Phishing is the act of tricking you into giving away sensitive information or downloading malicious software onto your computer or your company's computer network.
The University is regularly targeted by such attacks, and the impact can be considerable, including financial loss, leakage of personal and business data, IT network outages, reputational damage and even fines from the Information Commissioner's Office (ICO).
Top Tips - stay safe from phishing
Help us protect your data and the University's by looking out for the most commonly deployed phishing techniques:
The message contains a mismatched URL
The URL in a phishing message may appear to be perfectly valid. However, if you hover your mouse over the link, you should see the actual hyperlinked address. If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
URLs contain a misleading domain name
People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name "info.test.com" would be a child domain of "test.com" because "test.com" appears at the end of the full domain name.
Conversely, "test.com.maliciousdomain.com" would clearly not have originated from "test.com" because the reference to test.com is on the left side of the domain name. This trick has been used countless times by phishing criminals as a way of trying to convince victims that a message came from a company like Microsoft or Apple.
The phishing attacker simply creates a child domain bearing the name Microsoft or Apple, for example. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.
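The two link checks above (displayed address versus actual hyperlink, and reading a domain name from the right) can be done mechanically. The following is an added example, not part of the University's guidance, using the page's own sample domains; `trusted_domain`, the function names and the sample links are assumptions for illustration.

```python
from urllib.parse import urlparse


def hostname_of(url: str) -> str:
    """Lowercase hostname from a URL, ignoring path, port and any userinfo.
    A bare 'test.com' (no scheme) is accepted by prepending http://."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def is_under(host: str, parent: str) -> bool:
    """True if host is parent itself or a child domain of parent.
    Compares whole labels from the right, so 'test.com.maliciousdomain.com'
    is NOT under 'test.com', and neither is 'nottest.com' (a plain
    endswith() check would wrongly accept the latter)."""
    h = host.lower().rstrip(".").split(".")
    p = parent.lower().rstrip(".").split(".")
    return len(h) >= len(p) and h[-len(p):] == p


def link_warnings(display_text: str, href: str, trusted_domain: str) -> list[str]:
    """Flags for one email link: the text the reader sees, the real href
    behind it, and the domain the message claims to come from."""
    warnings = []
    actual = hostname_of(href)
    shown = display_text.strip()
    # Only compare when the visible text itself looks like an address.
    if "." in shown and " " not in shown:
        if hostname_of(shown) != actual:
            warnings.append("mismatched-url")
    # The last labels decide who owns the name, not the first ones.
    if not is_under(actual, trusted_domain):
        warnings.append("misleading-domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample links built from the domains discussed above.
    samples = [
        ("https://test.com/login", "https://test.com.maliciousdomain.com/login", "test.com"),
        ("Reset your password", "https://info.test.com/reset", "test.com"),
        ("Microsoft account", "http://Microsoft.maliciousdomainname.com/verify", "microsoft.com"),
    ]
    for text, href, trusted in samples:
        print(f"{text!r} -> {href}: {link_warnings(text, href, trusted) or 'ok'}")
```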
The message contains poor spelling and grammar
If the message contains unprofessional spelling and grammar, then it may not come from a professional establishment.
The message asks for personal information
No matter how official an email message might look, it's always a bad sign if the message asks for unusual personal information. Your bank doesn't need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.
The offer seems too good to be true
There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.
You didn't initiate the action
If you get a message informing you that you have won a contest you did not enter, you can bet that the message is a scam.
The email indicates urgent action is required
Scam emails are often marked "Action Required" or similar in order to make the message seem important.
Simulated Phishing emails
The University periodically sends simulated phishing emails to employees to see how they react on receipt of a scam email, i.e. whether malicious domains are flagged, whether users spot the social engineering, and whether they know not to enable macros or open unexpected files. These phishing vulnerability assessments help us to evaluate our security posture and identify key areas to help protect the University from future (genuine) attacks.
- Users that fail a phishing test are required to take follow-up awareness training and a test. This will need to be completed satisfactorily within 6 weeks of failing the test. Failure to comply will be reported to Human Resources and may be treated as a disciplinary matter.
- Repeated failures represent such a high risk to the University that they will be reported to Human Resources and treated as a disciplinary matter.