sites down to the last pixel. However, while the links and website addresses they use can be deceptively similar, they can't be identical.
Here's how to pick a URL apart using Barclays bank as an example:
Barclays Bank's URL is http://www.barclays.co.uk
The important bit (the domain name followed by the top-level domain) is barclays.co.uk.
To make it easier, modern web browsers highlight this bit for you.
- As long as barclays.co.uk remains intact and is the last thing before the first single forward slash (or at the very end if there is no forward slash), you should be able to trust the URL. e.g:
- Be wary of dots and/or dashes after barclays.co.uk e.g. http://barclays.co.uk.log-in.com - the domain is now log-in.com
- Be wary of any forward slashes before barclays.co.uk e.g.
- Don't trust URLs using numbers instead of words (usually, these are domain names in their original IP address form, which effectively anonymises who owns the site) e.g.
- Don't let similar domain names trick you e.g.
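The rules above (the domain must be intact and be the last thing before the first single slash; beware of extra dots or dashes after it, of slashes before it, of bare IP addresses and of lookalike names) and the earlier "masked links" advice to hover and compare the visible text with the real destination can all be expressed as a small program. The script below is an added example written for this page, not the University's or any vendor's tool. The tiny public-suffix table, the two-character lookalike threshold and the sample links are assumptions made for the example; real software should use the full Public Suffix List.

```python
"""Check whether a link really leads to the domain you expect.

Added example for the 'how to pick a URL apart' section; not the page's
or the University's own code.
"""
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# ASSUMPTION: a tiny stand-in for the Public Suffix List, just enough for
# the page's examples.  Real software should load the full list
# (for example with the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "org.uk", "gov.uk"}

# Link text that itself looks like a web address (used by check_link).
ADDRESS_RE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host of a URL, or None if it has no host.

    urlparse() discards the scheme, any 'user@' prefix, the port and the
    path, which is exactly what a reader has to do by eye.
    """
    if "://" not in url:            # 'barclays.co.uk/login' has no scheme
        url = "http://" + url
    return urlparse(url).hostname


def registrable_domain(host: str) -> str:
    """The 'important bit': the name somebody actually registered.

    barclays.co.uk.log-in.com -> log-in.com
    www.barclays.co.uk        -> barclays.co.uk
    """
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for 'numbers instead of words' hosts such as 192.0.2.10."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to call out near-miss lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, expected_domain: str) -> Tuple[bool, str]:
    """Return (trusted, reason) for a URL that should belong to expected_domain."""
    host = hostname_of(url)
    if host is None:
        return False, "no host name in URL"
    if is_ip_literal(host):
        return False, f"bare IP address {host} instead of a name"
    actual = registrable_domain(host)
    expected = expected_domain.lower()
    if actual == expected:
        return True, f"host {host} is within {expected}"
    if edit_distance(actual, expected) <= 2:   # ASSUMPTION: threshold chosen for the example
        return False, f"lookalike domain {actual} (not {expected})"
    return False, f"domain is {actual}, not {expected}"


def check_link(link_text: str, href: str) -> Tuple[Optional[bool], str]:
    """Masked-link check for the 'hover over it' advice.

    When the visible text is itself an address, the real destination must be
    on that domain.  Plain text such as 'ICT Support' names no domain, so the
    result is None: only the href can be judged, with check_url().
    """
    text = link_text.strip()
    if not ADDRESS_RE.match(text):
        return None, "link text is not an address; judge the href with check_url()"
    shown = hostname_of(text)
    if shown is None:
        return False, "could not read the address shown in the link text"
    return check_url(href, registrable_domain(shown))


if __name__ == "__main__":
    # Constructed sample links modelled on the page's examples.
    samples = [
        "http://www.barclays.co.uk/personal/",        # genuine
        "http://barclays.co.uk.log-in.com",           # dots after the domain
        "http://log-in.example/barclays.co.uk/",      # slash before the domain
        "http://192.0.2.10/barclays.co.uk",           # numbers instead of words
        "http://barcleys.co.uk",                      # similar name
        "http://barclays.co.uk@log-in.example/",      # 'user@' trick
    ]
    for s in samples:
        print(f"{s:45} -> {check_url(s, 'barclays.co.uk')}")
    print(check_link("www.barclays.co.uk", "http://barclays.co.uk.log-in.com"))
```

Run the file directly to see each sample link classified with its reason; call `check_link(visible_text, href)` with the text and destination you see when hovering over a link.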
As well as looking for fake web or link addresses there are several other useful tools and tactics you can employ to protect yourself from phishing attacks:
- Use the junk mail filter in Outlook to block spam
- Make sure the link text inviting you to click through to a website is not disguising a rogue URL (hover over it to display the URL in the bottom left corner of your screen, or follow the guidance if it is a short URL such as Bit.ly or TinyURL, etc.)
- Don't follow links in emails that ask you to enter or change personal account information. If you want to verify or perform any requests, go directly to the website in question and log into your account in the normal way
- Never trust the sender name or the address in the 'from' field. Unlike true URLs, these are easily forged to mimic a genuine sender exactly
- Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites
- Before submitting personal details on any website, always check for the green padlock icon in the address bar at the beginning of the website address - this tells you that the connection is secure (i.e. - encrypted)
- However, criminals can still create encrypted scam websites, so a green padlock is not a guarantee of safety. You still need to be eagle-eyed about checking that the address is exactly what you are expecting it to be (and not bbbbc.co.uk, barcleys.co.uk, amazOn.com, etc.)
If you receive a phishing email that asks for University credentials such as your password, contact the IT Service Desk. Do not forward the email to anyone, including IT, unless they specifically ask you to.
The University will never ask for your password or other details, either by email or by phone
Delete all other phishing emails and/or report them to the organisation they were masquerading as - links are available below for some of the most commonly targeted sites.
You can often report fraudulent sites using your web browser (Mozilla Firefox has this functionality) or service provider
If you have given away a password, PIN, your banking details, or other sensitive data, change the password and inform the relevant service provider immediately.
Edward Elgar Building
University of Worcester
Worcester WR2 6AJ
Tel: 01905 543032/ 01905 855014