Accessibility statement

Bit phishy?

Posted on 30 September 2018

At this time of year, we see a lot of email scams. Make sure that your information (and your money) is safe by learning to spot what's suspicious.

Image of a laptop computer on a banner image with the words Don't fall for phishing - learn to spot scams and stay safe

To protect yourself and your personal information, you need to be able to spot phishing messages and other scams. Make sure your friends know too!

What are spam and phishing?

Spam: unwanted, junk email, typically sent to large numbers of people, for the purposes of advertising, phishing, spreading malware, etc.

Phishing: fake email messages that claim to be from an organisation that you may trust (eg universities or banks). Often ask you to provide your personal details by replying or clicking a link. They may suggest you'll lose your account if you don't do so.

How do you spot them?

We all think we won't be caught out, but every year IT Services have to lock accounts when students or staff fall victim to scams. Try out this quiz to see how good you are at identifying the fake emails:

Scam emails vary greatly; look out for all of the following but bear in mind that a phishing attempt may only feature one or two of these signs:

  • They're unexpected, and may ask you to validate or verify your account.
  • They may have a sense of urgency and suggest you could lose access to your account.
  • They may appear to be from someone you know, or from an official organisation like the University or a bank.
  • They might be poorly written, with spelling mistakes, odd formatting or poor quality images.
  • The sender's email address might not match their name.
  • They might claim to warn you that you've become a victim of a phishing attack already, and ask for your information to protect you.
  • They might claim that you've been implicated in a crime and need to make a payment to avoid charges.
  • A link in an email might not lead where you expect it to - it might say 'www.york.ac.uk' but it could be coded to point anywhere. Hover over it to see whether the actual URL it points to is the same as the URL in the text.
  • They might claim to have access to your computer, and demand payment (sometimes in Bitcoin) to stop them sharing your information. They might try to prove this by giving you an example of a password stolen from you.

What should you do?

Do not respond to a request to send your password via email. The message should simply be deleted.

Before you login or enter your details, make sure you’re on the right website. Phishers can make convincing copies of other people’s websites, so you should always check the URL at the top of the page.

If you are unsure whether a page asking for your University username and password is genuine, please contact your DCO or the Library & IT Help Desk for advice.

If a phishing message that you've received looks particularly convincing, please forward it to itsupport@york.ac.uk who may be able to trace other University members who have been caught out by it.

There's even more advice from IT Services, including tips for spotting genuine University websites, at:

What if you've replied already?

If IT Services suspect your account has been compromised in any way, they will lock/disable your account until they have spoken with you and made sure that it is secure. If you are unable to log in please contact the Library & IT Help Desk.

If you, or your friends, fall for a phishing scam:

  1. If any bank details are involved, contact your bank immediately.
  2. Change your University account password.
  3. Contact the Library & IT Help Desk, who will:
    • Help you make sure your account is fully secured
    • Provide advice specific to the particular compromise
    • Track down other users who may have been affected
  4. Follow the advice from IT Services to protect your account:

For more hints on spotting dodgy emails, watch this video produced by IT Services:

Learn how to spot phishing and spam email

Search our social media for more #UoYTips.