Phishing and scam emails

Phishing is a type of social engineering attack designed to trick you into sharing sensitive information or into downloading malware ('malicious software' designed to infiltrate your device without your knowledge).

How phishing works

Online fraudsters, posing as the University, someone you know or a trusted company, will use email, phone, text, social media and fake websites to get you to hand over your personal details, bank details, login details (usernames and passwords) or other valuable information. They can use this information to access your accounts and steal your identity, data and money, or to carry out further attacks against your friends, family and colleagues.

Watch this short video that explains how and why criminals carry out phishing attacks.
How to spot and avoid phishing emails

We’ve worked hard to make sure the University is well prepared to face cyber criminals, putting IT systems and processes in place to ensure that you, your account and the wider University are safe from cyber attacks. Most phishing attempts will be obvious, so you can easily avoid replying or clicking on links, but these scams are increasingly sophisticated and harder to spot.

Common things to look out for:

  • If it looks too good to be true, it probably is
  • If it's poorly written, with bad spelling, grammar and formatting
  • Impersonal and generic greetings such as "Dear valued customer" or "Hi <email address>"
  • If you're asked for your username, password, PIN or other personal information
  • A sense of urgency, for example a threat that your account will be closed if you don't act immediately or respond within a short time frame
  • Unexpected pop-ups on your computer or mobile device asking if you want to allow software to run
  • If it includes suspicious attachments or links
  • Inconsistencies in email addresses, company domains and URLs. Red flags include misspelled words, nonsensical strings of letters and numbers, or a display name that doesn't match the actual sender address. To get your personal information, scammers will often include a link to a fake website they've created that's designed to look like the login page of a legitimate website.

Things you can do to avoid phishing:

  • Don't allow yourself to be rushed. Stop and think before you click.
  • Check with trusted sources of information:
    • Check the email address carefully
    • Go to the company website by typing the web address directly into your browser or by searching for it in a search engine.
    • If it appears to be from a person or company you know, contact the original sender by phone or from a new email (don't reply to them through the original email) to ask if the email is genuine.
  • Be wary of clicking on links in emails, even if the email appears to be from someone you know.
    • Hover over the link to reveal its true destination, usually displayed in the bottom left corner of your browser or email window.
    • If you're taken to a login page or website, check the website URL and look for a secure padlock icon in the address bar before logging in or submitting any personal details online. The padlock shows that the connection is encrypted, not that the site is genuine, so the URL check matters just as much.
Watch this short video on how to avoid online scams.
What to do if you think you've received a phishing email

If you receive an email to your University account that you believe may be a phishing attempt, report it to phishing@sheffield.ac.uk.
Reporting it allows us to investigate it further and prevent anyone else being caught out.
What to do if you think you have fallen for a phishing scam

First of all, don't be too embarrassed to report it. Even the most tech-savvy people are caught out by common threats online.

If you have received a phishing email to your University account and entered any personal information, or opened or downloaded any attachments, then you must change your password and contact the IT Service Desk immediately on +44 (0)144 222 111.