AVOID EMAIL SCAMS

Every year, cyber criminals use hoax 'phishing' emails to trick millions of people into parting with critical personal information. These fake messages and websites can be very difficult to tell apart from the real thing, and the consequences of clicking on them can be devastating. They could take your money, sell your details, or hijack your accounts to launch more phishing attacks on your friends. 

At a glance:

  • Never reply to any email asking for your passwords, PINs or other account details. Ever.
  • Make sure you know how to spot phony links and websites.
  • Don't open attachments unless you completely trust where they have come from.
  • If in doubt, always check with your local IT team, helpdesk or service provider.

Only as strong as the weakest link

The University is a prime target for email phishing attacks. University accounts can give attackers access to a whole host of personal and confidential data and nearly 80% of malware attacks globally come from email scams. Most people don’t fall for these attacks but it only takes a handful to have a significant impact. Just one compromised account being used to send out spam could result in the University’s entire email service being blacklisted. Here’s what to do to avoid and react to phishing attacks at Oxford:

Don't:

  • Give your password to anyone. IT Services will never ask you for your password.
  • Click on email links for University services. Go to the site manually instead.
  • Reply. Ever.
  • Think that https:// or the green padlock means a site is safe by default - certificates are cheap and easy to buy, so a scam site can show a padlock too.
  • Report spam and phishing attacks against other organisations (e.g. banks) to us – unfortunately, we can't help in those situations.
  • Fret that your account will be disabled. If in doubt, contact the IT Services Help Desk.
  • Keep it to yourself. Warn colleagues when you notice new phishing attacks.


Why phishing works

Phishing really is like dangling a hook in a big pond and waiting for someone to bite. The emails can be extremely convincing, especially if you're ploughing through a mountain of emails on autopilot. The bad guys can send thousands of emails for next to nothing and only need one or two replies to get a return on their investment. It's also really easy to make emails and links look as though they come from, say, your bank or email provider. Websites can also be made to look just like the real thing and the only sign it's a scam may be the address in the menu bar.

What phishing emails look like

There are several tell-tale signs that most (though not all) phishing emails exhibit:

  • Asking you for a password, PIN or other personal information.
  • Warning you about some problem or imminent threat (for example: “If you don't respond within 48 hours, your account will be closed”).
  • Using technical jargon and an incentive to part with your data (for example: “We are asking for your password as we are refreshing our database to create more space for you”).
  • Asking you to open an attachment or make a donation.
  • Relating to news items and upcoming public events (for example, tax return deadlines).
  • Poor spelling and grammar.
  • Using generic greetings such as “Dear Bank Customer” or “Dear Email User”.

How to spot fake links and websites

The key to spotting phishing emails and websites is in the links and website addresses (known as URLs). Scammers can replicate legitimate sites down to the last pixel. However, while the links and website addresses they use can be deceptively similar, they can’t be identical. Here's how to pick a URL apart:

Tip: The important bit (the domain name followed by the top-level domain, if you want to get technical) is barclays.co.uk in the examples below. Modern web browsers highlight this bit for you in the address bar.

If barclays.co.uk remains “intact”, and is the last thing before the first single forward slash (or at the very end if there is no forward slash), you should be able to trust the URL.

Examples:

  http://www.barclays.co.uk
  https://evil-scam-at.barclays.co.uk
  http://barclays.co.uk/log-in

Tip: Be wary of dots and/or dashes after barclays.co.uk, and of a forward slash at any point before barclays.co.uk.

Examples:

  http://barclays.co.uk.log-in.com/
  http://example.com/barclays.co.uk/login

Tip: Don't trust URLs using numbers instead of words.

Example:

  https://172.29.236.55/barclays/login.html

Tip: Don't let similar domain names trick you - look up the real website on a search engine to get the genuine address.
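The URL rule above can be written down as a small checker. This is an added example, not code from the page or from IT Services: it takes the expected domain (barclays.co.uk) and a URL, pulls out the real hostname, and applies the page's three tests in turn (numeric address, expected domain at the end of the hostname, expected domain appearing somewhere else in the URL). The lookalike domain barc1ays.co.uk is a constructed example; the other URLs are the page's own.

```python
"""Apply the page's URL rule: the expected domain must be the whole hostname,
or the end of it, immediately before the first single forward slash.

Added example, not the page's own code. It deliberately uses only the
standard library so it runs anywhere.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "barclays.co.uk"


def url_host(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a URL, or None if there is none."""
    url = url.strip()
    # Without a scheme, urlsplit would treat the whole string as a path.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_ip_literal(host: str) -> bool:
    """True for numeric addresses such as 172.29.236.55 (or an IPv6 literal)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_belongs_to(host: str, expected: str) -> bool:
    """The hostname is the expected domain or a subdomain of it."""
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def check_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> Tuple[bool, str]:
    """Return (trustworthy, reason) according to the page's rule."""
    host = url_host(url)
    if host is None:
        return False, "no hostname in URL"
    if is_ip_literal(host):
        return False, "numeric address %s instead of a name" % host
    if host_belongs_to(host, expected_domain):
        return True, "host %s ends with %s" % (host, expected_domain)
    if expected_domain in url.lower():
        # The brand appears in the URL, but the actual site is somewhere else.
        return False, "%s appears in the URL but the real host is %s" % (expected_domain, host)
    return False, "host %s is not %s" % (host, expected_domain)


# The page's examples plus one constructed lookalike (barc1ays, digit one).
EXAMPLE_URLS = [
    "http://www.barclays.co.uk",
    "https://evil-scam-at.barclays.co.uk",
    "http://barclays.co.uk/log-in",
    "http://barclays.co.uk.log-in.com/",
    "http://example.com/barclays.co.uk/login",
    "https://172.29.236.55/barclays/login.html",
    "http://barc1ays.co.uk/login",  # constructed lookalike
]


def classify_examples() -> dict:
    """Map each example URL to its (trustworthy, reason) verdict."""
    return {u: check_url(u) for u in EXAMPLE_URLS}


if __name__ == "__main__":
    for url, (ok, why) in classify_examples().items():
        print("%-45s %s  (%s)" % (url, "OK " if ok else "NO ", why))
```

The checker only knows about one expected domain, which is the point: a user who types in the bank's real address once can compare any link against it. Note that evil-scam-at.barclays.co.uk passes, exactly as the page says it should, because subdomains belong to whoever controls barclays.co.uk.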

More ways to protect yourself from phishing 

Use the 'junk mail' filter in your email client to block spam.

Make sure a text link is not “disguising” a rogue URL (hover over it to display the URL in the bottom left corner of your screen, or follow this guidance if it's a short URL such as Bit.ly).

Don't follow links in emails that ask you to enter or change personal account information. Go directly to the website and log in to your account in the normal way.

Don't open attachments that you are not expecting, especially from senders that you do not recognise.

Never trust the sender name or the address in the 'from' field. Unlike URLs, these are easily forged to mimic a genuine sender.
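To see why the 'from' field proves nothing, it helps to look at the raw headers of a message. The following is an added example, not code from the page: it parses a constructed message (all addresses in it are placeholders) and separates the display name, which is free text, from the actual address, then compares that address with the Reply-To and Return-Path headers, which is where a forged sender usually gives itself away.

```python
"""Pull the sender-related headers out of an email and flag mismatches.

Added example, not the page's own code. The message is constructed for
illustration; every address in it is a placeholder.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Constructed phishing-style message: a bank-like display name on an
# unrelated address, replies routed elsewhere, and a third domain in the
# envelope sender (Return-Path is added by the receiving mail server).
CONSTRUCTED_MESSAGE = """\
Return-Path: <bounce-1234@relay.example.net>
From: "Barclays Online Banking" <security@bank-lookalike.example.com>
Reply-To: <collect@freemail.example.org>
To: <someone@example.ac.uk>
Subject: Your account will be closed in 48 hours

Please confirm your password at the link below.
"""


def addr_domain(header_value: str) -> str:
    """Domain part of the address in a header value, '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_summary(raw: str) -> Dict[str, str]:
    """Display name and domains of From, Reply-To and Return-Path."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    return {
        "display_name": name,
        "from_address": addr,
        "from_domain": addr_domain(msg.get("From", "")),
        "reply_to_domain": addr_domain(msg.get("Reply-To", "")),
        "return_path_domain": addr_domain(msg.get("Return-Path", "")),
    }


def sender_warnings(raw: str) -> List[str]:
    """Human-readable warning signs found in the sender headers."""
    s = sender_summary(raw)
    warnings = []
    # The display name is whatever the sender typed; show it beside the
    # address it is attached to so the reader judges the address, not the name.
    if s["display_name"]:
        warnings.append("display name %r is attached to %s" % (s["display_name"], s["from_address"]))
    if s["reply_to_domain"] and s["reply_to_domain"] != s["from_domain"]:
        warnings.append("replies go to %s, not to the displayed sender domain %s"
                        % (s["reply_to_domain"], s["from_domain"]))
    if s["return_path_domain"] and s["return_path_domain"] != s["from_domain"]:
        warnings.append("envelope sender is at %s while From claims %s"
                        % (s["return_path_domain"], s["from_domain"]))
    return warnings


if __name__ == "__main__":
    for w in sender_warnings(CONSTRUCTED_MESSAGE):
        print("-", w)
```

Mismatches between these headers are a warning sign, not proof: newsletters and ticketing systems legitimately route replies elsewhere. What the check does show is that the name and address you see in your mail client are just two of several strings the sender controls, which is why the page tells you not to rely on them.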

Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites.

Check for a green padlock icon in the address bar before submitting personal details on a website so you know the connection is secure. (But still check the URL is what you are expecting).
