If you checked the URL and knew you’d end up here then give yourself a pat on the back. Otherwise you could have fallen victim to the latest phishing scam.  But don’t worry, this was an authorised awareness exercise arranged by your department to help keep you and your data safe from cyber criminals. You may receive a few more of these and some of them are really mean – so keep your eyes peeled and spread the word!

Feeling duped?


Don’t worry, it’s all too easy to fall for phishing. It can be really difficult to tell the difference between what’s real and what isn’t. After all phishing emails are usually based on the real thing!  And when you’re pushed for time and ploughing through a mountain of emails on autopilot you could easily be caught out. However, 80% of all malware attacks occur due to phishing and your account could be used to get access to confidential information or launch more phishing attacks on your friends and colleagues. The consequences of this could even lead to the entire University email system being blacklisted.

That’s why it’s important to take a moment to think before you click and know how to sort the real stuff from the scams. So where do you start? Well, to begin with there are some common signs to look out for. These don’t always mean the email is phony, but you should look out for a combination of:

  • Generic greetings e.g. Dear Email User, Dear Bank Customer.
  • Poor spelling and grammar.
  • Requests to do something e.g. click on a link, enter a password or make a payment.
  • A pressure to act immediately.
  • Emails relating to world events such as the major sporting or political events and even major disasters.

How to spot fake emails


The real key to spotting phishing emails is in the detail.  Where did the email really come from?  Where is the link taking you? What are they asking you to do or give out?  So:

  • DO make sure you know how to spot fake links and websites.  Hover over all links so see where they’re taking you.
  • DO ask yourself if the content is familiar or expected and ask someone if you’re unsure
  • DO think about what you’re being asked.  An anonymous survey asking you to score a service are probably fine but think twice if you need to give out personal information.
  • DO go via your usual channels when changing passwords or logging in rather than clicking on links in emails.
  • DO check your email quota by logging in to your account before taking an email at face value.
  • DON’T take the sender of the email at face value – it’s very easy to send an email appearing to come from someone else.
  • DON’T be pressured into responding there and then

Who to tell


  • If you receive a phishing email that asks for University password, forward it as an attachment to phishing@infosec.ox.ac.uk then delete it. Remember, the University will never ask for your password or other details, either by email or by phone.
  • Delete all other phishing emails or scams (e.g. targeting bank details)
  • If in doubt ask a colleague, manager or local IT support staff

For further information, please check out the information security team’s guide to staying safe on email.