Spam and phishing emails

Spam: unwanted, junk email, typically sent to large numbers of people, for the purposes of advertising, phishing, spreading malware, etc.

Phishing: fake email messages that claim to be from an organisation that you may trust (eg universities or banks). They often ask you to provide your personal details by replying or clicking a link, and may suggest you'll lose your account if you don't do so.

3 steps to staying safe

1. Look after your password

Don't tell anyone your password

Library & IT Help Desk staff will never ask you for your password, and neither should any other organisation.

Don't log in to a website after following a link from an email

Visit the site separately, and check that it's legitimate.

2. "Don't get hooked" - print the poster


3. Learn to spot fake emails and websites

A guide to recognising scam messages:

Can you tell the real websites from the phishing sites?

Watch our video:

Spam targeting York students and staff

To protect your own data and that of other people, it's vital that you learn how to spot phishing messages and other scams, and that you make sure your students and colleagues are aware of this too.

Contact us

If you think you have given away your details to phishers, or you're unsure about a message, get in touch with us as soon as possible:

I think I've fallen for a phishing scam. What do I do?

If you, or anyone in your department, fall for a phishing scam:

1. Report to your bank immediately if any bank details are involved

2. Change your University account password

3. Contact the Library & IT Help Desk, who will:

  • Help you make sure your account is fully secured
  • Provide advice specific to the particular compromise
  • Track down other users who may have been affected

4. Follow our advice to protect your account:

How has the University of York been targeted?

Sometimes scammers target members of the University, either with specific details, or by pretending to be IT Services or other departments.

For example:

  • Email messages appearing to be from IT Services, asking for your username and password, and saying that your email account will be closed if you don't reply.
  • Some students have received emails appearing to be from the Student Loans Company.
  • Some staff have received very targeted emails which address them using their name, and which refer to their academic or professional interests - for example, referring to papers that they've written. These messages include links which purportedly allow them to view useful information or submit new papers. The links request a username and password.
  • Compromised accounts are often then used to send spam emails. If you're sent an email, it may not be from the person it appears to be from.
  • We've also seen Google forms used in phishing attempts, and you're reminded never to submit personal details like your password via a Google form (or other form service).

Always be wary of unexpected emails, no matter how genuine they seem.

What's the worst that could happen?

York account accessed

We have seen cases where people have typed their University username and password into a phishing site, and then discovered that someone had accessed their Google Mail account and set up their email to be forwarded elsewhere.

Other people have found that all of their email messages have been deleted.

Bank account accessed

At the University, we have seen instances where:

  • students have received emails pretending to be from the Student Loans Company
  • staff have received emails about tax refunds.

In both cases, members of the University were taken in by the messages, and provided details including bank account numbers and online banking passwords.

Giving this information can result in you losing control of your bank account.

Identity theft

Identity theft happens when someone has enough information about your identity (such as your name, date of birth, current or previous addresses) to commit identity fraud. 

Identity fraud can have a direct impact on your personal finances and could also make it difficult for you to obtain loans, credit cards or a mortgage until the matter is resolved.

Fraudsters can use your identity details to:

  • Open bank accounts.
  • Obtain credit cards and loans
  • Order goods in your name
  • Take over your existing accounts
  • Take out mobile phone contracts
  • Obtain documents such as passports and driving licences in your name

What should I do if I receive a suspicious email?

Do not respond to a request to send your password via email. The message should simply be deleted.

You should always check the validity of a site before entering your details.

University of York sites asking for your username and password will generally begin with one of the following:

  • https://www.york.ac.uk
  • https://shib.york.ac.uk
  • https://deptname.york.ac.uk
  • https://www.deptname.york.ac.uk
  • https://www.yusu.org (York Students' Union site)

What matters is the part of the address immediately after 'https://' (the host name), not whether 'york.ac.uk' appears somewhere in the address. A page whose host name is not york.ac.uk, a subdomain of it, or www.yusu.org - for example 'https://www.yorkit.com/www.york.ac.uk/login/', where the host is actually www.yorkit.com and 'www.york.ac.uk' is only part of the path - is unlikely to be genuine.
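The following is an added example, not code from this page or from the University's IT Services, showing how the check described above is done properly: parse the address, extract the host name, and compare that (not the whole address) against the genuine domains. It assumes that york.ac.uk and yusu.org, together with any of their subdomains, are the only acceptable login domains; the sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains listed on this page are treated as an allow-list
# of registrable domains. Any subdomain (shib.york.ac.uk, deptname.york.ac.uk)
# is accepted; a look-alike such as evilyork.ac.uk or www.york.ac.uk.evil.example
# is not, because the comparison respects the dot boundary.
TRUSTED_DOMAINS = ("york.ac.uk", "yusu.org")


def is_trusted_login_url(url: str) -> bool:
    """Return True only if the address uses https and its host name is one of
    TRUSTED_DOMAINS or a subdomain of one.

    The decision is made on the parsed host name, never on a substring of the
    whole address, so 'www.york.ac.uk' appearing in the path, the query string
    or the user-info part before an '@' does not count.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        # Malformed address (e.g. unbalanced IPv6 brackets): treat as untrusted.
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lower-cased; port and 'user:pass@' already stripped
    if not host:
        return False
    host = host.rstrip(".")  # 'www.york.ac.uk.' is the same host as 'www.york.ac.uk'
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(urls):
    """Map each address to 'genuine' or 'suspicious' using the host-name check."""
    return {u: ("genuine" if is_trusted_login_url(u) else "suspicious") for u in urls}


if __name__ == "__main__":
    # Constructed sample addresses, mixing the patterns the page lists with the
    # tricks phishers use (domain in the path, domain as a prefix of a longer
    # host, domain before an '@', plain http).
    samples = [
        "https://www.york.ac.uk/login",
        "https://shib.york.ac.uk/idp/profile",
        "https://www.yusu.org/",
        "https://www.yorkit.com/www.york.ac.uk/login/",
        "https://www.york.ac.uk.evil.example/login",
        "https://york.ac.uk@evil.example/login",
        "https://evilyork.ac.uk/login",
        "http://www.york.ac.uk/login",
    ]
    for url, verdict in classify(samples).items():
        print(f"{verdict:10s} {url}")
```

Note the limits of this check: it does not detect look-alike characters in an internationalised host name, and it cannot tell you that a genuine york.ac.uk page has itself been compromised. It is a quick first filter, not a replacement for contacting the Library & IT Help Desk when in doubt.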

Do I need to contact the Library & IT Help Desk?

If you are unsure whether a page asking for your University username and password is genuine, please contact your DCO or the Library & IT Help Desk for advice.

There are always exceptions, for example the ComplyWise service used for online Health and Safety training - it's ok to check if you're not sure.

If a phishing message that you've received looks particularly convincing, please forward it to itsupport@york.ac.uk, as we may be able to trace other University members who have unknowingly been caught out by it.

What is being done to stop the messages?

Google Mail's spam service stops most spam, phishing and other scam email from reaching your inbox.

However, because spammers constantly change the messages they are sending, and the email addresses that they send from, the first few messages sent in any run will often get through.

If Google become aware that an account may have been compromised, they will suspend it and alert IT Services.