Phishing Emails

The Golden Rules to Follow

  • Mindset: All emails and phone calls are fake until you are satisfied they are genuine.
  • Do not be pushed or scared in to doing anything. That is not how legitimate organisations work. You are in control
  • When using the ‘Reply’ feature of email, always double check the ‘To’ field that auto populates is legitimate/as expected.
  • Assess what an email is asking you to do? Does it sound normal behaviour? It is far better to cause a delay for a security check, than fall for a scam.
  • If worried, contact the person/organisation involved directly by your usual method to confirm the request. Alternatively, forward any email to for an opinion.
  • If sending personal or special category data to anyone, put it in an encrypted file (password protected) and ask the receiver to phone you for the password. Details on encrypting common files can be found in these guides
  • If ever directed to a website from an email, always check the actual web address of the site you’ve landed on from the link. Is it genuine? Is it secure
  • Never feel stupid if you think you may have made a mistake; we all make them. Scammers rely on people not feeling strong enough to admit to possible mistakes  – do not let them win

It is important to remember that if at any time you feel you may have been compromised, the IT office are here to help. Contact them as soon as possible for help before the threat affects you/others more seriously.

What is phishing?

Phishing refers to unsolicited contact (e.g. via email or phone call) that tries to trick users into an action; often trying to impersonate an official individual or organisation. The requested actions can be giving out sensitive organisational information, account credentials to online accounts, install fake software/Anti Virus, click malicious links or even trying to get you to pay a fake invoice.


Cyber criminals operating ‘phishing’ scams trick millions of people into parting with their passwords, credit card details, critical personal information or even installing malware directly on to their devices every week. Depending on the information you give them, they could take money out of your bank account, sell your information on to other scammers, hijack your social media, use your devices for further cybercrimes (e.g. hosting child pornography), use your email accounts to launch more phishing attacks on your friends. The consequences can result in serious problems for yourself or the College.

Why does it work?

The truth is, in 99% of cases it doesn’t. It’s like dangling thousands of hooks in a big pond and waiting for just one busy person to accidentally bite on one. Phishing emails can be extremely convincing and can easily catch you out, particularly if you’re pushed for time and generally like to be helpful.

  • Cyber criminals can send thousands upon thousands of emails at low cost and they only need one or two replies to get a return on their investment.
  • It’s extremely easy to masquerade as the genuine article when sending an email. It is extremely easy to make a fraudulent copy of a genuine email asking you to reset your password for example and make it appear as if it originates from a known source.
  • Official website login pages can be easily replicated in look and feel but on a bogus hosting used by scammers – unless paying careful attentio0n to the URL/Address bar of the site you are visiting, you may be fooled in to thinking you are on the genuine site. Always check the actual web address of the site you’ve landed on from any link.

How can scammers be so successful?

The first email was sent in 1972 – security was not exactly in the ‘feature’ list. Here are two commonly exposed features:

  1. The ‘From’ field of an email we rely on to tell us who sent the email is actually editable & has nothing to do with the email address/account that sent the email.
    Below are two emails – they originate from the exact same external email account that anyone can sign up for. The first is a standard email;  the ‘From’ field defaults to the address associated with the email account that sent it. The second is from the same account but with an ‘identity’ to change the ‘From’ field. A signature has been added too. The first email would probably not catch you out, but the second might.Who an email is ‘From’, means nothing
  2. There is no relationship between ‘From’ and ‘Reply to’ fields of an email. It can be easy to think that if an email arrives ‘From’ email address X, that pressing ‘Reply’ or ‘Reply to All’ means the address that populates the ‘To’ field of your reply is the ‘From’ address of the original email – this assumption is wrong. If a scammer is faking an identity, then they do not have control of the legitimate account; thus they do not want your reply to be sent to the legitimate account they do not have access to. Below, the first image is an example of an email with a fake ‘From’ address;  the second image is what happens when you press ‘Reply’ – note the ‘From’ in the first email is different to the ‘To’ in the second.Always check where an email is actually going if you use ‘Reply’ or ‘Reply to all’ feature of email

Spotting fake/phishing emails?

There are several signs that most phishing emails exhibit.

  • Generic greetings such as “Dear Bank Customer” or “Dear Email User”.
  • Emails that warn you about some problem or imminent threat (such as: “If you don’t respond within 48 hours, your account will be closed”).
  • Poor spelling and grammar.
  • Emails that ask for a password, PIN or other personal information.
  • Emails that ask you to open an attachment, especially when the email is unsolicited.
  • Emails containing technical jargon and an incentive to part with your data (an example might go something like: “We are asking you for your password because we are currently refreshing our database to create more space for you”).
  • Emails claiming to offer something that is too good to be true.
  • Contain links to domains not relevant to the email (such as: – A video on how to spot fake links can be found here (Oxford users only)
  • Short URL’s in emails which mask the actual website link (such as: or