Phishing, fraud and scams

Never reveal your login details or personal information to anyone via email, text or phone. It may be a fraudulent attempt to steal your data.

What are phishing scams?

Phishing scams are a sneaky way cybercriminals try to steal your personal information, usually as a way to take money from you. They use various social engineering tactics to trick, pressure or scare you.

They might: 

  • ask for personal details, such as bank details and passwords
  • create urgency, such as scaring you into clicking a link or downloading something quickly
  • claim to have sensitive content, such as images or videos of you in compromising situations, and demand a payment
  • pretend to be someone you trust, such as your bank, university, friend or colleague
  • promise something too good to be true, such as money, a job or a grant that you haven’t applied for.

Once sensitive information is captured, attackers can exploit it for various malicious purposes, including identity theft, financial fraud or ransomware.

Phishing types

There are several types of phishing scams. Here are some common ways cybercriminals target University staff and students.

  • Email phishing: you might receive emails that seem to be from trusted sources like your bank or the University, but they're traps. Opening links and attachments can harm your computer with malicious content.
  • SMS phishing: beware of suspicious text messages that might ask you to click links or provide personal information. 
  • Voice phishing: watch out for phone calls from scammers who pretend to be from legitimate organisations.
  • Social media phishing: cybercriminals often use social media platforms to target you with fake profiles or malicious links. They might try to befriend you or send you enticing messages to lure you into a trap. Learn more about social media risks and advice.
  • QR code phishing: attackers could use QR codes (for example, in emails, social media, printed flyers or public spaces) to redirect you to malicious websites or prompt you to download harmful content. 
  • Sextortion phishing: scammers might threaten to share intimate pictures, videos or information about you unless you pay them or do something.

Top tips to protect yourself 

  • Never share personal information via email, text or phone calls. 
  • Be wary of generic greetings like "Dear user".
  • Check links to see the real destination before opening them. On computers, you can do this by hovering over the link. On mobile devices, hold down the link until it's surrounded by a bubble.
  • Don't click links or open attachments from messages that are suspicious or unexpected. Links often lead to fake websites designed to steal your data - always check the validity of a site before entering your details. Opening links and attachments can also infect your device with malware.
  • Be cautious of unexpected messages and verify the sender. Search for the organisation or sender independently to find their official website, social media or contact details. Follow up with them separately to check if the message is legitimate. 
  • If in doubt, contact IT Services or delete the message.

Learn how to spot scams

How to spot suspicious emails

Simple ways you can verify whether an email is authentic. These practical steps will help you avoid becoming a victim of phishing attempts and keep information safe.

Real examples and clues

Universities are a target for scammers. Browse real examples that our staff and students have received (including scammers posing as Google, Netflix and other big companies) and the clues to look for.

Report a phishing email

If you receive a suspected phishing attempt to your University email account in Gmail:

  • Don’t do what the email says.
  • Report it. Select the email and, in the more menu (three dots), select report phishing.

When you do this, Google receives a copy of the email and any attachments, which it uses to analyse and protect others. 

If you open a link or reveal information 

If you or anyone in your department is tricked by a phishing scam, follow these steps immediately.

  1. If you’ve entered or given financial details, contact your bank and tell them that you’ve been scammed. Do not wait to contact us before doing this.
  2. Change your University account password (idm.york.ac.uk).
  3. Contact IT Services. We’ll give you specific advice and track down others who may have been affected.
  4. Follow these steps to secure a compromised or hacked account.