Avoid email scams

Every year, cyber criminals use hoax "phishing" emails to trick millions of people into parting with critical personal information. These fake messages and websites can be very difficult to tell apart from the real thing, and the consequences of clicking on them can be devastating. They could take your money, sell your details, or hijack your accounts to launch more phishing attacks on your friends. 

At a glance

  • Never give your passwords to anyone
  • Create strong passwords - at least 16 characters
  • Create a different password for every account
  • If you've had your password stolen, change it and report it immediately




Only as strong as the weakest link

The University is a prime target for email phishing attacks. University accounts can give attackers access to a whole host of personal and confidential data, and nearly 80% of malware attacks globally come from email scams. Most people don’t fall for these attacks, but it only takes a handful to have a significant impact. Just one compromised account being used to send out spam could result in the University’s entire email service being blacklisted.

Here’s what to do to avoid and react to phishing attacks at Oxford:


  • Use the University mail filtering for spam
  • Always check the URL as well as the padlock before entering any credentials. The URL for Nexus is 
  • Use official channels to reset your password or check your quota (select ‘show email usage and quota’)
  • Report phishing attempts targeting University credentials to phishing@infosec.ox.ac.uk and include the original phishing email as an attachment, with confirmation of whether you have divulged your credentials or downloaded any attachments
  • Report other phishing emails to the target institution
  • Delete phishing emails after reporting


Don't:

  • Give your password to anyone. IT Services will never ask you for your password
  • Click on email links for University services. Go to the site manually instead.
  • Reply
  • Think that https:// or the green padlock means it's safe by default - cheap trust certificates are easy to buy to bypass browser security measures
  • Report all spam and phishing attacks against other organisations (e.g. banks) to us – unfortunately, we can’t help in those situations
  • Fret that your account will be disabled. If in doubt – contact the IT Services Help Desk
  • Keep it to yourself. Warn colleagues when you notice new phishing attacks





Why phishing works

Phishing really is like dangling a hook in a big pond and waiting for someone to bite. The emails can be extremely convincing, especially if you're ploughing through a mountain of emails on autopilot. The threat actors can send thousands of emails for next to nothing and only need one or two replies to get a return on their investment. It's also really easy to make emails and links look as though they come from, say, your bank or email provider. Websites can also be made to look just like the real thing, and the only sign it's a scam may be the address in the address bar.

What phishing emails look like

There are several tell-tale signs that most (though not all) phishing emails exhibit. For example:

  • Asking you for a password, PIN or other personal information
  • Warning you about some problem or imminent threat (e.g. 'If you don't respond within 48 hours, your account will be closed')
  • Using technical jargon and an incentive to part with your data (e.g. 'We are asking for your password as we are refreshing our database to create more space for you')
  • Asking you to open an attachment or make a donation
  • Relating to news items and upcoming public events (e.g. tax return deadlines)
  • Poor spelling and grammar
  • Using generic greetings such as “Dear Bank Customer” or “Dear Email User”
  • Using a fake ("spoofed") email address - perhaps even your own

Within the overall category of phishing, there are several common sub-types, such as:

  • Spear phishing: These typically appear to come from someone you trust, like a senior colleague. Replies might be answered in a convincing fashion, but often give themselves away by asking for something like a direct money transfer or purchase of gift cards
  • Sextortion: The sender will claim to have used a webcam to film you in a compromising position and demand a payment, probably in a hard-to-trace format like Bitcoin

Those sending the messages might be malicious individuals, but could also be working for organised crime groups or even rogue nation states.

How to spot fake links and websites

The key to spotting phishing emails and websites is in the links and website addresses (known as URLs). Scammers can replicate legitimate sites down to the last pixel. However, while the links and website addresses they use can be deceptively similar, they can’t be identical.

How to pick a URL apart

The important bit (the domain name followed by the top-level domain, if you want to get technical) is marked in bold. Modern web browsers highlight this bit for you. If barclays.co.uk remains “intact”, and is the last thing before the first single forward slash (or at the very end if there is no forward slash), you should be able to trust the URL.





Be wary of dots and/or dashes

Be wary of dots and/or dashes after barclays.co.uk, and of a forward slash at any point before barclays.co.uk.




URLs using numbers

Don't trust URLs using numbers instead of words.


Similar domain names

Don't let similar domain names trick you - look up the real website on a search engine to get the genuine address.
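The URL checks described in the sections above (the real domain intact and last before the first single forward slash, dots or dashes after it, numbers instead of words, similar names), written out as an added Python example that is not part of the original page. The function name `classify_url`, its result labels, the 0.85 similarity threshold and the sample URLs are assumptions constructed for illustration.

```python
import difflib
import ipaddress
from urllib.parse import urlsplit

def classify_url(url, trusted_domain):
    """Classify a link against the one domain the reader expects to see."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    trusted = trusted_domain.lower()
    if not host:
        return "no-host"
    try:
        ipaddress.ip_address(host)
        return "numeric-host"               # numbers instead of words
    except ValueError:
        pass
    # Intact and last: the hostname is the trusted domain or a subdomain of it.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # The real name is in the hostname, but something follows or is glued to it.
    if trusted in host:
        return "trusted-name-misplaced"
    # The real name only shows up outside the hostname, e.g. after a slash.
    if trusted in url.lower():
        return "trusted-name-outside-host"
    # Similar names: compare the same number of trailing labels.
    tail = ".".join(host.split(".")[-len(trusted.split(".")):])
    if difflib.SequenceMatcher(None, tail, trusted).ratio() >= 0.85:
        return "lookalike"
    return "different-domain"

# Constructed sample links; none are taken from the page or from real traffic.
SAMPLES = [
    "https://www.barclays.co.uk/login",
    "https://barclays.co.uk.account-check.example/login",
    "https://barclays.co.uk-secure.example/",
    "https://login.example/barclays.co.uk/",
    "http://192.0.2.10/barclays.co.uk",
    "https://www.barc1ays.co.uk/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_url(sample, 'barclays.co.uk'):28} {sample}")
```

Only the "trusted" result means the address passed the checks; every other label is a reason to look up the genuine address yourself.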



Money mule scam

Fraudsters may ask you to receive money into your bank account and transfer it into another account, keeping some of the cash for yourself. If you let this happen, this is classed as money laundering which is a crime. The Financial Fraud Action UK website offers further guidance on how to avoid unwittingly becoming involved in 'money mule' scams.

Students in receipt of UK government support who are concerned about being targeted by phishing scams can also access specific advice from the Student Loans Company on their webpages.

More ways to protect yourself from phishing 

Use the "junk mail" filter in your email client to block spam.

Make sure a text link is not “disguising” a rogue URL (hover over it to display the URL in the bottom left corner of your screen, or follow this guidance if it's a short URL, such as Bit.ly).

Don't follow links in emails that ask you to enter or change personal account information. Go directly to the website and log in to your account in the normal way.

Don't open attachments that you are not expecting, especially from senders that you do not recognise.

Never trust the sender name or the address in the "from" field. Unlike URLs, these are easily forged to mimic a genuine sender.

Make sure you have the latest version of your web browser, as the most recent ones can help warn you of known phishing websites.

Check for a green padlock icon in the address bar before submitting personal details on a website so you know the connection is secure. (But still check the URL is what you are expecting as this is not enough to guarantee your safety on its own).