Home / Threat Intelligence bulletins / Targeted Phishing Attacks on Universities

How to Identify Phishing emails in Higher Education

A new academic year brings a new set of students to target with phishing emails. We’ve all heard plenty of warnings about fraudulent emails so let’s take a bit of a closer look at the clues we can use to catch the bad guys in the act.

The Subject

Is the email trying to hurry you or threatening consequences if you don’t respond quickly? If it says it’s urgent, maybe a scammer is trying to panic you so that you won’t take the time to spot how suspicious it is. Some common examples would be an email telling you about an upcoming Zoom meeting, a payment you weren’t expecting, or a product you haven’t ordered. Other emails might pretend to be from your mail system, telling you your inbox will be deleted or you’ve missed a voicemail. The goal is to get you to click without stopping to think about it.

The Sender

This can be a dead giveaway. If the email says it’s from Microsoft but the address is clearly from some made up domain, then you can tell it’s a phish straight away.

Sometimes, to make it look more realistic, it may come from a real email address. This could be another student or staff at your university. When a password gets stolen or an account gets taken over, they can log in to it and use it to send phishing emails to contacts from the address book. Don’t trust a weird email just because it’s from someone you know.

Language Used

Often a phishing email will have spelling mistakes or poor grammar. This might be because the writer didn’t speak English as their first language, but spelling variations are sometimes intentionally used to bypass anti-phishing software that looks for phishy-sounding phrases.

Weird Symbols

Another giveaway is unusual looking letters or other strange writing. If they just asked for your password that might get picked up easily by a phishing detection algorithm. To get around this they can use different characters that look the same. For example, they might say they’re work for Äpple or ask you to enter your “passw0rd”.

This can be very hard to spot depending on the font. For example, the Greek character ‘Α’, or the Cyrillic ‘А’ are almost identical to the ‘A’ at the start of the Latin alphabet.

Malicious Links

Some email clients let you hover your mouse over a link to see where it will take you. It’s quite suspicious if the link preview doesn’t match the text of the email. When a link takes you to a login page it may look different from the regular university login page.

Unexpected Attachments

Have you received a file you weren’t expecting? Strange file types are suspicious, but even something innocent looking like an Excel spreadsheet can be used to deliver malicious code that can cause harm to your computer. One of the most common phishing types is a PDF that tells you to log in to a malicious site before you can see the contents. Don’t be fooled.

Reporting Phishing & Further Information

If you believe someone has attempted to use a phishing scam against you, report it. The perfect place to do this is at the National Cyber Security Centre (NCSC) website.

Customers of our Phishing Protection service can report any suspicious emails via Quorum Cyber’s Big Red Button service, this will allow us to provide expert analysis of the message and content.

Higher Education establishments have an IT Help Desk / Service Desk function for reporting spam or phishing emails. Please refer to your University or College’s own security guidance on processes for reporting suspicious emails.

From our Tech Blog you can check out our previous blog series on Email Security Hardening by setting up SPF, DMARC, DKIM and creating MailFlow rules. Criminals can impersonate an actual domain name, for more information on this specific type of impersonation read our Domain Based Message Authentication, Reporting and Conformance (DMARC).