Spam and phishing are among the most common threats to your online security. Understanding how to recognise and respond to these messages protects not only your own accounts, but also the data and systems shared across HYMS.
Spam
Unsolicited, bulk email sent to large numbers of recipients — typically for advertising, spreading malware, or conducting phishing attacks.
Phishing
Fraudulent emails that impersonate a trusted organisation (such as a university or bank) to trick you into revealing your login credentials or personal information.
If your account is compromised
If IT Support suspects that your account has been compromised, your account will be locked or disabled until we have spoken with you and confirmed it is secure. If you find yourself unable to log in unexpectedly, please contact the IT Help Desk as soon as possible.
I think I’ve fallen for a phishing scam — what should I do?
If you, or someone in your department, has responded to a phishing email or entered credentials on a suspicious site, take these steps right away:
- Contact your bank immediately if any financial details were involved. Call your bank’s fraud line and explain that your account details may have been compromised.
- Change your HYMS account password without delay. Follow the guide: Changing or Resetting Your HYMS Password.
- Contact the HYMS IT Help Desk. Our team will help you secure your account fully, provide tailored advice on the specific threat, and identify any other users who may have been affected.
What should I do if I receive a suspicious email?
Step 1 — Check whether the email is genuine
Before clicking any link or entering any details, pause and ask yourself:
- Is the sender’s email address exactly right, or does it look slightly off (e.g. support@hyms-help.com instead of an official HYMS or York/Hull address)?
- Does the email create a sense of urgency — threatening to close your account or block access unless you act immediately?
- Are there spelling errors, unusual formatting, or a generic greeting like “Dear User” rather than your name?
- Is the link destination (hover over it without clicking) a legitimate URL?
Step 2 — Report the email to Microsoft
Reporting phishing and junk emails within Outlook helps Microsoft improve spam filtering for everyone at HYMS. Please report any suspicious emails rather than simply deleting them.
Reporting in Outlook on the Web (browser) and the Outlook desktop app (Windows, Mac,
- Select the suspicious email in your inbox.
- On the toolbar at the top, click the Report button (next to the Archive button) or on the email.
- Select Report Phishing or Junk from the dropdown menu.
- The email will be moved to your Trash folder, and Microsoft will be notified automatically.

How has HYMS been targeted?
Scammers sometimes target HYMS students and staff specifically — either using inside knowledge or impersonating internal teams. Below are examples of real phishing attempts received at HYMS.
- Fake IT Services messages claiming your email account will be closed unless you provide your username and password by reply.
- Student Loans Company impersonations sent to students, requesting personal or financial information.
- Highly targeted emails addressed to individual staff members by name, referencing their academic work or publications — and containing links that request login credentials to access papers or submit new research.
- Emails apparently sent from a known colleague or contact — if a HYMS account has been compromised, it can be used to send spam or phishing emails to others. A message from a familiar name is not automatically safe.
What are the risks?
Falling victim to a phishing or spam attack can have serious consequences, including:
- Unauthorised access to your HYMS and university accounts.
- Compromise of personal and financial accounts.
- Identity theft.
- Exposure of other people’s data held within your accounts.
- Your account being used to send further phishing emails to colleagues and students.
What is being done to stop these emails?
Microsoft 365’s built-in spam filtering blocks the vast majority of phishing and junk email before it reaches your inbox. However, because attackers constantly vary the content and source addresses of their campaigns, some messages — particularly the first in any new wave — may still get through.
If Microsoft detects that a HYMS account has been compromised, they will suspend it and alert the HYMS IT Services team, who will then contact the affected user.
The single most effective additional defence is prompt reporting: every time you report a phishing email via Outlook, you help improve the filters that protect everyone at HYMS.
