Phishing describes the use of email and fraudulent web sites to perform a confidence scam so as to steal usernames and passwords, credit card or alternate financial details, and other valuable information. While most "phishes" come as email, phishing scams can also come in the form of text messages and phone calls.

Such an email message may look harmless. Posing as your financial institution or even the University of Queensland, it alerts you to a problem with your account and urges you to respond immediately by clicking a web link or replying and "verifying" or "updating" your account information. The email and the web site may appear official, with all the familiar logos and corporate phrases. But they're bait, presented to fool you into divulging your confidential information.

Criminals are continuously and extensively using the Internet to commit identity theft, including stealing and abusing a wide variety of personal details. UQ mail systems identify extensive phishing attacks directed at our staff and students daily, with the overwhelming majority being discarded. While some attacks can be readily identified as scams, the attacks are becoming much more sophisticated and some can fool even knowledgeable and experienced people.

Spam filters provide some defense against phishers by intercepting their messages, but the target is elusive. The best defense is vigilance by the individual user. Because things aren't always what they seem to be, you should be skeptical about any unsolicited emails.


Q&A

What is personal identity information?

Any piece of information which can potentially be used to uniquely identify, contact or locate a single person or can be used with other sources to uniquely identify a single individual is considered personal identity information. This includes, but is not limited to, Tax File Number, driver’s license and financial account numbers. It can also include user names and passwords, PIN numbers, street and email addresses, telephone numbers or biometric data (e.g., fingerprints, DNA).

Is it okay to give out personal identity information to the University via email?

No. Because it can be very difficult to identify counterfeit emails, it is important to remember that the University of Queensland won’t ask you to disclose personal identity information via email. Scammers will sometimes pose as "the University email service" or "the campus tech support service." Don’t be fooled! If you are asked to disclose your UQ Sign-In and password, Tax File Number, account information, or other identity information, don’t do it.

When in doubt, contact your local IT officer or the UQ ITS HelpDesk on 336 56000 to ask for advice, or visit the HelpDesk site for more contact details.

What happens if I do respond to a phishing scam?

If the University identifies any response by you to a known phishing address, you will have your credentials (i.e., UQ Sign-In and password) disabled and will not be able to access network resources until you have re-established your University identity credentials. If this occurs you will need to contact the UQ ITS HelpDesk.

Is someone other than me having access to my UQ Sign-In and password really that unsafe?

Yes. Someone with your UQ Sign-In and password now has access to your personal information, including your payroll statements, home address, grades, and more. With a UQ Sign-In, someone can damage or destroy your data, steal and abuse your identity, change your course schedule, alter your research, and gain access to other UQ applications.

Stolen UQ accounts are often used to send vast quantities of spam messages to others, as well as to delete the user's genuine email. Many thousands of bounced message responses and complaints will then swamp your inbox in the aftermath.

Are there any instances in which UQ will ask me for personal identity information by email?

You will never be asked to reveal your UQ Sign-In or password, or other restricted data through email. You may be asked to change or strengthen a password, but you will never be asked to disclose it outright.

How to Recognise Scams

Scam tactics are increasingly sophisticated and change rapidly. Even if a request looks genuine, be skeptical and look for these warning flags:

  • The message is unsolicited and asks you to update, confirm or reveal personal identity information (e.g., Sign-In password, account numbers, financial details, protected health information).
  • The message creates a sense of urgency.
  • The message has an unusual From address or an unusual Reply-To address instead of a "@uq.edu.au" address.
  • The (malicious) web site URL doesn’t match the name of the institution that it allegedly represents.
  • The web site address doesn’t have an "s" after "http" (it starts with "http://" rather than "https://"), indicating it is not a secure site.
  • The link in the pop-up doesn’t match the printed text.
  • The message is not personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
  • There are grammatical errors.
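
The header and link flags above can be checked mechanically. The following is an added example, not part of the original page or any UQ tooling: it tests a message for a From or Reply-To domain outside uq.edu.au, links that are not https, and visible link text that names a different host than the link target. The names `warning_flags`, `Links`, `TRUSTED` and the sample message are assumptions made for illustration, and a single-part HTML body is assumed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "uq.edu.au"  # domain named in the page's warning flags

class Links(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def warning_flags(raw):
    msg = message_from_string(raw)
    flags = []
    for header in ("From", "Reply-To"):
        host = parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()
        if host and host != TRUSTED and not host.endswith("." + TRUSTED):
            flags.append(f"{header} domain {host} is not {TRUSTED}")
    parser = Links()
    parser.feed(msg.get_payload())  # single-part HTML body assumed
    for href, text in parser.found:
        target = urlparse(href)
        if target.scheme != "https":
            flags.append(f"link is not https: {href}")
        if "." in text and " " not in text:  # visible text looks like an address
            shown = urlparse(text if "//" in text else "//" + text).hostname
            if shown != target.hostname:
                flags.append(f"text shows {shown}, link goes to {target.hostname}")
    return flags

# Constructed sample message, not a real phish.
SAMPLE = """From: UQ Email Service <support@uq.edu.au>
Reply-To: helpdesk@mail-verify.example
Content-Type: text/html

<p>Verify your account immediately:
<a href="http://login.example.net/uq">https://www.uq.edu.au/signin</a></p>
"""
```

An empty result only means none of these three flags fired. The From header can be forged, so a clean result is not proof that a message is genuine.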

Do's and Don'ts

  • Do be wary of unsolicited messages. Even though you may recognise the name of the sender, scam artists sometimes use these tactics to get personal information from you. Never give out your UQ Sign-In, password, credit card, date of birth or tax file number in response to an unsolicited request.
  • Do validate that you are connected to a certified, encrypted web site. If an organisation wants to have a secure web site that uses encryption, it needs to obtain a site certificate. Look for a closed padlock in the status bar at the bottom of your browser window or in the address bar near the top. Also check for "https:" rather than "http:" in the URL.
  • Do use common sense. If it seems too good to be true it's probably a scam. If you have any doubts, don’t respond. Ask your local IT officer, or contact the UQ ITS HelpDesk on 336 56000 for advice.
  • Don't click the link. Instead, phone the company or do an Internet search for the company’s true web address.
  • Don’t use forms that are embedded in the body of an email (even if the form appears legitimate). Only provide information over the phone or on certified, encrypted Web sites (see above for help to identify these sites).
  • Don't open email or attachments from unknown sources. Many viruses arrive as executable files that are harmless until you start running them. .jpg file attachments have recently become a new format for spreading viruses.
  • Do keep your Internet browser and operating system up-to-date on your home computer with the latest security patches and updates.

Reporting a Phishing Scam

If you receive any email requesting your UQ Sign-In and password please follow these instructions and send the message to itsc@its.uq.edu.au. Do not respond to the Phishing Scam email or your account will be disabled.

If you wish to report a Phishing scam email that is not directly related to the University of Queensland please submit the details to the SCAMwatch Report a scam service.

More Information

To find out more about Phishing or Email Scams please refer to:

  • Stay Smart Online - Phishing (hoax) emails - designed to provide all Australian online users with practical tips and advice on e-security.
  • SCAMwatch - a site to help you recognise, report and protect yourself from scams.

Major portions of this page are thanks to the University of Wisconsin-Madison. Used with permission.

 
