Don’t get hooked: spot the signs of phishing scams

News | Posted on Wednesday 8 May 2024

We’ve recently seen an increase in the number of students receiving spam and phishing emails.

To help keep your personal information and money safe, it’s really important you learn how to spot these emails and phishing scams.

Phishing is when fraudulent emails or messages are sent to try and get you to share sensitive information such as your password or bank details. 

These emails can vary a lot but some things to look out for are: 

  • they’re unexpected and may ask you to validate or verify your account
  • they have a sense of urgency and suggest you could lose access to your account 
  • they can be poorly written and include spelling mistakes, odd formatting or poor quality images, though this isn’t always the case
  • they claim to be from someone you know or an official organisation such as the University or your bank
  • the sender’s email address might not match their name
  • they might be warning you that you’ve become a victim of a phishing attack already, and ask for your information to protect you
  • they might claim that you’ve been implicated in a crime and need to make a payment to avoid being charged
  • a link in an email might not lead where you expect it to - it might say ‘www.york.ac.uk’ but it could be coded to point anywhere. Hover over it to see whether the actual URL it points to is the same as the URL in the text.
  • they might claim to have access to your computer, and demand payment (sometimes in Bitcoin) to stop them sharing your information. They might try to prove this by giving you an example of a password that you’ve used before with other online services that have suffered a data breach.

Keeping yourself secure 

Never respond to a request to send your password or two-factor authentication code via email. The message should simply be deleted.

Before you log in or enter your details into a website, make sure you’re on the correct site. Fraudsters can make convincing copies of other people’s websites, so you should always check the URL at the top of the page.

If you’re unsure whether a page asking for your University username and password is genuine, please contact IT Support. 

If you've already replied to a phishing email 

If IT Services suspect your account has been compromised in any way, they will lock/disable it until they have spoken with you and made sure that it is secure. If you are unable to log in please contact IT Support. 

If you, or your friends, fall for a phishing scam:

  1. If any bank details are involved, contact your bank immediately.
  2. Change your University account password. 
  3. Contact IT Support who will:
    • help you make sure your account is fully secured
    • provide advice specific to the particular compromise
    • track down other users who may have been affected