Avoid email scams
Avoid email scams
Every year, criminals operating online use hoax 'phishing' emails to trick millions of people into parting with their passwords, credit card details and other critical personal information. The consequences can be devastating. Depending on the information you give them, they could take money out of your bank account, sell your information on to other scammers, or hijack your social media and email accounts to launch more phishing attacks on your friends. These fake emails and websites can be very difficult to tell apart from the real thing. Here are some useful tips to help you spot and deal with a scam.
At a glance
Never reply to any email asking for your passwords, PINs or other account details. Ever.
Make sure you know how to spot phony links and websites.
Don't open attachments unless you completely trust where they have come from.
If in doubt, always check with your local IT team, the helpdesk or your service provider (e.g. your bank) before responding to anything that looks a bit 'phishy'.
'Phishing' works because, well, the clue's in the title – it really is like dangling a hook in a big pond and waiting for someone to bite. Phishing emails can be extremely convincing and can easily catch you out, particularly if you're pushed for time and ploughing through a mountain of emails on autopilot.
- The bad guys can send thousands upon thousands of emails for next to nothing and they only need one or two replies to get a return on their investment.
- It's dead easy to masquerade as the genuine article when sending an email. Fraudsters can make an identical copy of a bona fide email from, say, your bank or email provider. And they can make links in emails look real.
- Websites can also be made to look just like the real thing. The only sign it's a scam may be the address in the menu bar.
There are several tell-tale signs that most (though not all) phishing emails exhibit. While these signs do not necessarily mean the message is phony, you should be suspicious of:
- Emails that ask for a password, PIN or other personal information.
- Emails that warn you about some problem or imminent threat (such as: "If you don't respond within 48 hours, your account will be closed").
- Emails containing technical jargon and an incentive to part with your data (an example might go something like: "We are asking you for your password because we are currently refreshing our database to create more space for you").
- Emails that ask you to open an attachment or make a donation.
- Emails relating to topical news items and upcoming events in the public domain (for example, tax return deadlines).
- Poor spelling and grammar.
- Emails claiming to offer something that is too good to be true.
- Generic greetings such as "Dear Bank Customer" or "Dear Email User".
The key to spotting phishing emails and websites is in the links and website addresses (otherwise known as URLs). Scammers can replicate legitimate sites down to the last pixel. However, while the links and website addresses they use can be deceptively similar, they can’t be identical. Here's how to pick a URL apart:
- Let's take Barclays Bank for example. Its URL is
http://www.barclays.co.uk. The important bit (the domain name followed by the top-level domain, if you want to get technical) is marked in bold. To make matters easier, modern web browsers highlight this bit for you.
- As long as
barclays.co.ukremains intact and is the last thing before the first single forward slash (or at the very end if there is no forward slash), you should be able to trust the URL. Even
http://evil-scam-at.barclays.co.ukwould still be a genuine Barclays address! As would
barclays.co.ukfollowed by a forward slash, as in
- However, be wary of dots and/or dashes after
barclays.co.uk, as in
http://barclays.co.uk.log-in.com/(the domain is now
log-in.com) and of a forward slash at any point before
- Don't trust URLs using numbers instead of words (usually, these are domain names in their original IP address form, which effectively anonymises who owns the site). For example,
https://188.8.131.52/barclays/login.html. (As you can see here,
barclays.co.ukis no longer intact in any case and comes after the first single forward slash, so this would suggest a scam.)
- Finally, don't let similar domain names trick you – for example,
barclays-realis no more 'barclays' than 'umbrellas' or 'unicorns'! Look the real website up on a search engine to make sure you know, down to every last character, what the genuine address should be.
If an email directs you to a completely random site, such as a Google spreadsheet for example, never put in your password or other data.
As well as knowing a phony web or link address when you see one, there are several other useful tools and tactics you can employ to protect yourself from phishing attacks:
- Use the 'junk mail' filter in your email client to block spam. (See how to do this for University email accounts).
- Make sure the link text inviting you to click through to a website is not disguising a rogue URL (hover over it to display the URL in the bottom left corner of your screen, or follow the guidance here if it's a short URL such as Bit.ly, TinyURL, etc.).
- Don't follow links in emails that ask you to enter or change personal account information. If you want to verify or perform any requests, go directly to the website in question and log in to your account in the normal way.
- Don't open attachments that you are not expecting, especially from senders that you do not recognise. These are often used by scammers to hide harmful viruses and spyware.
- Never trust the sender name or the address in the 'from' field. Unlike true URLs, these are easily forged to mimic a genuine sender exactly.
- Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites.
- Before submitting personal details on any website, always check for the green padlock icon in the address bar at the beginning of the website address – this tells you that the connection is secure (i.e. encrypted).
- However, criminals can still create encrypted scam websites, so a green padlock is not a guarantee of safety. You still need to be eagle-eyed about checking the address is exactly what you are expecting it to be (and not, say,
If you receive a phishing email that asks for University credentials such as your password, forward it immediately to firstname.lastname@example.org. Remember, the University will never ask for your password or other details, either by email or by phone.
Delete all other phishing emails and/or report them to the organisation they were masquerading as - links are available below for some of the most commonly targeted sites. You can often report fraudulent sites using your web browser (e.g. Mozilla Firefox has the ability to do this) or service provider.
If you've given away a password, PIN, your banking details or other sensitive data, change the password and inform the relevant service provider immediately.
Further information on:
- Get safe online on spam and scam emails
- Get safe online advice on 'Ransomware' (malicious software used for blackmail)
- Action Fraud
- Safe online and mobile banking
- Staying safe when you bank and shop online
Reporting phishing e-mails to common internet providers:
- Amazon website | email@example.com
- Apple website | firstname.lastname@example.org
- Barclays website | email@example.com
- eBay website | firstname.lastname@example.org
- HMRC website | email@example.com
- HSBC bank website | firstname.lastname@example.org
- Lloyds Bank website | email@example.com
- NatWest website | firstname.lastname@example.org
- Paypal website | email@example.com
- RBS website | firstname.lastname@example.org
- Santander website | email@example.com