Guidelines for handling spam and phishing emails

We often get unwanted messages called 'spam', and malicious messages trying to trick us into revealing our logon details or other personal information, called 'phishing'. 

A summary of what you should do

If you get an email that you know is spam or phishing, please forward it as an attachment (using the keyboard shortcut Ctrl + Alt F) to one of the following addresses:

Please contact the IT Service Desk only if you have clicked on any links in the email or entered your details in response to it, or are unsure about whether the email is genuine.

Remember that you will never be asked to verify your password via email. More detailed information can be found below.

Phishing Advice

Sometimes you'll get an email that appears to come from your bank, the IT Service Desk or similar, but in fact it is trying to trick you into revealing important information such as your username and password, bank details etc. This is phishing. Read our advice on how to avoid getting caught by a phishing scam. If you want to report a phishing email or think you may have replied to one, please contact the IT Service Desk. 

Please also forward the email (as an attachment), using the keyboard shortcut Ctrl+Alt+F to 

How does phishing work?

You may receive an email with a message like this:

'We suspect an unauthorised transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.'


'During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information.'

The emails or pop-ups claim to be from a business or organisation that you might actually deal with - for example, the IT Service Desk, an internet service provider, a bank or an online payment service. The message may ask you to 'update,' 'validate,' or 'confirm' your password and/or account information, and some phishing emails threaten a dire consequence if you don't respond.

The messages direct you to a website that looks just like a legitimate organisation's site - but it isn't. It's a bogus site whose sole purpose is to trick you into giving away your personal information so the operators can steal your identity to access your data, run up bills or commit crimes in your name.

Neither the University nor any other reputable organisation will ever send you emails asking you to input, confirm or validate account and/or personal details.

Tips to avoid getting hooked by a phishing scam:

How to check a link before opening it

Windows laptops and computers

Mac laptops and computers  

iOS & Android phones and tablets

Links in University emails

Automatic emails from many (but not all) University systems (such as SIPR, COSTA and ServiceNow) do not contain hyperlinks to web pages which ask for your username and password. Instead, the links appear just as plain text. You need to copy and paste these links into the address bar of your web browser.

Managing your emails

You may find that an email is deemed by Microsoft to be spam and goes into your Junk folder when it is actually a valid message. If this happens, you will need to approve the email message or sender within Outlook.

To do this:

  1. Select the message in your Junk folder
  2. Choose the drop-down arrow from the Junk heading and select your desired option


In Outlook Web Access you can drag the email from your Junk folder back into your Inbox. For more information from Microsoft on your junk email settings, look at the content here

Spear phishing

We are seeing an increase in spear phishing, where a phishing email is targeting an individual. A common one is where they email you saying they have evidence you have visited porn sites or have compromising photos or videos of you. To ‘prove’ it, they may include an old password you have used. Do not reply to these emails, they are a scam. These passwords have come from sites which have been hacked, often several years ago. If you still use the password on any site, change it immediately. If you use it on any University site report it to the IT Service Desk. If you have any concerns that your University account has been compromised talk to the IT Service Desk.