Phishing IT and Library Services

Phishing is a term used to describe a fraudulent attempt to acquire information such as usernames, passwords and credit card details by pretending to be a trustworthy source in an electronic communication.

E-mail or instant messaging, purporting to be from banks and building societies, popular social networking websites, auction sites, online payment sites or IT administrators are commonly used.

Phishing e-mails often contain links to websites that are infected with "malware" malicious software used to gather sensitive information such as passwords

Phishing usually takes place through spam e-mails sent to millions of addresses.  The e-mails fall into two broad categories: those which offer something that sounds too good to be true or those which urge you to update security information threatening account closure or suspension if you don't comply with them.

Both types direct you to fraudulent sites with the specific intention of getting you to supply personal information which then can be used for illegal purposes. This can be done by either accessing your accounts directly or pretending to be you in order to steal goods and services (which you are then liable for!).

Phishing attacks are not restricted to e-mail, they can also be sent by instant message and text but they will still direct you to enter your information (password, bank details, date of birth, security information, etc.) at a fake website which may look and feel entirely genuine.

Every year, we receive a number of calls from people who have passed over their personal details in response to these types of requests - to make sure you avoid the inconvenience and distress this can cause, please read on!

You can often tell a spam e-mail because:

  • the sender's e-mail or web address is different to the genuine organisation's addresses
  • the e-mail is sent from a completely different address or a free web mail address
  • the e-mail does not use your proper name, but uses a non-specific greeting such as 'dear customer'
  • the e-mail threatens that unless you act immediately your account may be closed
  • you're asked for personal information, such as your username, password or bank details
  • the e-mail contains spelling and grammatical errors
  • you weren't expecting to receive an e-mail from the company that appears to have sent it
  • the entire text of the e-mail is contained within an image rather than text format
  • the image contains a link to a bogus website

How can I spot a phishing website?

  • You may be able to tell a website isn't genuine because:
  • The website's address is slightly different to the genuine company's
  • There are spelling and grammatical errors on the page the site isn't secure.
  • A genuinely secure web address where you're being asked to send sensitive personal information should always start: https://. Websites that start http:// aren't secure.
  • The padlock for secure sites isn't in the website browser, at the top or bottom of the page.

Padlock security

Is it really a 'secure site'? If you visit a secure page you will see the URL change from http:// to https:// and the Secure Sockets icon (the small padlock) appear in the address bar. Some phishing sites will include this on the page but often get the position wrong: it should be at the top (or bottom) of the browser, in the browser, not on the page itself.

Only valid certificates issued by approved authorities are trustworthy.  If you're still unsure, check if the name on the certificate matches the name of the company behind the website.

What happens if I reply to a phishing e-mail?

If you give away your password, the criminals will have access to e-mail and other University services.

Your e-mail could be read, deleted and replies to junk mail could fill up your inbox.

If you give away other information such as personal data this could be used to commit theft and fraud using your identity.

Your identity could be used to falsely take out loans, or credit cards in your name.

False identity documents in your name may be created and used by criminals and you could be held responsible for their actions.

What happens if I click on a link in a phishing e-mail

If you click on a link in a phishing e-mail you may be taken to a fake website which will try to get you to input personal information such as your username and password, or other personal data such as your date of birth.

If you give away your password, the criminals will have access to e-mail and other University services.

If you give away other information such as personal data this could be used to commit theft and fraud using your identity.

I have received an e-mail telling me my account was over quota and I needed to provide my password, is this genuine?


IT and Library Services (ILS) NEVER lock you out of your account or require you to provide your password if you are over quota!

You do receive an e-mail warning that you are approaching or reaching your mail quota.

When you reach your quota you won't be able to send or receive e-mail, or save any new or changed files, but you will still be able to login and see your e-mails and documents.

You need to either delete or archive some e-mails before your service will return to normal.