Learning to avoid phishing

Don't click on links or open documents in phishing emails: it's the most common kind of attack. Learn how to avoid them

Be suspicious 

If you are reading this page because you have received an email asking you to do something and think there is something suspicious about it then our advice is to assume that it is phishing and report it to the IS Helpline using the process below. It may turn out not to be phishing, but if it is then you have helped the IS Helpline protect you and the rest of the University community. 

What is phishing? 

“Phishing” is sending lots of emails to lots of people at once usually pretending to be a company, organisation or even a contact asking people to fill in a fake login form, or open a malicious document, or do something that results in information – say a username and password – being sent back to the people behind the phish. Essentially they are casting out lots of fishing lines and seeing if someone will take the bait – “phishing”. Sometimes attacks can be more targeted, using information gathered from public sources in order to target a smaller number of people – for example, using the public company structure to pretend to be your manager asking for something to be done. This is sometimes known as “spear phishing” and although it can be harder to detect some of the same clues will be present. 

How can I recognise phishing emails? 

Often a phishing attack is easy to spot, but sometimes they can be more sophisticated. There often is something about a phishing attack which will make you suspicious - it might be something in the list of clues below but it may also be that you feel that something is just not right. It's important that you act appropriately on your suspicions - if in doubt, act as if it was definitely phishing, don't click on or open anything, and report it.  

When reading an email it's wise to always keep the following clues in mind. 

Phishing messages often have one or more of these signs: 

  • have a generic or incorrect greeting rather than being specifically addressed to you 

  • request personal information such as passwords, bank details, date of birth, personal ID numbers, etc 

  • are short, vague and look or sound a little odd – even if they apparently come from someone you know 

  • contain old email messages from the apparent sender which don't make sense in context

  • contain unexpected attachments, or unexpected links to online documents - even if the email comes from the online service itself

  • contain poor spelling or grammar, or incorrect references to University services 

  • try and create urgency - "your account will be disabled in 24 hours", "this needs to happen by 5pm today" - in the hope you'll act without thinking 

  • come from someone that you would not expect to be contacting you - not just because you don't know them but also perhaps you do not normally have any communication with the kind of contact they are or claim to be  

  • try and claim false authority - government agencies (for example tax offices such as HMRC), police forces, central University administration, senior staff members, etc

  • ask you to do something that you would not normally do  

Reporting phishing emails 

If you receive a suspicious email to your University account that encourages you to click a link or open an attachment, you can report it with the following process: 

  • You should "Forward as an attachment" the message. Depending on your version of Outlook there may be a button for "Forward as an attachment", or there may be an option under a "More" menu, or it may be under a menu button with three dots ("...") - if you cannot find it on your version, try typing "Forward as an attachment" into the "Tell me what you want to do" box.. 

  • Send it to is.helpline@ed.ac.uk 

  • You will receive an email back with guidance on what to do if you have clicked a link or opened an attachment from the suspicious email. 

If you have already clicked on a link and then realise that the email is suspicious then please reset your University password and report it to the IS Helpline immediately. 

Phishing is a form of social engineering – trying to make you do something by using social norms, emotions, and information. In phishing it’s largely untargeted and relies on numbers – ask enough people to do something in a generic way and perhaps a few will do it. Social engineering can be extremely targeted however, using public information and a good story to pretend to be your bank, your IT department, your manager, or even a friend or relative. Often they will use little bits of information you yourself provide to build a picture of how to best target you or make you trust them. It can be very difficult to guard against social engineering, but asking yourself “is this person who they say they are?” and “is this something that I would normally be asked to do?” can help. As an example, if the call is from your “bank” the best thing to do is end the conversation as soon as something makes you suspicious and contact the bank via a contact route that you have found for yourself – don't use the phone number the person gave, for example, get the number from the bank’s website. They will be able to confirm if the initial contact was genuine and can take action if it was not.  

As noted above our advice is that if there's something suspicious about an email do not click on any links or attachments. However, sometimes you may want to just check and see exactly where a link goes to - although due to changes in how links are presented in modern emails this may not give much information.

A lot of marketing email uses underlying links that are individual to each recipient so that they can track engagement, and this can make judging if a link is correct or not very difficult - they will, by design, be different from what the text says and may not refer to the site that they actually go to.

The University also uses a Microsoft service called Safe Links. This will actively check if the link is known to be malicious when you click on a link in an email, in Teams, or in Microsoft Office apps. Due to this in some mail clients the link may look different to what you may expect. Even with Safe Links you must still exercise caution and not click on a link if you are in any way doubtful of the message. As with all security measures it is important not to bypass it. You can find more information on our Microsoft 365 Safe Links page.

As always, if in doubt do not click

If you want to look at a link in an email:

  • Instead of clicking on the link with your main mouse button, hover over it and click with the other mouse button.
  • Select [Copy Link] (or [Copy shortcut]) from the menu which pops up.
  • Paste a copy of the link into a safe window. (We recommend you use a Notepad window for this, or any basic text editor. )
  • Look at the link carefully to see if it looks credible. For example, if the hyperlink seems to be from your bank, make sure it would go to your bank’s website, and not to something with a different name.

If in doubt, do not click.

Although email is still the most common form of phishing there are lots of other ways that you could be contacted. You could be sent an SMS with a phishing link in it - that's often known as "smishing" - and similarly any social media or communications platform where you could be messaged or where a phishing link could be posted is a potential risk. The advice is the same - if it doesn't feel right then don't engage. If in doubt, do not click.

More advice

There is lots of good advice on the web that can help you avoid phishing. Here is a selection (please note that these links are not endorsements of companies or products):

Advice from Microsoft

Advice from Apple

Advice from British Telecom

Advice from His Majesty's Revenue & Customs (HMRC) on how to tell if something from them is genuine

Police Scotland advice on Scams & Frauds (including "The Little Leaflet of Cyber Advice" and "The Little Booklet of Phone Scams")