Phishing advice

Sometimes you'll get an email that appears to come from your bank, the IT Service Desk or similar, but is in fact trying to trick you into revealing important information such as your username and password or bank details. This is phishing.

Read our advice on how to avoid getting caught by a phishing scam. If you have clicked on a suspect link in an email and/or entered your username and password, or think you may have replied to a phishing email, please contact the IT Service Desk.

To report a phishing / spam email, please forward it (as an attachment, using the keyboard shortcut Ctrl + Alt + F) to spam@leeds.ac.uk

For more information, see our Email quarantine and spam page.

Links in University emails

Automatic emails from many University systems (such as SIPR and COSTA) do not contain hyperlinks to web pages which ask for your username and password. Instead, the links appear just as plain text. 

How does it work?

You may receive an email with a message like this:

'We suspect an unauthorised transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.'

Or

'During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information.'

The emails or pop-ups claim to be from a business or organisation that you might actually deal with - for example, the IT Service Desk, an internet service provider, a bank or an online payment service. The message may ask you to 'update,' 'validate,' or 'confirm' your password and/or account information, and some phishing emails threaten a dire consequence if you don't respond.

The messages direct you to a website that looks just like a legitimate organisation's site - but it isn't. It's a bogus site whose sole purpose is to trick you into giving away your personal information so the operators can steal your identity to access your data, run up bills or commit crimes in your name.

Neither the University nor any other reputable organisation will ever send you emails asking you to input, confirm or validate account and/or personal details.

Tips to avoid getting hooked by a phishing scam:

  • even if an email requesting account information appears to have come from an official and/or trusted sender, do not trust it;
  • don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in the message;
  • don't cut and paste a link from the message into your web browser - phishers can make links look like they go to one place, but they actually send you to a different site;
  • if you are concerned about your account, contact the organisation using a phone number you know to be genuine, or open a new internet browser window and type in the company's correct web address yourself;
  • don't email personal or financial information - email is not a secure way to send information;
  • review credit card and bank account statements as soon as you receive them to check for unauthorised charges;
  • be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
