Spam and phishing

Spam, that is to say unsolicited or unwanted commercial email, is regrettably a fact of life online. Sending email is approximately free, even to millions of potential recipients, if one uses hacked computers to (ab)use effectively stolen resources. Only a very small number of positive responses are required to make a profit, so people continue to send it.

Advice for dealing with spam:

  • Don't reply to obvious junk email or ask to be removed from a mailing list. This just tells the spammer that your email address is live.
  • Sometimes spam will appear to come from a Cambridge address. This does not necessarily mean that we have been hacked as it is easy to send an email claiming to be from a fake address.
  • Don't open an attachment you weren't expecting as it may contain a virus (even if the email really does come from a friend, their computer may have been infected).

Phishing and how to avoid it

Phishing is a type of spam where the spammer's objective is to trick you into typing your login name and password into a website that the spammer controls. For example, you might receive an email purporting to be from your bank, saying that your account has been disabled and asking you to follow a link and enter your username and password to re-enable it. There have also been phishing attempts which specifically targeted Cambridge users.

If you get such an email and are unsure whether it is genuine, don't follow the link in the email. Go to the organisation's website via your bookmarks or Google and log in. If it was genuine then there will be a similar message on the website.

Some phishes will ask you to call a phone number instead. Again, don't call the phone number in the email; look on the organisation's website and, if necessary, call the number you find there.

Occasionally a phish will ask you to reply to the message with confidential information such as your user ID and password or your credit card or bank details. Just as your bank will never ask for your PIN, University Computer Officers will never ask for your password (we may, however, need to ask for your username).

Some giveaways that an email is phishing (not all phishes will have all these problems):

  • Poor English, run-on sentences, eccentric capitalisation
    English is often not a spammer's first language. However, some phishes contain chunks of text copied from genuine emails from the business they are impersonating.
  • Comes from an email address unrelated to the organisation which it claims to be from
    A genuine email from Amazon will come from a clearly "Amazon" email address such as something@amazon.co.uk or something@amazon.com. Sadly the reverse does not apply, as it is easy to forge an email from any address.
  • Asks you to follow a link which doesn't go to the organisation's website
    Phishers get your account details by tricking you into typing them into a website which they control. Be careful here, as there are various strategies the phishers can use to make their link look genuine, for example misspelled URLs such as www.paypai.com for www.paypal.com and misleading URLs such as www.natwest.phishersdomain.com (phishersdomain.com would be replaced by a less blatant name of a domain belonging to the phisher). This is why it is best to go directly to the organisation's website rather than following links in suspicious emails.
  • Tries to induce a sense of urgency
    Phishing emails often say things like "please reactivate your account within 48 hours to prevent it being deleted". This is designed to panic you into acting before thinking.
  • Written in an impersonal style, addresses you as "Dear Customer" or "Dear Student" rather than by name
    This is not an infallible guide, as sophisticated phishing software may be able to fill in the recipient's name, and sometimes a company will send out a genuine mass email in a similar impersonal style (however, this is less likely to request any action).
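
The two link tricks described above (a misspelled domain such as www.paypai.com and a brand name placed in front of someone else's domain such as www.natwest.phishersdomain.com) can be checked mechanically. The following Python is an added example, not part of the original page; the KNOWN_DOMAINS allow-list, the function names and the two-edit threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list (an assumption for this example): domain -> brand name.
KNOWN_DOMAINS = {
    "paypal.com": "paypal",
    "natwest.com": "natwest",
    "amazon.co.uk": "amazon",
    "amazon.com": "amazon",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'genuine', 'lookalike', 'misleading-subdomain' or 'unrelated'."""
    # Accept bare hosts such as "www.paypai.com" as well as full URLs.
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Genuine: the host is a known domain or a real subdomain of one.
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return "genuine"
    # Lookalike: the right-hand end of the host is within two edits of a known
    # domain (the threshold of 2 is an assumption of this example).
    for domain in KNOWN_DOMAINS:
        tail = ".".join(labels[-(domain.count(".") + 1):])
        if edit_distance(tail, domain) <= 2:
            return "lookalike"
    # Misleading: the brand appears as a label, but another domain is on the right.
    if any(brand in labels for brand in KNOWN_DOMAINS.values()):
        return "misleading-subdomain"
    return "unrelated"


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin", "www.paypai.com",
                 "www.natwest.phishersdomain.com", "http://example.org/"):
        print(f"{link:35} {classify_link(link)}")
```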

Useful Links