How to spot phishing emails
Please find information from the central IT services website regarding phishing here:
Below is an email sent out by Professor Paul Jeffreys, Director of IT Risk Management, which provides guidance on phishing emails.
From: Director of IT Risk Management
* Don’t be tricked into giving away your password
* If in doubt - change your password
* Responding can have severe consequences
* Be wary of links in email messages
* Never reveal or email your password to anyone, not even IT staff
* If you are unsure, do not be afraid to ask for help
Don’t be tricked into giving away your password
You may recently have received fraudulent emails asking you to visit a website to supply your username and password or requesting that you send them by email. Such "phishing" email often contains some form of threat, such as imminent expiry of your account or your being over quota.
There have been a very large number of such emails sent recently. Some have been sent from University email addresses but are still fraudulent. Don’t be tricked into handing over your password as a result of these emails. If you respond, your account may be abused and cause great inconvenience to you and others.
If in doubt - change your password
Responding can have severe consequences
If you do reveal your password, either in a reply or via a website to which the message takes you, your account is at great risk of being abused by criminals, possibly to send hundreds of thousands of junk emails in your name, to steal your identity, or to steal personal or confidential information.
As well as your personal inconvenience as a result of such incidents, the University incurs significant costs in investigating and clearing up - typically hundreds of pounds per incident. Revealing your password to them may allow criminals to severely compromise the University's ability to conduct legitimate business for many days.
As we don't look inside people's emails, if you send *any* reply to such emails, IT Services will assume that you have given away your password and may act to prevent abuse of your account and the University's resources.
Be wary of links in email messages
While many phishing webpages look nothing like the login page for any University service, some carry University branding and closely resemble official services. Rather than trusting links in emails we strongly advise that you log in to systems via familiar routes, for instance bookmarks in your browser, links from your college or department intranet, or the IT Services homepage.
Never reveal or email your password to anyone, not even IT staff
Please bear in mind that IT Services will *never* ask you to reveal your password to anybody, especially not by email. University IT regulations state that you must not disclose your password to any other person.
If you are unsure, do not be afraid to ask for help
If you have *any* doubts as to the legitimacy of any email or website, please *do not* reply or enter your password. Instead ask your local IT staff or consult the IT Services general helpdesk.
For more information regarding fake or "phishing" emails, please see http://www.oucs.ox.ac.uk/email/fake/
If you have any queries, please contact .
Professor Paul Jeffreys
Director of IT Risk Management
Please also see below a helpful summary of some key features to look out for in a phishing email, reproduced by kind permission of Erik Wieland (Customer Engagement Manager at University of California San Francisco, IT Field Services).