You have probably been directed to this page because your email account has been accessed by an unauthorised person. Firstly, don’t panic! You are not the first person this has happened to and there are some steps you can take to minimise the damage.

The most important thing you can do is change the password of the affected account, ensure you do this from a computer you know is safe to avoid the attacker finding out the new password.

  • As soon as possible, please inform your local IT support staff or the IT Services general helpdesk. For further details please see:

  • If your Nexus account has been affected, the same Oxford username and password will give you access to other University systems and services via Single-Sign On (SSO). If this includes critical business systems such as Financials or HRIS, or any other system storing personal or confidential University data, please ensure that IT Services are informed.
  • To help prevent your account being compromised again, do not give out your new password and make sure any device you use to access your account has any available software updates applied and, if applicable, anti-virus software installed.

For more detailed information, please follow these links:

1. How your account could have been compromised

You need to consider how your account became compromised. Frequently this happens when someone responds to a phishing email, have you recently received an email which directed you to a page where you entered you account details? Tips for recognising phishing emails can be found at:

Even if you are confident you have not responded to any phishing emails there are other ways a malicious person may have discovered your credentials. Consider the devices you have used to access your account, this includes personal and University computers, portable devices such as phones, tablets and laptops, and any publicly accessible computers in places like Internet cafes and libraries. Are you sure the software running on the devices you have used is up to date? Where appropriate, is anti-virus software installed and is it kept up to date?

2. What the attackers may have done

Once the attackers gained access to your account they may have stolen personal data from your emails. Some University systems use the same credentials as your Nexus email (your single sign on credentials), so if it was your Nexus email which was compromised the attackers may have accessed other systems as well. Information about which services use single sign on can be found at:

If the compromised email account is run by your college or department those credentials may still be linked to other systems, in this case please contact your local IT support staff for more information.

You will also need to consider any services which may send password reset or reminder emails to the compromised account, as the attacker may now have access to those accounts as well. These may include services within the University, other academic resources, and personal accounts such as those for Amazon, GMail, or Facebook.

If the attacker has reset a password it should be obvious as you will no longer be able to access that account. However be aware that if a service simply generates a password reminder email which the attacker has deleted, you may be unable to tell if they have access to that account. If in any doubt, set a new, unique password for the account in question.

3. What to do next

The most important thing you can do is change the password of the compromised account. This should be done from a machine you know to be safe, otherwise the attackers may pick up the new password and begin the cycle again. Any other accounts you know to use the same password, within the University or otherwise, should also be changed to new, different passwords. Do not reuse your compromised password for any account in the future, you have no way of knowing how long the attackers will keep this information for.

As soon as possible, please inform your local IT support staff, if that is not possible please contact the IT Services general helpdesk. The sooner we are aware of the problem the better. For further information please see:

To make it more difficult to assess how the attackers have used your account they may have deleted large amounts of emails or set up rules to forward new emails to places you aren’t expecting. You can start by checking your deleted items folder for the missing mail and disabling any mail filtering rules which you did not create. If you require any assistance with this please contact your local IT support staff or the helpdesk.

Apart from data theft, attackers often use email accounts they have gained access to to send spam. You may notice a number of emails from recipients of the spam, you may wish to respond to them letting them know that you are aware the account has been compromised and are taking steps to prevent further misuse.

It is also highly likely that your account will receive a large amount of junk emails, in the form of bounces and auto-replies from the addresses the attacker sent email to. Care should be taken not to delete legitimate correspondence when dealing with these emails.

Another consequence of the account being used to send spam is that your email address may have been added to blacklists which could cause your emails to be blocked in the future. These lists are numerous and controlled by organisations outside of the University. If you suspect emails from your account are failing to reach certain recipients, please contact your local IT support staff or the IT Services general helpdesk who will endeavor to assist you.

4. How to avoid your account being compromised again

To avoid your account being abused again in the future, please remember never to send your password to anyone in an email. Your local IT support staff and IT Services staff will never ask you to email your password for any reason.

Be sceptical about any email you receive regarding your password, particularly if you are asked to respond by email or if it contains a link to a form which requests your password. You will annually receive genuine password expiry notices from IT Services, however you will not be asked to respond directly to these notices.

Be wary of unsolicited phone calls claiming that your computer has a problem that the caller can fix if you allow them access. If the call is genuinely from your IT officer they will not mind verifying their identity with you.

Ensure you are running the most up to date software versions that you can on any systems you use to access your account, avoid accessing your account from devices you have no control over and may not be well maintained, such as from Internet cafes.

If in any doubt always contact your local IT support for advice, information regarding University IT support services can be found here: