Beware of Phishing

Never reveal confidential information unless you are certain that the person you’re telling is genuine, and even then ask yourself if they are entitled to the information.

What is Phishing?

Phishing is the process whereby someone attempts to obtain your confidential information, such as your passwords, your credit card number, your bank account details or other information protected by the Data Protection Act. Such attempts, often referred to as Phishing attacks, are usually primitive and obvious; however, please be aware that they are becoming more sophisticated. Don’t be fooled.

How is Phishing done?

A Phishing attack can take the form of an official-looking email or instant message, perhaps directing you to an official-looking website, or it could be an official-sounding phone call. For example, some phishing sites are replicas of the websites of well-known companies such as eBay, and some of the links on them actually lead to the genuine site.

Phishing by computer

Most Phishing attacks by computer will be by email but Instant Messages, Facebook and other Social Network sites are also sources. Please think twice about revealing information about yourself on Facebook.

An obvious attack is an email asking for your bank details to help someone to get money out of another country, and for your services you would supposedly receive a commission.

A less obvious attack is an email that looks like it’s from your bank asking you to visit a web page and log in to confirm your bank details. Recently there have also been emails that appear to come from IT Services asking for your username and password. Don’t be fooled.

Phishing by phone

Usually this is someone phoning you asking for information that they’re not entitled to. It could be someone pretending to be from your bank who asks for your online bank username and password. Another example could be a parent who phones asking for the university address of their daughter. Even if you can establish they are genuine, such information is confidential and should not be given.

Phishing in person or by post

Such attacks are less common but nonetheless you should be wary of any communications you receive that ask for personal information.

Recognising a Phishing attack

There are a number of clues that may indicate an email or website is not genuine, such as:

  • a suspicious email address or website address
  • a link to a genuine website which takes you somewhere else
  • spelling or grammatical mistakes
  • inappropriate use of capitals or exclamation marks
  • formatting errors etc.

However, you should always be wary as some Phishing attacks may be sophisticated and difficult to spot. You should refuse to disclose confidential information until you have checked to your own satisfaction that the request is justified and legitimate and has been made by a genuine person or organisation. You could do this by contacting the person or organisation in question using an address or telephone number that you know to be genuine. Don’t be rushed or bullied.

Avoiding a Phishing attack

To avoid becoming a victim of a Phishing attack:

  • Be wary of emails even from people you know as email addresses can be faked.
  • Never reveal confidential information unless you are certain that the person you’re telling is genuine, and even then ask yourself if they are entitled to the information.
  • Check the address of websites you visit as it may be obvious by looking at the Address box that the site is not genuine.
  • Banks will never ask for your online bank details by email - you may wish to let your bank know the details if you have been sent a Phishing email.
  • IT Services will never ask for your username and password.
