Last updated: 19/09/2023 11:52
Email and phone scammers target UK universities, especially new students, with the hope of stealing your money, financial information or personal details.
Sometimes known as ‘phishing’, scam email attacks often seem to come from legitimate institutions and can be extremely convincing.
Scam emails:
- often promise a reward of some kind if you click a link or enter login details. Remember, if it looks too good to be true, it probably is.
- often exploit a sense of curiosity, urgency or fear to prompt you to engage with them, threatening negative consequences or promising to reveal something exciting or forbidden.
- may impose a time limit to fluster you and create a sense of urgency, referring to unpaid invoices, full inboxes or account validation.
Identifying a scam email
- The sender address may not match the sender name.
- The email signature may be overly generic or may not follow Cardiff University conventions.
- Scam emails usually contain errors in spelling, grammar or capitalisation.
- Always check the email address of the sender. If the email appears to have come, for example, from Amazon.co.uk, but the email address is not an Amazon email address, it is probably a scam.
- If you hover your cursor over a link in an email, a box will appear showing the webpage it links to. If this does not match the supposed destination, it is probably a scam.
Never use any contact details or click any links provided in the email.
If you are unsure about an email, contact the company or person using the contact details from their legitimate website.
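The sender and link checks listed under "Identifying a scam email" can also be run automatically over a message. The following Python is an added example, not Cardiff University code; the sample message, the example.net addresses and the KNOWN_SENDERS table are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; example.net stands in for an unrelated sender.
SAMPLE = '''From: "Amazon.co.uk" <orders@example.net>
Content-Type: text/html

<p>Sign in at <a href="http://amazon.co.uk.example.net/login">www.amazon.co.uk/orders</a></p>
'''
# Assumed mapping of brand names to the domains they really send from.
KNOWN_SENDERS = {"amazon": "amazon.co.uk"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL-like string without a leading 'www.', else ''."""
    if "." not in text or " " in text:
        return ""
    host = urlparse(text if "//" in text else "//" + text).hostname or ""
    return host.removeprefix("www.")

def check_email(raw, known=KNOWN_SENDERS):
    """Return (kind, detail) findings for the sender and link checks."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    # Check 1: the display name claims a brand, the address is elsewhere.
    findings = [("sender", f"name says {brand}, address is at {sender}")
                for brand, dom in known.items() if brand in name.lower()
                and sender != dom and not sender.endswith("." + dom)]
    links = LinkCollector()
    links.feed(msg.get_payload())
    # Check 2: the link text shows one host, the href points to another.
    findings += [("link", f"text shows {shown}, link goes to {actual}")
                 for href, text in links.links
                 if (shown := host_of(text)) and (actual := host_of(href)) != shown]
    return findings
```

Calling check_email(SAMPLE) reports both the mismatched sender and the link whose visible text names amazon.co.uk while the real destination is a host under example.net.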
Internal scam emails
Scam emails can also appear to come from someone within Cardiff University. If you receive an email appearing to be from someone at Cardiff University and you are not sure if it is genuine, there are some things you can check:
- Would this person have any reason to send this email?
If you hover over the person’s name, you can see what school/department they are in, and what their role is (e.g. staff, visitor, postgraduate, undergraduate). This can help you determine whether they are likely to have sent the email to you. The email may say it's from one department but be sent from another.
- To whom is the message addressed?
If a message addresses you by your email address rather than your name, this is a sign that something is wrong. A genuine email from Cardiff University would never do this.
- Does the tone, style and terminology match the emails usually sent out by Cardiff University?
Cardiff University will never:
- email you asking you to validate your email account.
- warn you that your mailbox is full.
- ask you for your password.
Scam phone calls and text messages
Over-the-phone scammers may pretend to represent a known or trusted organisation and can be very convincing. Scam phone calls are sometimes known as ‘vishing’.
Using publicly available information, scammers may even try to convince you that they are calling from within the university and ask for confidential details.
- Don't give out personal or financial information, like bank details or your PIN, over the phone, even if the caller claims to be from a known or trusted organisation, like your bank or the university.
- If you feel that the caller is harassing or intimidating you, or if they talk over you without giving you a chance to speak, do not feel you have to stay on the phone. Hang up and end the call if you become uncomfortable.
- Ring the company or bank they claim to be from if you’re not sure if the caller is genuine. Use a number that you find for yourself, never the one provided by the caller. Wait a few minutes after hanging up and try to use a different phone line or mobile to make sure the caller is not still on the line.
‘Smishing’ combines phishing with SMS text messages. These messages attempt to gain access to your personal information, such as your bank or credit card details, or other sensitive information, and may contain links to fraudulent websites or URLs designed to trick you into downloading malware onto your phone. Be cautious of any unknown or unwarranted messages that request data or contain unknown links.
To access many university systems, including Office 365, you will need to set up Multi-Factor Authentication (MFA) to ensure your data is protected. You will find instructions on how to do this on the student intranet.
Using anti-virus software is vital when using a computer to access the internet. Currently, you can download and use a copy of the Sophos Home anti-virus software for free.
- Make sure you install anti-virus software and keep it up to date. Simply log into the student intranet and search for ‘anti-virus’.
- Use unique passwords for each site you visit and never use your university password for non-university systems.
- If you suspect your password is compromised, immediately change your password and call the IT Service Desk.
- Consider using a webcam cover for your phone, tablet or laptop. These are increasingly included on newer devices and can be purchased for older devices.
If you get a suspicious email:
- do not reply to it or follow any links within it, as the links are likely to be false. If you hover your cursor over a link in an email, a box will appear at the bottom of your browser window, showing the webpage it links to. If this does not match the supposed destination, it is probably a scam.
- do not open any attachments in the email. These attachments can contain malware that can harm your computer and capture your personal data.
If you're concerned that you have fallen for a phishing scam and you have entered your bank account details, contact your bank immediately to warn them of the threat. You should also change your password immediately and call the IT Service Desk.
Microsoft also has advice on identifying suspicious messages in Outlook.
If you have any concerns about any suspicious emails you receive, or if you have any questions or concerns about phishing, please contact the IT Service Desk: