Tuesday, 8 July 2014

Someone wants your password

Joanne Casey would like to know how we make everyone a little bit more suspicious.

There's always someone trying to steal people's passwords...

...and sadly, there are always people who allow them to do it.

A recent phishing email.
The URL doesn't link to mail.york.ac.uk -
your best bet is to mark it as spam.
It's pretty normal these days for emails to arrive in our inboxes purporting to be from 'York Admin', 'System Administrator Team', or similar.

These messages may warn you that your account needs to be validated, alert you to withheld emails, offer you an upgrade, or give you access to a shared Google doc. They include a link, which might appear to be a genuine University URL, and if you click on it you'll be asked enter your username and password.

These emails are always a scam - their sole aim is to steal your password.

Lots of people already know that, and lots more are suspicious enough to check with us before they respond. But each time one of these phishing emails is targeted at University email accounts, we see people hand over their username and password, which means that we have to disable their account as soon as we become aware that it's been compromised.

Our phishing advice poster:
click to view full size
We take various approaches to this:
  • If possible, we block access from the campus network to malicious websites - but this doesn't help if people are at home or elsewhere when they click on the link.
  • We include information about spotting and dealing with email scams on our website, in our user guide, and in flyers handed out at Freshers' Fair and Staff Induction events.
  • We post advice on our Twitter and Facebook feeds
  • When there's a phishing attack underway, we send warnings to departments for circulation to staff and students
  • We've produced a poster that departments can display on their noticeboards
But we know - because we keep having to block accounts - that people keep falling for these emails, and we'd love to find out what else we can do to make sure this message reaches everyone in the University. How do you think we can tackle this? What's the right way to make sure everyone is able to spot a potentially dodgy email? We'd welcome your thoughts and comments below.

Find out more about spotting phishing attacks and other email scams at:


  1. I still can't believe that anyone would fall for an email that says "Management has mandate you to validate your account". But then, I am still waiting for a very kind Nigerian prince to share half his fortune with me after I helped him transfer it to Switzerland so his wicked stepfather can't steal it from him.

  2. But if English isn't your first language, it can be harder to spot those nuances of odd phrasing and grammar. That might be one reason why people think they're genuine.

  3. Have you looked at any correlations between the accounts you've locked and users age range / nationality/language (even if it's just a punt from their directory photos / surname / departmental profile, and are staff or students falling for the emails more?

  4. The emails use bad English deliberately. They are trying to catch the most gullible, and making the English perfect will give them too many false positives to cope with.

    One solution might be to make Google's two-step verification mandatory for UofY accounts. But that might make IT more unpopular than the spammers!

  5. How about running a campaign on Managed PCs for a while which shows example of what the spammers email looks like when users start up their PCs and log in?

  6. Could you make it a mandatory yearly test like the online fire safety training? I'm not a particular fan of having to complete these types of tests (or being nagged to remind me to complete them) but it does make them hard to ignore.

  7. I think that's a great idea, Paul.

  8. McAfee have a quiz which gets you to spot the phishing emails and the genuine ones: https://phishingquiz.mcafee.com/

    I'm clearly too suspicious, as I marked two genuine ones as phishing...


Anybody can comment on this blog, provided that your comment is constructive and relevant. Comments represent the view of the individual and do not represent those of The University of York Information Directorate. All comments are moderated and the Information Directorate reserves the right to decline, edit or remove any unsuitable comments.