IT and Library Services

Phishing, spam & social engineering

Cyber criminals often target people through email at times when their guard is down. They are after your data, and other people's data you may have access to.

We work hard to protect our systems and data from all types of malicious attacks, but no system is perfect. We rely on our colleagues to identify and report these messages so we can work together to keep you, your data and our systems safe.

There are many different types of email attacks. We've listed some here, but they can all be identified and reported by following the same advice.

Email phishing - Most phishing attacks are sent by email. Thousands of identical messages will be sent to large groups, so they are not personalised to the recipient.

Spear phishing involves targeting specific organisations by sending emails supposedly from a known or trusted source to specific individuals or all members of the targeted organisation. Spear phishing emails are more convincing than standard scams.

Whaling attacks are even more targeted, taking aim at senior leaders or individuals with enhanced system access, such as colleagues working in Finance or IT.

With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.

The above attacks are all designed to trick you into sharing login information or other data. Another type of attack tries to trick you into giving the attackers access to your account or device. This is called a multi-factor authentication (MFA) fatigue attack.

During an MFA fatigue attack, MFA requests are repeatedly sent to the target’s email, phone, or registered devices. The goal is to pressure you into approving access, giving the attackers access to your account or device.

Follow these 6 tips to identify a malicious message

1. Stop and think

Scams and phishing messages rely on you clicking, replying or entering information without checking first. If you are unsure, don't do it until you have confirmed the message is genuine. This training course covers how to recognise the signs of a potential phishing scam, so you can critically assess emails to make sure they’re legitimate.

2. Check twice, click once

If you have any doubts about a communication, check with the sender or IT Service Desk to confirm it is genuine before clicking on links or acting on requests.

3. Be suspicious

Be suspicious of messages informing you of an issue with your device that needs fixing. Neither the university IT Service Desk, nor your Internet Service Provider will contact you to fix an issue unless you've logged a call. The university will not introduce a new IT solution or process unless it has first been communicated through official channels, such as an email from the IT Service Desk or an article on Staff News.

4. Be security conscious

Stay security conscious even when you're not studying or working. Hoaxers don't care how they get through to you. For example, WhatsApp have released guidance on hoax messages.

5. Think about what you send too

Remember to always check your messages before you press send – are you sending it to the correct recipients?

6. Log out of shared devices

If you're studying from home and sharing devices with family, remember to log out of university systems; don't leave them logged in.

Find out how to identify a phishing scam

This 8-minute LinkedIn Learning course teaches you how to recognize the signs of a potential phishing scam. It takes you through several phishing examples and explains how to look critically at the email you receive. It covers some of the most common scenarios used by hackers and other tell-tale signs of a phishing email and shows you how to protect your computer from email phishing scams.

You've identified a malicious message, what next?

Most importantly, don’t click on any links in the message, and report it as soon as you can.

If you have clicked on a malicious link, don't panic. Immediately change any passwords you entered on the site. Use antivirus/malware software to check for and remove any viruses or malware on your computer.

For your work accounts:

Delete the email or forward it to the IT Service Desk for advice.

To report suspicious messages or for support if you suspect you have clicked on a malicious link, please contact the IT Service Desk.

If you have any questions or comments on Information Security or Data Protection then please contact or

For your personal accounts:

If you receive a scam phone call, email or text to a personal account you can report it to Action Fraud online or by phoning 0300 123 2040. Contact your bank or relevant finance companies if you think your bank or payment card details may have been compromised.