
Don't get hooked

Posted on 18 September 2023

At this time of year, we see a lot of email scams. Make sure that your information (and your money) is safe by learning to spot what’s suspicious.

To protect yourself and your personal information, you need to be able to spot phishing messages and other scams.

What are spam and phishing? 

Spam: unwanted, junk email, typically sent to large numbers of people, for the purposes of advertising, phishing, spreading malware, etc.

Phishing: fake email messages that claim to be from an organisation that you may trust (eg universities or banks). They often ask you to provide your personal details by replying or clicking a link. They may suggest you'll lose your account if you don't do so.

Your username and password are vital pieces of your University identity - you need to keep them safe. Never share your password. If anyone else does know it, you need to change your password.

How do you spot them?

We all think we won’t be caught out, but every year IT Services have to lock accounts when students or staff fall victim to scams. Try out this quiz to see how good you are at identifying the fake emails: 

Scam emails vary greatly. Look out for all of the following, but bear in mind that a phishing attempt may only feature one or two of these signs:

  • They’re unexpected and may ask you to validate or verify your account
  • They may have a sense of urgency and suggest you could lose access to your account
  • They may appear to be from someone you know, or from an official organisation like the University or a bank
  • They might be poorly written with spelling mistakes, odd formatting or poor quality images
  • The sender’s email address might not match their name
  • They might claim to warn you that you’ve become a victim of a phishing attack already and ask for your information to protect you
  • They might claim that you’ve been implicated in a crime and need to make a payment to avoid charges
  • A link in an email might not lead where you expect it to - it might say ‘www.york.ac.uk’ but it could be coded to point anywhere. Hover over it to see whether the actual URL it points to is the same as the URL in the text
  • They might claim to have access to your computer, and demand payment (sometimes in Bitcoin) to stop them sharing your information. They might try to prove this by giving you an example of a password stolen from you

What should you do?

Do not respond to a request to send your password via email. The message should simply be deleted.

Before you log in or enter your details, make sure you’re on the right website. Phishers can make convincing copies of other people’s websites, so you should always check the URL at the top of the page.

If you are unsure whether a page asking for your University username and password is genuine, please contact your DCO or IT Support.

If a phishing message that you've received looks particularly convincing, please forward it to itsupport@york.ac.uk who may be able to trace other University members who have been caught out by it.

There’s even more advice from IT Services, including tips for spotting genuine University websites, at:

What if you've already replied to a phishing email? 

If IT Services suspect your account has been compromised in any way, they will lock/disable your account until they have spoken with you and made sure that it is secure. If you are unable to log in, please contact IT Support.

If you, or your friends, fall for a phishing scam:

  1. If any bank details are involved, contact your bank immediately.
  2. Change your University account password.
  3. Contact IT Support who will:
    • Help you make sure your account is fully secured
    • Provide advice specific to the particular compromise
    • Track down other users who may have been affected