The University of Waikato - Te Whare Wānanga o Waikato
ICT Self Help
Home Waikato Home  >  ICT Self Help  >  Information Security Awareness  >  How to spot a phishing email Staff + Students Login |  - Logout

How to spot a phishing email:

Cyber-criminals are becoming increasingly sophisticated in their attempts to gain people's information, therefore spotting a phishing email can be problematic. points out some of the things to look out for in identifying phishing emails:

  • Spelling mistakes or bad grammar
  • Alarming threats, such as having your account closed
  • Dodgy looking graphics or logos
  • Incorrect or slightly different web site addresses (eg.
  • The date it was sent is recorded as outside of work hours (we don't work after hours)

ITS Service Desk tips and tricks for spotting a phishing/spam email:

  • Check the sender of the email. Are you expecting an email from this person?
  • Does the email address match the person sending the email?
    • In Outlook check the sender email by double clicking their name at the top of the window
    • In Gmail you can see the email next to their name. Check this matches with their known email.
    • If email does match the correct address, contact the sender to confirm if you are not sure.
  • Check the link before clicking it within the email
    • In Outlook hover your mouse over the link. A small pop-up window will appear after a couple of seconds. Does this link match what is being sent?
    • In Gmail you can check the link by right clicking the link in the email and selecting Copy Link Address. DO NOT click the link with the left mouse button.
      Once it has been copied, open an application such as Notepad and paste the link. This will show you the true location of the link. If it doesn't match what is shown/advertised in the email, report it to ITS.

In general be wary of any email that contains a web link, especially if it has come from an unknown source, or if something in the email does not seem quite right.

What to do if I receive one:

Don't panic. If you have received a suspicious email, contact the ITS Help Desk on extn 4008 or email Don't delete the email straight away, as the help desk may need to identify the source or nature of the email to identify if it is legitimate.

DO NOT click on any links. This is usually how the scammers will try to obtain your personal information. If you do click a link, close the browser immediately and let the Help Desk know.

DO NOT reply to the email. Replies may go direct to the scammers and may result in your own account being targeted and compromised. Also, the more positive results/responses the scammers get, the more they will focus their attacks on an organisation.

DO NOT forward the email to anyone else. Forwarding the email may spread the potential it has to do damage. Describe the email to the Help Desk operator and they will help to identify if the email is in fact a scam. They may ask you to forward it to them for investigation, after which you will probably be asked to delete it.

Alternatively, if the email has come from a UoW staff member and you are suspicious that their account may have been hacked (as occurred in September 2013 with the Google Drive emails, see below) you can contact that person directly. DO NOT email the person. If the hacker has control over their account they will receive all legitimate emails. Ring or talk in person to establish if the communication was from them.

More often than not, the University mail system 'Google Apps for Education' will detect spam or phishing emails and these will be quarantined before reaching your inbox. You will receive and email each day listing all emails in your quarantine folder. Check this list carefully for any legitimate emails that may have accidentally ended up here, but be careful before you deliver an email that looks suspicious. 

Previous UoW phishing attacks:

March 2014:

Symantec reported a convincing phishing spam campaign currently targeting Google Docs and Google Drive users. It all starts with an email labeled 'Documents' that tells potential victims that an important document is waiting to be viewed on Google Docs and can be viewed by following the offered link. The link directs the users to a legitimate-looking but spoofed Google login page.
"The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages," wrote Nick Johnston of Symantec in a blog post
Due to its convincing nature, people may enter their credentials without a second thought and these credentials will send to a compromised web server. The fake login page subsequently redirects to Google Docs documents.

Google accounts are high targets for phishers as they can be used to access a number of services including Gmail and Google Play, which can be used to buy Android applications and content.

September 2013:

Several UoW staff accounts were compromised and an email with the following subject line was sent to their contacts: "You have 1 new unread message on Google Drive!"

If you receive emails of the above nature, delete it immediately and contact the ITS Help Desk on extn 4008 or email

<< Email Phishing | NCSC Security Advisory on Spearphishing >>


How To Guides

Your step by step guide to various ICT services.

Help & FAQ's

View FAQs on our available topics.

Policy & Standards

View documented policies & procedures.

ICT Glossary

Site Map