What is phishing?
Phishing is the term applied to email scams that attempt to obtain sensitive information such as usernames, passwords, bank account details and credit card numbers. These emails are disguised as coming from a trustworthy organisation and encourage you to enter sensitive information, which is then used to gain access to bank accounts, to sell your information on to other scammers, or to hijack your social media and email accounts to launch more phishing attacks on your listed contacts.
Types of phishing emails
Be suspicious of any email that requests confidential personal or financial information. These types of emails may:
- Imitate official University communications, such as campus security, IT Helpdesk or HR/Payroll, with a link requesting you to log in with your username and password
- Come from organisations requesting confirmation of bank details
- Claim that bank details have been compromised, or that you have been awarded a grant or are entitled to a refund, rebate, reward or discount
- Ask you to open an attachment or make a donation
How to spot phishing emails
Emails may look official at first glance because of the logo, company branding and subject line used. Please take care if you receive such an email, and do not click on any links unless you are absolutely sure of the email's source.
Several signs suggest that an email is fake. It:
- Requests personal information such as a PIN or password
- Contains poor spelling and grammar
- Claims to offer something that is too good to be true
- Contains a generic greeting such as 'Dear Bank Customer' or 'Dear Email User'
- Contains a suspicious embedded link
Don't believe any emails informing you that you need to validate or reactivate your account and/or click on a link to avoid losing access to your account/mailbox or any email making similar claims. IT Services will only ever send you warning emails about account expiry, or high usage of mailbox/documents area, but these emails will never ask you to click a link to rectify the problem.
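An example of how a phishing email may attempt to use the University URL may be: http://www.lboro.ac.uk.example.com/ Here the address really belongs to example.com, because lboro.ac.uk is followed by a '.' rather than a '/'.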
Genuine emails - what to look for
Genuine Loughborough University web pages start with the text, i.e.:
"something".lboro.ac.uk/
The trailing forward slash character after .uk is very important! If it is missing, and especially if there is a '.' in its place, do not log in! The address after .uk/ can and should vary.
In addition, if the web page is a login screen for a University online service, the web address will begin with the five letters https - the s is very important: if it is absent do not log in!
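The address checks described above, written as a small link checker (an added example, not part of the University's guidance or tooling): it extracts every link from an HTML email body and tests that the host is lboro.ac.uk or ends in .lboro.ac.uk and, for login pages, that the scheme is https. The function names and the sample email body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

UNIVERSITY_DOMAIN = "lboro.ac.uk"  # domain named on this page


def check_url(url, login_page=True):
    """Return a list of reasons not to trust `url`; an empty list means it passes."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    problems = []
    # The host must BE the domain or END with ".lboro.ac.uk". A host that only
    # starts with that text belongs to whoever owns the labels that follow it.
    if host != UNIVERSITY_DOMAIN and not host.endswith("." + UNIVERSITY_DOMAIN):
        problems.append(f"host '{host}' is not under {UNIVERSITY_DOMAIN}")
    if login_page and parts.scheme.lower() != "https":
        problems.append(f"scheme is '{parts.scheme}', not https")
    return problems


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def audit_email(html_body):
    """Map each link found in the email to the problems found with it."""
    collector = LinkCollector()
    collector.feed(html_body)
    return {link: check_url(link) for link in collector.links}


# Constructed sample email body (not a real message).
SAMPLE = """
<p>Dear Email User, your mailbox is almost full.</p>
<a href="http://www.lboro.ac.uk.example.com/">Reactivate your account</a>
<a href="https://www.lboro.ac.uk/">University home page</a>
<a href="http://www.lboro.ac.uk/">Log in</a>
"""

if __name__ == "__main__":
    for link, problems in audit_email(SAMPLE).items():
        print("SUSPICIOUS" if problems else "ok", link, problems)
```

The check looks at the link target in the href, not the text shown to the reader, because the visible text of a link can say anything.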
The final test is the presence of a padlock icon
All web pages that allow you to log in with a username and password should display a padlock icon to represent a secure website. The padlock is displayed in different places in different web browsers, sometimes next to the address or at the bottom of the web browser window, but it will always be there somewhere. If you cannot see a padlock icon in the window of a web login screen do not log in!
What to do if you think you have received a phishing email
Do not respond to phishing emails in any way, i.e.:
- Never click on any links
- Never reply to the sender
- Never open any unsolicited attachments
If you are unsure if an email is real or not, please don't hesitate to contact the IT Service Desk or your service provider (e.g. your bank) before responding to anything that looks suspicious.
If you have received a phishing email, clicked on the link and provided your university credentials (username and password), please inform the IT Service Desk (email@example.com or 01509 222333) immediately.
If you have entered any bank account details after following links within the email, please inform your bank, as you may be subject to fraud as a result.