Skip to content Accessibility statement
Menu
Close
Search
Close
IT Services
HomeIT ServicesCyber securityPhishing, fraud and scams

Phishing, fraud and scams

Never reveal your login details or personal information to anyone via email, text or phone. It may be a fraudulent attempt to steal your data.

What are phishing scams?

Phishing scams are a sneaky way cybercriminals try to steal your personal information, usually as a way to take money from you. They use various social engineering tactics to trick you, pressure or scare you.

They might: 

  • ask for personal details, such as bank details and passwords
  • create urgency, such as scaring you into clicking a link or downloading something quickly
  • claim to have sensitive content, such as images or videos of you in compromising situations and demand a payment
  • pretend to be someone you trust, such as your bank, university, friend or colleague
  • promise something too good to be true, such as money, a job or a grant that you haven’t applied for.

Once sensitive information is captured, attackers can exploit it for various malicious purposes, including identity theft, financial fraud or ransomware.

Phishing types

There are several types of phishing scams. Here are some common ways cybercriminals target University staff and students.

  • Emails: you might receive emails that seem to be from trusted sources like your bank or the University, but they're traps. Opening links and attachments can harm your computer with malicious content
  • SMS: beware of suspicious text messages that might ask you to click links or provide personal information. 
  • Voice: watch out for phone calls from scammers who pretend to be from legitimate organisations.
  • Social media: cybercriminals often use social media platforms to target you with fake profiles or malicious links. They might try to befriend you or send you enticing messages to lure you into a trap. Learn more about social media risks and advice.
  • Web push notifications: a web browser feature that allow websites to send you alerts – even when the site isn’t open. Scammers abuse them to send fake warnings and clickbait. Learn more about web push notification scams.
  • QR codes: attackers could use QR codes (for example, in emails, social media, printed flyers or public spaces) to redirect you to malicious websites or prompt you to download harmful content. 
  • Sextortion: scammers might threaten to share intimate pictures, videos or information of you, unless you pay them or do something. 

Top tips to protect yourself 

  • Never share personal information via email, text or phone calls. 
  • Be wary of generic greetings like "Dear user".
  • Check links to see the real destination before opening them. On computers, you can do this by hovering over the link.  On mobile devices, hold down the link until it's surrounded by a bubble.
  • Don't click links or open attachments from messages that are suspicious or unexpected. Links often lead to fake websites designed to steal your data - always check the validity of a site before entering your details. Opening links and attachments can also infect your device with malware.
  • Be cautious of unexpected messages and verify the sender. Search for the organisation or sender independently to find their official website, social media or contact details. Follow up with them separately to check if the message is legitimate. 
  • If in doubt, contact IT Services or delete the message.

Learn how to spot scams

How to spot suspicious emails

Simple ways you can verify whether an email is authentic. These practical steps will help you avoid becoming a victim to phishing attempts and keep information safe.

Real examples and clues

Universities are a target for scammers. Browse real examples that our staff and students have received (including scammers posing as Google, Netflix and other big companies) and the clues to look for.

Bite-sized training for staff

Training to improve your cyber awareness and confidence. Recognise common pitfalls and spot potential attacks before they happen. Courses are available through our training platform, MetaCompliance.

Report a phishing email

If you receive a suspected phishing attempt to your University email account in Gmail:

  • Don’t do what the email says.
  • Report it. Select the email and in the more menu (three dots), select report phishing

When you do this, Google receives a copy of the email and any attachments, which it uses to analyse and protect others. 

If you open a link or reveal information 

If you or anyone in your department is tricked by a phishing scam, follow these steps immediately.

  1. If you’ve entered or given financial details, contact your bank and tell them that you’ve been scammed. Do not wait to contact us before doing this.
  2. Change your University account password (idm.york.ac.uk).
  3. Contact IT Services. We’ll give you specific advice and track down others who may have been affected.
  4. Follow these steps to secure a compromised or hacked account.
Bite-sized training for staff
Online training is a great way to learn about common pitfalls.
Improve your cyber awareness
Protect your information
Simple steps you can take to protect your accounts and University information.
Stay safe checklist
Protect your device from digital threats
Defend your device against malware, such as viruses, and treat an infected device.
Secure your device