A phishing attack is a fraudulent message purporting to be from a reputable source and encouraging you to reveal personal information – such as passwords and financial details.

Common examples include scammers posing as police, HMRC or even essay mills. Some might even appear to come from the university, so please be careful about the messages you open.

Malicious emails including spam, viruses, malware and phishing attacks can potentially cause significant damage to university data and could also have significant personal impact, including financial consequences.

It is very important that you do not click any links, open suspicious attachments or respond to these types of emails, and never supply personal or bank details to people you do not know.

Always check any websites (URL/web address) you log into. Cyber criminals can fake the log in page of banks, Microsoft and other online services. If you are unsure, do not log in. Always go to the official website.

Recent example - uniyearbook’ phishing scam

A website named ‘uniyearbook.com’ has recently targeted students at universities across the UK via direct email, including University of Nottingham students.

The email subject line was: ‘Confirmation for University of Nottingham 2022/23 YEARBOOK REGISTRATION’.

Please note – this is a phishing scam and the university has no affiliation with the company Uniyearbook.

If you have registered with ‘uniyearbook.com’ and paid any money, we advise you contact your bank as soon as possible to report this and seek further advice.

You can also report fraud and cyber-crime via the Action Fraud website.

How to spot a phishing email

• Are you expecting to receive an email from this person/company? If not, treat it with caution.
• Is the email addressed to you or is the greeting something more generic such as ‘Dear customer’? Treat the latter with caution.
• Check the email sender’s domain name (the last bit of the email address) – something like enquiries@homeoffice.gov.uk is likely to be trustworthy while UKhomeoffice@gmail.com is certainly not.
• Be wary of suspicious looking URLs in emails – again, an unbroken domain such as gov.co.uk or gov.co.uk/login would be trustworthy whereas login-at-gov.co.uk would not.
• Look out for poor spelling and grammar – most companies employ professional copywriters to write their emails. Scammers usually do not.
• Any email asking for personal information such as a PIN, password or financial details should be treated with extreme caution, as should an email that asks you to download something.
• Common phishing emails include delivery companies (DHL etc), invoice, and emails that look like Microsoft. If you are unsure, do not click any links.

Further help

If you receive any suspicious messages asking you for your university credentials, please report it to the IT Service Desk.

More advice around spotting phishing messages can be found on the IT Services webpages.