Avoid Phishing Emails

Don't click on Phishing Links: it's the most common kind of attack. Learn how to spot them and avoid them.

If you believe you have been sent a phishing email, please report it to the IT Service Desk. DO NOT FORWARD the email to IT or anyone else. If you clicked on the contents of the email, please reset your University password and report it immediately to the IT Service Desk.

How to contact the IT Service Desk is on the ICT webpage - see 'Where to Get Help'

How phishing attacks work

When you click on a link, you expect it to take you to a web page or open a document as intended. However, it could:
  • Download and run a program on your computer (including one that would install malware)
  • Reveal something about you or your computer (that an attacker could use against you)
  • Lure you to a website which looks legitimate but gets you to provide personal information, or to download and run malware
Phishing links come to you via email, are on websites, or can be in any kind of document that contains active links including Word and PDF documents.

How to avoid being caught

  • NEVER respond to an email asking you for your account details and NEVER disclose your password to anyone. The University or legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
  • ONLY click on links from trusted sources. Malicious email links can infect your computer or take you to web pages designed to steal your information. Never click on a mystery link unless you have a way to independently verify that it is safe.
  • DO NOT open unsolicited or unexpected attachments. Malicious attachments can infect your computer. If you cannot verify that an attachment is legitimate, delete it.
  • DELETE all suspicious emails immediately. Do not forward them to colleagues or IT Support.

How to spot a phishing email

  • Look-and-feel: Be wary of emails which contain obvious spelling mistakes, poor grammar, or inferior graphics.
  • Urgent action required: Be wary of emails containing phrases like "your account will be closed," "your account has been compromised," or "urgent action required." The fraudster is taking advantage of your concern to trick you into providing confidential information.
  • Generic greeting: Fraudsters use automated programs to send thousands of malicious emails simultaneously. They may have your email address, but they seldom have your name. Be sceptical of an email sent with a generic greeting such as "Dear Customer" or "Dear Member."
  • The sender's email address: Is it similar to, but not identical to a company's official email address? (e.g. info@worrc.com instead of info@worc.ac.uk) These email addresses are meant to fool you. In some cases fraudsters can forge the "From" address to look like a legitimate corporate address (e.g. @worc.ac.uk). Because of this, the "From" address is just one factor to consider when deciding if an email is trustworthy. (See also 'Tips to spot fake links' below)
  • Links to a fake web site: Fraudsters often include a link to a fake web site that looks like the sign-in page of a legitimate web site. Just because a site includes a company's logo or looks like the real page doesn't mean it is! (see also 'Tips to spot fake links' below)
  • Masked links: Links that look like they go to the real web site, but don't. For example, the link text may say "University of Worcester ICT Support" but if you hover your mouse pointer over it you will see the link's real destination.

What to do if you think your account has been compromised

If you think your account has been compromised - Don't Panic
  • Change your password immediately
  • Contact the IT Service Desk immediately
  • DO NOT forward the email to the IT Service Desk or anyone else as you will spread any viruses it may contain

Phishing and "social engineering"

Whilst some malicious email is obvious, others can be quite sophisticated and it can be difficult to recognise what is genuine. Social engineering and Phishing are both about tricking you into revealing information. The differences are:
  • Phishing works by targeting large numbers of people, in the hope that some of them will "click"
  • Phishing usually comes as some kind of link, luring you to click on it
  • Social engineering is much more deliberate, targeting one or just a few people to find their weak points
  • Social engineering can come from anywhere, for example someone phoning pretending to be from your bank or the IT department
Social engineering tricksters are very good at finding all kinds of ways of getting people to reveal small facts. They combine these to form an overall picture of how to attack you, trick you, or steal things from you and potentially hack the University network.

Two-stage phishing attacks

It is more difficult to avoid phishing attacks if they seem to come to you from a friend, colleague, or even student. This is why more sophisticated phishing attacks work in two stages:
  • Stage One: Thousands of phishing emails are sent out with the hope that someone falls for them and responds by clicking on a link or attachment or reveals information such as a password
  • Stage Two: The attacker gathers all email addresses from a computer that was compromised and sends a more convincing phishing message to those addresses, often from the compromised email address.
A recipient of a second stage attack is much more likely to click on a link that seems to have come from a trusted address. The person who designed the phishing attack knows this, and can make the second stage much more carefully crafted and convincing. This means that the attack can spread even further or deeper. So you need to be vigilant about links you receive, including when they seem to be from friends, colleagues and students.

The key to spotting phishing emails and websites is in the links and website addresses (otherwise known as URLs).  Scammers can replicate legitimate sites down to the last pixel.  However, while the links and website addresses they use can be deceptively similar, they can't be identical.


Here's how to pick a URL apart using Barclays bank as an example:

Barclays Bank URL is http://www.barclays.co.uk

The important bit (the domain name followed by the top-level domain) is barclays.co.uk

To make it easier, modern web browsers highlight this bit for you.

Trustworthy URLs

  • As long as barclays.co.uk remains intact and is the last thing before the first single forward slash (or at the very end if there is no forward slash), you should be able to trust the URL. e.g:
http://evil-scam-at.barclays.co.uk would still be a genuine Barclays URL
barclays.co.uk followed by a forward slash, as in http://barclays.co.uk/log-in would be a genuine URL

Untrustworthy URLs

  • Be wary of dots and/or dashes after barclays.co.uk e.g. http://barclays.co.uk.log-in.com - the domain is now log-in.com
  • Be wary of any forward slashes before barclays.co.uk e.g. 

example.com is now the domain

  • Don't trust URLs using numbers instead of words (usually, these are domain names in their original IP address form, which effectively anonymises who owns the site) e.g. - in this example barclays.co.uk is no longer intact.  It has been replaced by numbers and comes after the first single forward slash, so this would suggest a scam.

  • Don't let similar domain names trick you e.g.
https://www.barclays-real.co.uk/ - barclays-real is no more 'barclays' than 'starfish' or 'pineapples'.  Look the real website up on a search engine to make sure you know, down to every last character, what the genuine address should be
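
The trustworthy and untrustworthy URL rules above, written as a small Python check. This is an added example, not part of the original guidance; the function name classify_link and the example.com and 192.0.2.10 URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def classify_link(url, expected_domain):
    """Judge a full URL (with http:// or https://) against the domain you expect."""
    # The host is everything between "//" and the first single forward slash.
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "untrusted: malformed URL"
    expected = expected_domain.lower()
    if not host:
        return "untrusted: no host found"
    # "Numbers instead of words": the host is a raw IP address.
    try:
        ipaddress.ip_address(host)
        return "untrusted: numeric address"
    except ValueError:
        pass
    # Trusted only if the expected domain is the END of the host,
    # either exactly or after a dot (a genuine subdomain).
    if host == expected or host.endswith("." + expected):
        return "trusted"
    # The expected name is present, but it sits in front of another domain
    # or after the first single forward slash.
    if expected in url.lower():
        return "untrusted: expected name is not the domain"
    return "untrusted: different domain"


# The first five URLs appear on this page; the last two are constructed samples.
SAMPLES = [
    "http://www.barclays.co.uk",
    "http://evil-scam-at.barclays.co.uk",
    "http://barclays.co.uk/log-in",
    "http://barclays.co.uk.log-in.com",
    "https://www.barclays-real.co.uk/",
    "http://example.com/barclays.co.uk/log-in",  # constructed
    "http://192.0.2.10/barclays.co.uk/",         # constructed
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_link(url, 'barclays.co.uk'):45} {url}")
```
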

If an email directs you to a completely random site, such as a Google spreadsheet for example, never put in your password or other data. 

As well as looking for fake web or link addresses there are several other useful tools and tactics you can employ to protect yourself from phishing attacks:

  • Use the junk mail filter in Outlook to block spam
  • Make sure the link text inviting you to click through to a website is not disguising a rogue URL (hover over it to display the URL in the bottom left corner of your screen, or follow the guidance if it's a short URL such as Bit.ly or TinyURL, etc.)
  • Don't follow links in emails that ask you to enter or change personal account information.  If you want to verify or perform any requests, go directly to the website in question and log into your account in the normal way
  • Never trust the sender name or the address in the 'from' field.  Unlike true URLs, these are easily forged to mimic a genuine sender exactly
  • Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites
  • Before submitting personal details on any website, always check for the green padlock icon in the address bar at the beginning of the website address - this tells you that the connection is secure (i.e. - encrypted)
  • However, criminals can still create encrypted scam websites, so a green padlock is not a guarantee of safety.  You still need to be eagle-eyed about checking the address is exactly what you are expecting it to be (and not bbbbc.co.uk, barcleys.co.uk, amazOn.com, etc)

If you receive a phishing email that asks for University credentials such as your password, contact the IT Service Desk.  Do not forward the email to anyone, including IT, unless they specifically ask you to.  

The University will never ask for your password or other details, either by email or by phone

Delete all other phishing emails and/or report them to the organisation they were masquerading as - links are available below for some of the most commonly targeted sites.

You can often report fraudulent sites using your web browser (Mozilla Firefox has this functionality) or service provider

If you have given away a password, PIN, your banking details, or other sensitive data, change the password and inform the relevant service provider immediately. 

Contact Details

Information Governance
Edward Elgar Building
University of Worcester
Henwick Grove
Worcester  WR2 6AJ

Email: infoassurance@worc.ac.uk

Tel: 01905 543032/ 01905 855014