
1446. I have received an email asking me for my username and password. What should I do?


The short answer is:  NEVER RESPOND TO EMAILS LIKE THIS.

Any email asking you - either directly or indirectly - for your username and password, no matter how genuine it looks, has criminal intent and you must NEVER respond.

Introduction

Most of us at some time or another will receive an email claiming to be from an IT support service or an account manager, and asking you to provide your username and password, and sometimes other personal details.  Frequently, the emails claim that your email storage limit has been reached or exceeded or that your account will be closed if you do not respond.

The email may ask you to respond directly to disclose your username and password (and perhaps other personal information), or it may make an indirect approach by providing a clickable link to a website which may ask the same.

THESE EMAILS ARE ALWAYS FRAUDULENT.  They are known as "phishing" emails and they are very common and widespread.  Some may even appear to be from the University of Sussex IT Services.  They may look genuine at first glance, but a closer look at the email (particularly the sender's email address) will show that it was not sent by any genuine IT service but by someone fraudulently posing as such a service.  See below for what could happen if you responded.

DON'T BE FOOLED!  Sussex IT Services would never ask you to send your password through email or by any other means.  The same will be true of any other reputable email service provider you may be using.

REMEMBER!  Your password is for your use alone and you must keep it secret.

The University's Regulations forbid you from sharing your password with anyone, including IT Services staff.  IT Services will not ask you for your password over the phone, by email, or by any other means.

If you ever receive an email asking for your username and password details, NEVER RESPOND to it, and NEVER open any attachments it contains.  NEVER provide your details through any website linked in the email.

What to do

See the sections below to find out more.

  1. What could happen if you responded to a phishing email
  2. How to protect yourself
  3. What we do to help protect you
  4. How you can help us fight phishing
  5. Sussex Exchange quota warnings (staff and PhD students only)
  6. Reporting phishing emails
  7. More information

What could happen if you responded to a phishing email

The possibilities for personal, academic and professional damage are almost limitless.  Think about it!  Once your username and password have been obtained by a hacker, they could do any of the following:

  • read your email;
  • use your email account to send out spam, or fraudulent, phishing, abusive or obscene emails in your name (possibly in vast numbers);
  • delete your email;
  • delete or modify your Contacts (address books);
  • change your reply address or set up forwarding so that your emails are delivered elsewhere;
  • access your personal pages on the Sussex website and view or change your personal and confidential information;
  • view, change or destroy any of your files on the networked storage media;
  • do almost anything else that you can do using your username and password.

Unfortunately, despite our best efforts over many years to publicise this problem, individuals at Sussex still respond to phishing emails, and this has led to a number of embarrassing and troublesome incidents, and to attempts at financial fraud.  Other email accounts have been used directly to send out spam or more phishing emails (in some cases to tens of thousands of email addresses).  If this happens to you, you may find your address blocked by other institutions and services, which could seriously impede your work.

How to protect yourself

  1. LOOK CAREFULLY AT WHO THE EMAIL IS FROM.  The top of the message will usually show the sender's email address.  If it is clearly not from a Sussex address (for example, it shows an external email address) then it wasn't sent by IT Services (do not be fooled by any title or name claiming to be IT Support or similar).  Even if it has been sent from a Sussex address (possibly from another hacked account) you still MUST NOT RESPOND to any request for your password or confidential details.
  2. NEVER disclose your password to anyone - not even IT Services, who don't need to know it anyway.
  3. If you think you have responded to a phishing email, change your password IMMEDIATELY using the IT Services My IT Account facility.  Then tell us (with as much detail as possible) so that we can investigate and monitor the situation.  When changing your password, use as secure a password as possible, by following our guidelines at FAQ 839.
  4. Avoid using the same password on different internet services external to the University.  In particular, be very careful with your University password, and with passwords that you use for financial systems or services and for email systems.
  5. REMEMBER that the only person who should know your password is YOU.

What we do to help protect you

When we discover phishing emails or they are reported to us (see below), and they are sufficiently widespread, we normally do the following:

  • We may block further email from the 'phisher' so that no more of their messages are delivered.
  • We may set up a block against replies to the phisher, so that no-one can reply to such emails (although we cannot do anything about replies sent before the block was set up).
  • We try to block any active phishing websites that come to our attention.  NOTE however that we can only block access from computers on the campus network. We cannot block access from off campus or access via other service providers.
  • If we discover that anyone has already replied to a phishing email, or we discover that their account may already have been compromised, we'll disable their password so as to prevent further access to the account.  This may cause short-term inconvenience, but consider the even greater inconvenience that could result from unauthorised access to a person's account.
  • We maintain a Security Alerts page, giving details of the most widespread phishing emails and other scams.   The website is updated (manually) in response to reported or observed phishing activity.

None of the above can happen instantly, and by the time it does it may already be too late to prevent a security breach.  That is why we need you to play your part in helping to keep your account secure.

How you can help us fight phishing

As well as being vigilant yourself from now on, please help us spread the message by telling your friends and colleagues about this problem.  You can send them the website address of this article, which could apply to any email service, not just that at Sussex:

www.sussex.ac.uk/its/phishing

Sussex Exchange quota warnings (Staff and PhD Students only)

The only time that Staff or research students will receive email to warn about their mailbox quota will be an email sent directly by the Sussex Exchange system itself, and labelled as from 'Microsoft Outlook'.   This is described in detail in FAQ 2350 under the heading  "How Exchange tells you". Note that the email only tells you how much mailbox space you're using and that you're close to or over your allocated limit.  It gives no other information and does not ask you to reply with any information, nor does it contain any attachments, nor provide any clickable web links.
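As an added illustration (not part of the original FAQ), the following Python triage helper applies the checks described above to a raw message: it compares the real sender address with the display name, flags any request for a username or password whatever the sender, and flags a quota warning that carries links or attachments (a genuine Exchange warning has neither). The trusted domain, the "IT support" display-name keywords and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: genuine IT Services mail comes from sussex.ac.uk
# (or a subdomain); the keywords below are display names phishers commonly borrow.
TRUSTED_DOMAIN = "sussex.ac.uk"
SUPPORT_CLAIMS = ("it service", "it support", "helpdesk", "account manager", "webmail")
CREDENTIAL_RE = re.compile(r"\b(password|username|user name|login details)\b", re.I)
QUOTA_RE = re.compile(r"\b(quota|storage limit|mailbox (size|limit)|exceeded)\b", re.I)
LINK_RE = re.compile(r"https?://|<a\s", re.I)

def sender_domain(from_header):
    """Domain of the real address in From:, ignoring the display name."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()

def is_trusted(domain):
    """True only for the trusted domain itself or one of its subdomains."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def body_and_attachments(msg):
    """Concatenate plain-text parts; count parts carrying a filename as attachments."""
    texts, attachments = [], 0
    for part in msg.walk():
        if part.get_filename():
            attachments += 1
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(texts), attachments

def triage(raw):
    """Return the red flags found in a raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    body, attachments = body_and_attachments(msg)
    flags = []
    if any(c in name.lower() for c in SUPPORT_CLAIMS) and not is_trusted(domain):
        flags.append(f"display name '{name}' claims IT support but address is @{domain}")
    if CREDENTIAL_RE.search(body):
        flags.append("asks for username/password (never legitimate, whatever the sender)")
    if QUOTA_RE.search(body) and (LINK_RE.search(body) or attachments):
        flags.append("quota warning carrying links/attachments (genuine ones have neither)")
    return flags

# Constructed sample message for the example, not a real phishing email.
SAMPLE_PHISH = """From: IT Support <helpdesk@mail-admin.example>
To: someone@sussex.ac.uk
Subject: Mailbox quota exceeded
Content-Type: text/plain

Your mailbox has exceeded its storage limit. Reply with your username and
password, or verify at http://webmail-verify.example/login to keep your account.
"""
```

Running `triage(SAMPLE_PHISH)` returns all three flags; a quota notice from the Exchange system itself, with no links, attachments or credential request, returns none.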

Reporting phishing emails

If you are a Sussex student or a member of Sussex staff, you are welcome to report or forward instances of phishing emails received by your Sussex account.   You can forward them to IT Services Online Support at support at its.sussex.ac.uk (please replace the ' at ' with '@').   It will be a great help to us if you forward the suspicious message complete with its FULL headers: the reasons why, and how you can do it, are described in FAQ 1080.

Note that we cannot help you with phishing email sent to your private email addresses: those are a matter for your email service provider only.  However, the general advice given in this article applies equally to any email service you are using.

Note also that if we receive many reports about the same phishing email, it may not be practical for us to acknowledge each report and so you may not get a reply from us (this is simply a matter of practicality - we're not ignoring you).   We will, however, act on the reported phishing attempt if it is sufficiently widespread, and we'll also post an alert about it in our Security Alerts page, so please check this regularly.

More information

A very good article about phishing scams can be found on the Hoax Slayer website at:

www.hoax-slayer.com/phisher-scams.html

See also the Anti-Phishing Working Group (APWG) website at

www.antiphishing.org/

Phishing scams about income tax are quite frequent.  HM Revenue & Customs (HMRC) have a useful website giving security advice about online security (including an email address to which to report tax-based phishing emails) at  www.hmrc.gov.uk/security

Interesting article (by a victim) on The Guardian newspaper website (13 November 2013):

http://www.theguardian.com/money/2013/nov/13/stranded-traveller-phishing-scam


Created by Sandy Radford on 9 May 2008 and last updated by Sandy Radford on 13 September 2016