Information Technology Services The University of Adelaide Australia

Phone: 8313 3000
Fax: 8313 5775

Level 9, 9 Gawler Place
The University of Adelaide
SA 5005 Australia

Phishing Scams


The following information will aid students and staff in protecting themselves from phishing scams at the University of Adelaide.

A “phishing” scam is a fraudulent or fake email appearing to come from a legitimate source such as the University, a bank, Facebook, Paypal or eBay. Phishing emails are often used by criminals to solicit information from unsuspecting victims in order to achieve financial or technological gain. Phishing scams come in many shapes and forms but will typically use two components in order to deceive:

  • An authentic-looking (but fraudulent) email that asks you to provide personal information such as passwords, credit card numbers, private information etc.
  • An authentic-looking (but malicious) email containing a (sometimes hidden) malicious web site link.

Attackers will often try to trick users into providing personal information such as passwords, credit card numbers and other private information in order to commit identity theft. This personal information often enables criminals to access sensitive information such as bank accounts or gain control over email accounts in order to send spam emails.

Website links are another common method used by attackers to solicit information or compromise a computer system. Malicious websites will often masquerade as legitimate organisations and either request your personal information or attempt to download malicious software onto your computer.

The following steps are aimed at helping University staff and students avoid phishing scams.

1. Never share your password
The University of Adelaide will never request your password, even over the telephone. Your password should be kept secret and never shared (not even with friends or family). For more information on password best practices, please visit: http://www.adelaide.edu.au/its/it_policies/password/


2. Never share personal or financial information over email
Email is not a secure way to send information and should never be used to send personal or private information. No legitimate organization will ever request your password, credit card number or personal information via an email message. Personal information should only be communicated over the telephone or a trusted secure website.


3. Avoid clicking on links in email messages
Phishing scams will often entice users to click on website links in order to direct them to a malicious website. Malicious website links are often hidden within phishing emails without the user being aware of them. Caution should always be taken when clicking on website links within email messages (even from people you trust!). The legitimacy of links within email messages can be verified in one of two ways:
  1. Copy (ctrl + c) the link within your email and paste (ctrl + v) it into your web browser.
  2. Verify the link’s target address by hovering the mouse over the link.

4. Apply caution when opening attachments
Email attachments are often carriers of malicious software such as viruses and Trojans. Due care should always be taken when opening files attached to email messages. An attachment should always be considered hostile until proven otherwise, even if it has been sent by someone you know. If you know the person that has sent you an email, but you were not expecting an attachment, contact them and confirm that they sent the attachment before you open it.

Suspicious files can be submitted to VirusTotal to ensure they do not contain malicious software.


5. Exercise vigilance with ALL email messages
As phishing schemes become more sophisticated, it becomes increasingly important to be vigilant when dealing with email (even if the message comes from a family member or somebody you know well). If you receive a suspicious or unsolicited email, it is important to confirm the email is legitimate by calling the person or organization in the “From” field before you respond or open any attached files. All University of Adelaide staff members can be contacted by telephone via the University Staff Directory, found at: http://www.adelaide.edu.au/directory


6. Avoid responding to phishing emails
Spammers often blindly send their scams to hundreds, sometimes thousands of email addresses in the hope that some of them are active. Responding to spam or phishing emails informs spammers that your account is indeed active, enticing them to send more spam to your account.


7. Report ALL phishing emails
The University currently hosts services to block many phishing and spam emails before they get a chance to enter the University. To further help this cause, University members are encouraged to report phishing emails to aid in the prevention of phishing emails entering the University. To report a phishing scam to the University, please visit: http://www.adelaide.edu.au/its/security/spam/


Does the sender identity match the purpose of the email?
Emails relating to your banking or University account should come from the organisation and not from an arbitrary email address. All members belonging to the University of Adelaide have an email address ending in adelaide.edu.au. If you do not recognise the sender, it is more than likely the email is fraudulent.


Have I given my email address to this company before?
If you have never provided your email address to a purported organisation, ask yourself: Why and how are they contacting me? Spammers will often randomly choose email addresses to target. If there is no good reason to receive email from a company with whom you have no affiliation, chances are it’s a scam.


Is the person or company contactable?
Phishing scams will often provide little information about who has sent the email. Spammers often do not want to give you too much information because validating their identity would foil their scam! Any email from a legitimate company will have a telephone number and postal address appended to the bottom of emails. Be vigilant with any suspicious emails and validate their authenticity by telephoning the company before responding or opening any attachments.


Does the email contain broken English?
Legitimate emails sent from the University of Adelaide, your bank or any reputable organization are written by English-speaking, educated professionals. Spelling and grammar mistakes are often a quick giveaway that an email is a phishing scam.


Does the email report a sense of urgency?
Scammers will often convey a sense of urgency in their emails so you will respond immediately without thinking. Be suspicious of phrases such as:

  1. “If you don’t respond within 48 hours your account will be closed.”
  2. “Failure to do this may render your account deactivated.”
  3. “Reply soon so I can give you further information.”


Is the email addressed to undisclosed recipients or a large number of recipients?
A legitimate business you have dealt with previously will typically only address emails on an individual basis. If the text alludes to confidential or personal information, but is addressed to multiple recipients, it is most likely a scam.


Am I being offered something with little or no effort on my part?
If an offer seems too good to be true, it most likely is. If you don’t remember a relative, you probably don’t stand to inherit any money from him or her. If you don’t remember entering a lottery, you probably haven’t won anything. Exercise common sense before responding to unsolicited emails.


Is my email address listed in the From: address?
If so, it’s a scam.


Does the email contain valid website links?
Even though a website link may appear valid because it displays the correct web address, it could take you somewhere completely different. Avoid clicking on website links within emails without verifying their validity. To reveal a link’s true location, hover your mouse over the link (without clicking).


Am I being asked to provide personal information?
Email is not a secure way to send information and should never be used to send personal or private information such as passwords or credit card numbers. No legitimate organization will ever request your password, credit card number or personal information via an email message. Personal information should only be communicated over the telephone or a trusted secure website.


If you believe your University login details have been compromised, please change your password immediately at http://password.adelaide.edu.au.

If you believe your credit card details have been compromised, contact your bank immediately to ensure your credit card is cancelled. The credit card provider can then investigate the claim and potentially reimburse you for any monetary loss.