Learning to avoid phishing

Don't click on links or open documents in phishing emails: it's the most common kind of attack. Learn how to avoid them

Be suspicious 

If you are reading this page because you have received an email asking you to do something, and you think there is something suspicious about it, our advice is to assume that it is phishing and report it to the IS Helpline using the process below. It may turn out not to be phishing, but if it is, you have helped the IS Helpline protect you and the rest of the University community.

What is phishing? 

"Phishing" is sending many emails to many people at once, usually while pretending to be a company or organisation, asking them to fill in a fake login form, open a malicious document, or do something else that results in information, say a username and password, being sent back to the people behind the phish. Essentially they are casting out lots of fishing lines to see if anyone takes the bait, hence "phishing". Sometimes attacks are more targeted, using information gathered from public sources to target a smaller number of people: for example, using the published company structure to pretend to be your manager asking for something to be done. This is known as "spear phishing", and although it can be harder to detect, many of the same clues will still be present.

How can I recognise phishing emails? 

Often a phishing attack is easy to spot, but sometimes they are more sophisticated. There is usually something about a phishing attack that will make you suspicious. It might be something in the list of clues below, or it may simply be a feeling that something is not right. It's important that you act on your suspicions: if in doubt, treat the email as if it were definitely phishing, don't click on or open anything, and report it.

When reading an email it's wise to always keep the following clues in mind. 

Phishing messages often: 

  • have a generic or incorrect greeting rather than being specifically addressed to you 

  • request personal information such as passwords, bank details, date of birth, personal ID numbers, etc 

  • are short, vague and look or sound a little odd – even if they apparently come from someone you know 

  • contain unexpected attachments, or unexpected links to online documents, even when the email appears to come from the online service itself 

  • contain poor spelling or grammar, or incorrect references to University services 

  • try to create urgency ("your account will be disabled in 24 hours", "this needs to happen by 5pm today") in the hope that you'll act without thinking 

  • come from someone you would not expect to be contacting you, either because you don't know them or because you do not normally have any contact with the kind of person or organisation they are, or claim to be 

  • try to claim false authority: government agencies, police forces, central administration, senior staff members, etc 

  • ask you to do something that you would not normally do  

Reporting phishing emails 

If you receive a suspicious email to your University account that encourages you to click a link or open an attachment, you can report it with the following process: 

  • On the email itself, next to the 'Forward' button, choose the option to "forward as an attachment" (it may be under a "More" button). Forwarding as an attachment preserves the original message headers, which the Helpline needs in order to investigate. 

  • Send it to is.helpline@ed.ac.uk 

  • You will receive an automated email back with guidance on what to do if you have clicked a link or opened an attachment from the suspicious email. 

If you have already clicked on a link, or entered your details, and then realise that the email is suspicious, please reset your University password (and the password of any other account where you used the same one) and report it to the IS Helpline.

Phishing is a form of social engineering: trying to make you do something by using social norms, emotions, and information. Phishing is largely untargeted and relies on numbers: ask enough people to do something in a generic way and perhaps a few will do it. Social engineering can be extremely targeted, however, using public information and a good story to pretend to be your bank, your IT department, your manager, or even a friend or relative. Often attackers will use little bits of information you yourself have provided to build a picture of how best to target you or to make you trust them. It can be very difficult to guard against social engineering, but asking yourself "is this person who they say they are?" and "is this something that I would normally be asked to do?" can help. As an example, if a phone call claims to be from your bank, the best thing to do is end the conversation as soon as something makes you suspicious and contact the bank via a contact route that you have found for yourself. Don't use the phone number the caller gave you; get the number from the bank's website instead. The bank will be able to confirm whether the initial contact was genuine and can take action if it was not. 

As noted above, our advice is that if there's something suspicious about an email you should not click on any links or attachments. Sometimes, however, you may want to check exactly where a link goes without opening it:

  • Instead of clicking on the link with your main mouse button, hover over it and right-click (or use the context-menu button on a touchpad).
  • Select [Copy Link] (or [Copy link address] / [Copy shortcut]) from the menu which pops up.
  • Paste a copy of the link into a safe window. (We recommend a Notepad window for this, or any basic text editor, so that nothing is opened by accident.)
  • Look at the link carefully to see if it looks credible. The site a link actually goes to is the part between the "//" and the next "/". If the hyperlink seems to be from your bank, make sure that part is your bank's own website and not something with a different name. Be aware that a genuine-looking name can appear at the start of an address that really belongs to another site, for example "www.yourbank.example.something-else.example": the link goes to the last part, not the first.

It's worth noting that a lot of marketing email uses underlying links that are individual to each recipient so that engagement can be tracked. These can make judging whether a link is correct very difficult, because by design they will be different from what the text says. As always, if in doubt do not click.

If in doubt, do not click.
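The following is an added example, not code from the original page: it does in software what the steps above tell the reader to do by hand, pairing each link's visible text with the address it really goes to and flagging the mismatches and look-alike names the page warns about. The message body, the list of trusted hosts and every domain name in it are constructed for the example using reserved example domains.

```python
"""Check where an e-mail's links really go, without clicking them.

Added example, not code from the original page. The sample message, the
trusted-host list and all host names are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the reader knows to be genuine (an assumption for the example; in
# practice, the address you found yourself on the real site's own pages).
TRUSTED_HOSTS = {"www.bank.example", "www.ed.ac.uk"}

# Visible text that names a site, e.g. "www.bank.example" or "https://x.example/y".
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?", re.I)

# Constructed sample message: one genuine link and four kinds of bad one.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Log in at <a href="https://www.bank.example/login">www.bank.example</a>.</p>
<p>Verify at <a href="http://www.bank.example.account-verify.example/login">www.bank.example</a>.</p>
<p>Reset via <a href="https://login-portal.example/ed">www.ed.ac.uk</a>.</p>
<p>Read the <a href="https://mail-track.example/c/abc123">newsletter</a>.</p>
<p>Open <a href="file:///C:/invoice.docx">the invoice</a> now.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def shown_host(text):
    """Host named in the link's visible text, or '' if the text is just words."""
    match = DOMAIN_RE.fullmatch(text.strip())
    return match.group(1).lower() if match else ""


def check_link(text, href):
    """Verdict for one link: where it says it goes versus where it really goes."""
    url = urlparse(href)
    real = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        return "suspicious: not a web link (%s)" % href
    if real in TRUSTED_HOSTS:
        return "ok: goes to %s" % real
    for trusted in sorted(TRUSTED_HOSTS):
        # A genuine name used as the first labels of an unrelated domain.
        if real.startswith(trusted + "."):
            return "suspicious: %s imitates %s" % (real, trusted)
    shown = shown_host(text)
    if shown and shown != real:
        return "suspicious: text says %s but link goes to %s" % (shown, real)
    # Tracking-style links say nothing about their destination in the text;
    # the host has to be judged by eye, and if in doubt, not clicked.
    return "unverified: goes to %s" % real


def review_email(html):
    """List each link in the message with its verdict."""
    return [(text, href, check_link(text, href)) for text, href in extract_links(html)]


if __name__ == "__main__":
    for text, href, verdict in review_email(SAMPLE_EMAIL):
        print("%-16s -> %s\n    %s" % (text, href, verdict))
```

The "imitates" check is the one worth remembering: the real destination is the final part of the host name, so an address that begins with your bank's name but continues with another domain belongs to that other domain. The "unverified" verdict is deliberately not an "ok": a tracking link cannot be judged from its text, which is exactly the situation the page says to resolve by not clicking.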

Although email is still the most common form of phishing, there are lots of other ways that you could be contacted. You could be sent an SMS with a phishing link in it (often known as "smishing"), and similarly any social media or communications platform where you can be messaged, or where a phishing link can be posted, is a potential risk. The advice is the same: if it doesn't feel right, don't engage. If in doubt, do not click.

More advice

There is lots of good advice on the web that can help you avoid phishing. Here is a selection:

Advice from Microsoft

Advice from Apple

Advice from British Telecom