Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and bank or credit card details by criminals masquerading as a trustworthy person or organisation in an electronic communication. Phishing attacks are most often launched by email, although some have been seen using other methods such as mobile phone text messages.

OUCS is particularly concerned about phishing attempts to gather usernames and passwords for University services, which have been an increasingly common target since late 2008. Many people have been tricked by these scams and in some cases, University accounts have been abused by attackers. Such account abuse may cause considerable inconvenience and/or damage to reputation for the account owner, their IT staff, their college and potentially for the University as a whole.

It is vital that OUCS is warned of any phishing attempts against University services as quickly as possible so that OUCS staff can act swiftly to limit the potential for abuse. We strongly encourage you report such attempts to us at phishing@it.ox.ac.uk; please see below for details.

1. Be alert

Neither OUCS nor anyone else within the University should ever ask you to reveal your password by email. If you receive such an email asking you to do so, it is undoubtedly a scam. Do not reply! [Please read our Fake Emails information too! ]

Some phishing attacks ask you to follow a link to a web page which then prompts you for a username and password. Be extremely wary of any such links even if an email appears genuine. Scammers may attempt to replicate the "look and feel" of legitimate and familiar University or College login pages. If in you are in even the smallest amount of doubt, you MUST NOT follow the link in the email but instead use existing bookmarks, follow links from trustworthy websites such as the OUCS site or your department or college intranet, or seek assistance.

You may periodically receive messages regarding password expiry, quota problems, etc from OUCS or other service providers within the University. Unfortunately these may be hard to distinguish from fake emails. Facilities are in place to allow you to reset your password or check your quota (choose the 'show email usage and quota' option).

2. Do not reply!

Never send any reply to a phishing scam. Do not attempt to question its authenticity (any attacker will naturally assure you that the message is genuine) or try to "bait" the attacker with false details. OUCS does not see the content of any emails, merely that correspondence was sent. We must therefore treat any reply to a known phishing scam as though it contains the sending user's login credentials and will have no choice but to temporarily disable access to your account, for your own protection.

If you are in any doubt as to the authenticity of a particular message, do not respond directly to the sender but contact your local IT support staff or the OUCS helpdesk for advice.

3. If you believe you may have responded

We appreciate that mistakes do happen and sometimes people may inadvertently reveal login details to unauthorised persons. If this happens to you, please take action promptly. Change your password as soon as possible, and let your IT staff know. Please do not be afraid to own up: we would rather you told us than tried to cover up your mistake. If you still have a copy of the email that led you to respond, please let us know so we can help others avoid making the same mistake.

4. What you can do to help us

If you recieve an email that is asking you to divulge your login details for a University service you can help OUCS by reporting these. We would far rather receive multiple reports of a particular scam than fail to receive any; user reports are vital to us in setting up appropriate countermeasures.

Please send emails to phishing@it.ox.ac.uk, but please note that as well as the message body, we require the 'full headers' of the email in order to trace the origins of a message. The full headers will include one or more lines starting "Received: ". Please see our instructions on how to view and forward full headers on a variety of common email platforms.

4.1. What to report

We encourage you to report any phishing attempts which might deceive others into revealing login information for one or more University services. Many scams do not specifically mention University services but use generic terms such as "your webmail account"; we encourage reports of these as some users may fall for them.

4.2. Other phishing

Please note that there is no need to inform OUCS of phishing scams which clearly directed at external services, such as online banking, Ebay, Paypal, Hotmail, Amazon, etc. While University members may fall for such scams, doing so does not directly place University services at risk. OUCS is not well-placed, and does not have the resources, to take action as a result of such scams.

External organisations are interested in reports of such scams and you may wish to report these to organisations such as Bank Safe Online (where a bank or other financial institution is being targetted) or directly to the organisation named in the scam.