Spam: unwanted, junk email, typically sent to large numbers of people, for the purposes of advertising, phishing, spreading malware, etc.
Phishing: fake email messages that claim to be from an organisation that you may trust (eg universities or banks). Often ask you to provide your personal details by replying or clicking a link. They may suggest you'll lose your account if you don't do so.
1. Look after your password
Don't tell anyone your password
Library & IT Help Desk staff will never ask you for your password, and neither should any other organisation.
Don't log in to a website after following a link from an email
Visit the site separately, and check that it's legitimate.
3. Learn to spot fake emails and websites
A guide to recognising scam messages:
Can you tell the real websites from the phishing sites?
Watch our video:
To protect your own data and that of other people, it's vital that you learn how to spot phishing messages and other scams, and that you make sure your students and colleagues are aware of this too.
If you think you have given away your details to phishers, or you're unsure about a message, get in touch with us as soon as possible:
If you, or anyone in your department, fall for a phishing scam:
1. Report to your bank immediately if any bank details are involved
2. Change your University account password
3. Contact the Library & IT Help Desk, who will:
4. Follow our advice to protect your account:
Sometimes scammers target members of the University, either with specific details, or by pretending to be IT Services or other departments.
Always be wary of unexpected emails, no matter how genuine they seem.
We have seen cases where people have typed in their University username and password into a phishing site, and then discovered that someone had accessed their Google Mail account and set up their email to be forwarded elsewhere.
Other people have found that all of their email messages have been deleted.
At the University, we have seen instances where:
In both cases, members of the University were taken in by the messages, and provided details including bank account numbers and online banking passwords.
Giving this information can result in you losing control of your bank account.
Identity theft happens when someone has enough information about your identity (such as your name, date of birth, current or previous addresses) to commit identity fraud.
Identity fraud can have a direct impact on your personal finances and could also make it difficult for you to obtain loans, credit cards or a mortgage until the matter is resolved.
Fraudsters can use your identity details to:
Do not respond to a request to send your password via email. The message should simply be deleted.
You should always check the validity of a site before entering your details.
University of York sites asking for your username and password will password will generally begin one of the following:
Web pages which don't include www.york.ac.uk at the start of the url - for example 'https://www.yorkit.com/www.york.ac.uk/login/', or don't include it at all, are unlikely to be genuine.
There are always exceptions, for example the ComplyWise service used for online Health and Safety training - it's ok to check if you're not sure.
If a phishing message that you've received looks particularly convincing, please forward it to firstname.lastname@example.org, as we may be able to trace other University members who have unknowingly been caught out by it.
Google Mail's spam service stops most spam, phishing and other scam email from reaching your inbox.
However, because spammers constantly change the messages they are sending, and the email addresses that they send from, the first few messages sent in any run will often get through.
If Google become aware that an account may have been compromised, they will suspend it and alert IT Services.