Sometimes the easiest way for a criminal to take control of your computer or steal your password (or money) is to simply ask you! Phishing normally occurs when criminals send convincing looking but fraudulent emails (although they have also been known to use phone contact). These emails are often sent to thousands of individuals in the hope that some will be tricked into supplying personal information. This may include but is not limited to: user names, email addresses, passwords, bank account and credit card details
Emails claiming to be from HMRC are being reported in a variety of forms and are playing on your concerns about the approach of the new tax year, so you may be more likely to be engaging in legitimate correspondence with HMRC. Don't fall victim to these scams, you potentially could infect your machines with malware and/or could reveal University financial information.
Please circulate a warning to your users, especially to those who you feel may be at particular risk from these scams.
A particularly convincing phishing email is doing the rounds. This targeted phishing attack has recently been sent out to a small number of Oxford users. The mails in question accurately replicate the University webauth pages (below), and purport to come from
firstname.lastname@example.org, with a subject of "
Reactivate library account ":
Always check the URL before you enter your password - in this case, you see what you expect to see
webauth.ox.ac.ukbut also a suffix which should not be there:
What makes you trust high street banks/shops?
The fact that they are usually:
- In a physical location and may have been there a long time.
- Well known organisations and easy to recognize.
- It's difficult for someone to set up a fake high street bank.
But, would you trust?
- Individuals on the street?
- The gas man?
- A phone call from your bank?
- A phone call from someone wanting to fix your computer?
Be extremely cautious in whom or what you place your trust!
Want to know how to spot phishing emails? Then carry on reading and better still come along to one of our courses.
What is the worst that can happen?
- Someone could use your account to send emails
- You could lose access to your account
- Your emails could be deleted
- Someone could steal money from you
- Someone could install malware on your machine
- Someone could hold you for ransom
Spotting phishing scams
- You receive a fake email pretending to come from your bank or your email provider, saying there is a problem and asking you to send details about your account in reply (e.g. username and password). Never reply to these emails.
- A website looks like your standard bank log-in screen, but it is actually an impostor and is intended solely to collect your information (e.g. username and password).
- 'If you don't respond within 48 hours, your account will be closed' - creating a false sense of urgency, it could even claim that your response is required because your account may have been compromised.
- An email claims you have won a raffle/Ebay item/lottery/fortune but they need your account details to send the winnings. Remember, you can't win a lottery you haven't entered.
- An email claims that an overseas fortune can be 'laundered' through your bank account and you can keep a share for your help.
If it is too good to be true then it almost certainly isn't.
How to avoid being caught by phishers:
- Never share your password with anyone. IT Services and your local IT support staff will never ask for your password, especially not by an email or a phonecall.
Use the filter in your email client to block spam emails.
This is the easiest way to deal with phishers; however, sometimes genuine messages are treated as spam by mistake. So, we recommend that you have suspected spam messages diverted to a
Junk messagesfolder and check its contents periodically.
- This is the easiest way to deal with phishers; however, sometimes genuine messages are treated as spam by mistake. So, we recommend that you have suspected spam messages diverted to a
- But remember you can be phished on any website, over the phone (have you ever received a phonecall claiming to be from Microsoft support?), or on social media (sites like Facebook or Twitter)
Is the Web address (the URL which appears at the top of your web browser) the one that you normally use for this service? If no, then avoid the site.
To check the correct Web address, use Google (or your preferred search engine) to search for the service you are using. For example, typing
Barclays Bankinto the search box shows that web addresses for Barclays in the UK start with
- To check the correct Web address, use Google (or your preferred search engine) to search for the service you are using. For example, typing
It is very easy to make a link online or in an email display one thing but take you to a totally different place.
- For example, here is a link that says Yahoo, but it will really take you to Google.
- You can test a link to see if it is deceptive in Web browsers and email clients, for example if you hover your mouse pointer over the Yahoo link (above) you will see the URL for Google.
- The same process works in email clients such as Outlook, where hovering over a link will display the URL you are being directed to.
Most sites that require confidential information now have built-in security mechanisms. Look for
https://in the URL and the padlock icon in your web browser. If these aren't present, criminals may be able to read the information you send over the internet. However, the mere presence of a padlock does not guarantee that your information will be secure.
- How did you get to the site in the first place? Did you click a link in an unsolicited email message claiming to come from your email provider, bank, credit card company? If yes, steer clear of this site! Instead, type the site name yourself in the address bar or your search engine.
- Click on the padlock and check the site's certificate. For more information on secure sites see the Government and IT industry's Get Safe Online web pages.
Beware of site addresses that start with all numbers such as
- Make sure that your web browser is up-to-date.
Shopping online and phishing
- Look for clear signs that you are buying from a reputable company. Does it have a physical address? Does a search for the company in Google reveal user comments and reviews?
- If you are using eBay or a similar site, make sure that you read the basic help guides. If possible, check that the seller has a good reputation.
- Use safe ways to pay, such as PayPal or credit cards that insure you against some theft.
Plagiarism and phishing
You are strongly advised against the use of websites outside of the University claiming to check your work for plagiarism.
- The University provides the Turnitin Service to be used by students and tutors in detecting matched text on the internet.
- If you are concerned that your work includes plagiarised content you should recheck it, revisit your sources and check that quotes are referenced correctly.
- If you have used a plagiarism-detection website outside the university and you are concerned about it, you should contact your tutor or course supervisor immediately.
Guidance on avoiding plagiarism is available from your tutor and your department.
How to report a phishing attack?
If you get emails from "Webmail account update Service Team" or any other similar-sounding body that asks you to supply your password then you must not reply to it. These emails are fake and are malicious attempts to gain access to your account. If you reply to such a message, IT Services will have no choice but to disable your account for your own protection. Please just delete such messages. We will never ask you for your password. EVER!
If you receive a phishing attack that asks for University credentials like your password, report it to email@example.com. For more information on this, and for guidance on how to secure your email in general, see Email at Oxford.
Other Sources of Information
- Courses such as: Security and privacy online: Spotting phishing scams http://courses.it.ox.ac.uk/detail/TSBE
- Get Safe Online: Spam and Scam email https://www.getsafeonline.org/protecting-yourself/spam-and-scam-email/
- Turnitin Service: http://www.oucs.ox.ac.uk/turnitin/index.xml
- email at Oxford: http://www.oucs.ox.ac.uk/email/
- Welcome to IT: http://www.oucs.ox.ac.uk/welcometoit/