Avoid Phishing Emails

Don't click on Phishing Links: it's the most common kind of attack. Learn how to spot them and avoid them.

If you believe you have been sent a phishing email, please report it to the IT Service Desk.  DO NOT FORWARD the email to IT or anyone else.  If you clicked on the contents of the email then please reset your University password and report it immediately to the IT Service Desk

How to contact the IT Service Desk is on the ICT webpage - see 'Where to Get Help'

How phishing attacks work

When you click on a link, you expect it will take you to the web page, or open a document as intended. However it could:

• Download and run a program on your computer (including one that would install malware)
• Reveal something about you or your computer (that an attacker could use against you)
• Lure you to a website which looks legitimate but gets you to provide personal information, or to download and run malware

Phishing links come to you via email, are on websites, or can be in any kind of document that contains active links including Word and PDF documents.

How to avoid being caught

• NEVER respond to an email asking you for your account details and NEVER disclose your password to anyone. The University or legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
• ONLY click on links from trusted sources. Malicious email links can infect your computer or take you to web pages designed to steal your information. Never click on a mystery link unless you have a way to independently verify that it is safe.
• DO NOT open unsolicited or unexpected attachments. Malicious attachments can infect your computer. If you cannot verify that an attachment is legitimate, delete it.
• DELETE all suspicious emails immediately. Do not forward it to colleagues or IT Support.

How to spot a phishing email

• Look-and-feel: Be wary of emails which contain obvious spelling mistakes, poor grammar, or inferior graphics.
• Urgent action required: Be wary of emails containing phrases like "your account will be closed," "your account has been compromised," or "urgent action required." The fraudster is taking advantage of your concern to trick you into providing confidential information.
• Generic greeting: Fraudsters use automated programs to send thousands of malicious emails simultaneously. They may have your email address, but they seldom have your name. Be sceptical of an email sent with a generic greeting such as "Dear Customer" or "Dear Member."
• The sender's email address: Is it similar to, but not identical to a company's official email address? (e.g. info@worrc.com instead of info@worc.ac.uk) These email addresses are meant to fool you. In some cases fraudsters can forge the "From" address to look like a legitimate corporate address (e.g. @worc.ac.uk). Because of this, the "From" address is just one factor to consider when deciding if an email is trustworthy. (See also 'Tips to spot fake links' below)
• Links to a fake web site: Fraudsters often include a link to a fake web site that looks like the sign-in page of a legitimate web site. Just because a site includes a company's logo or looks like the real page doesn't mean it is! (see also 'Tips to spot fake links' below)
• Masked links: Links that look like they go to the real web site, but don't. For example, the link text may say "University of Worcester ICT Support" but if you hover your mouse pointer over it you will see the link's real destination.

What to do if you think your account has been compromised

If you think your account has been compromised - Don't Panic

• Change your password immediately
• Contact the IT Service Desk immediately
• DO NOT forward the email to the IT Service Desk or anyone else as you will spread any viruses it may contain

Phishing and "social engineering"

Whilst some malicious email is obvious, others can be quite sophisticated and it can be difficult to recognise what is genuine. Social engineering and Phishing are both about tricking you into revealing information. The differences are:

• Phishing works by targeting large numbers of people, in the hope that some of them will "click"
• Phishing usually comes as some kind of link, luring you to click on it
• Social engineering is much more deliberate, targeting one or just a few people to find their weak points
• Social engineering can come from anywhere, for example someone phoning pretending to be from your bank or the IT department

Social engineering tricksters are very good at finding all kinds of ways of getting people to reveal small facts. They combine these to form an overall picture of how to attack you, trick you, or steal things from you and potentially hack the University network.

Two-stage phishing attacks

It is more difficult to avoid phishing attacks if they seem to come to you from a friend, colleague, or even student. This is why more sophisticated phishing attacks work in two stages:

• Stage One: Thousands of phishing emails are sent out with the hope that someone falls for them and responds by clicking on a link or attachment or reveals information such as a password
• Stage Two: The attacker gathers all emails addresses from a computer that was compromised and sends a more convincing phishing message to those addresses, often from the compromised email address.

A recipient of a second stage attack is much more likely to click on a link that seems to have come from a trusted address. The person who designed the phishing attack knows this, and can make the second stage much more carefully crafted and convincing. This means that the attack can spread even further or deeper. So you need to be vigilant about links you receive, including when they seem to be from friends, colleagues and students.