Spam: unwanted, junk email, typically sent to large numbers of people, for the purposes of advertising, phishing, spreading malware, etc.
Phishing: fake email messages that claim to be from an organisation that you may trust (eg universities or banks). Often ask you to provide your personal details by replying or clicking a link. They may suggest you’ll lose your account if you don’t do so
Spam targeting HYMS students and staff
To protect your own data and that of other people, it’s vital that you learn how to spot phishing messages and other scams, and that you make sure your students and colleagues are aware of this too.
If we suspect your account has been compromised in any way IT Support will lock/disable your account until we have spoken with you and made sure that it is secure so if you are unable to log in please contact us.
How has the Hull York Medical School been targeted?
Sometimes scammers target members of HYMS, either with specific details, or by pretending to be IT Services or other departments.
- Email messages appearing to be from IT Services, asking for your username and password, and saying that your email account will be closed if you don’t reply.
- Some students have received emails appearing to be from the Student Loans Company.
- Some staff have received very targeted emails which address them using their name, and which refer to their academic or professional interests – for example, referring to papers that they’ve written. These messages include links which purportedly allow them to view useful information or submit new papers. The links request a username and password.
- Compromised accounts are often then used to send spam emails. If you’re sent an email, it may not be from the person it appears to be from
Always be wary of unexpected emails, no matter how genuine they seem.
What’s the worst that could happen?
HYMS account accessed
We have seen cases where people have typed in their HYMS username and password into a phishing site, and then discovered that someone had accessed their Office 365 Mail account and set up their email to be forwarded elsewhere.
Other people have found that all of their email messages have been deleted.
Bank account accessed
York University have seen instances where:
- students have received emails pretending to be from the Student Loan Company
- staff have received emails about tax refunds.
In both cases, members of the University were taken in by the messages, and provided details including bank account numbers and online banking passwords.
Giving this information can result in you losing control of your bank account.
Identity theft happens when someone has enough information about your identity (such as your name, date of birth, current or previous addresses) to commit identity fraud.
Identity fraud can have a direct impact on your personal finances and could also make it difficult for you to obtain loans, credit cards or a mortgage until the matter is resolved.
Fraudsters can use your identity details to:
- Open bank accounts.
- Obtain credit cards and loans
- Order goods in your name
- Take over your existing accounts
- Take out mobile phone contracts
- Obtain documents such as passports and driving licences in your name
What should I do if I receive a suspicious email?
Do not respond to a request to send your password via email. The message should simply be deleted.
You should always check the validity of a site before entering your details.
Do I need to contact the HYMS IT Help Desk?
If you are unsure whether a page asking for your HYMS/University username and password is genuine, please contact the HYMS IT Help Desk for advice.
There are always exceptions, for example the ComplyWise service used for online Health and Safety training – it’s ok to check if you’re not sure.
If a phishing message that you’ve received looks particularly convincing, please forward it to firstname.lastname@example.org, as we may be able to trace other University members who have unknowingly been caught out by it.
What is being done to stop the messages?
Microsoft’s Office 365 spam service stops most spam, phishing and other scam email from reaching your inbox.
However, because spammers constantly change the messages they are sending, and the email addresses that they send from, the first few messages sent in any run will often get through.
If Microsoft become aware that an account may have been compromised, they will suspend it and alert HYMS IT Services.