Email scams
It's important to be aware of email scams to ensure your identity and UQ's data and systems remain safe.
Criminals impersonate trusted organisations to steal money and information. UQ will never contact you to demand payment or personal information. If you think you may have been scammed, contact IT support.
The security of your email account is your responsibility. Make sure you're able to recognise, prevent and report suspicious emails to help keep your account safe.
Recognising email scams
Look out for these warning signs to help identify an email scam:
- the email is unexpected or not personalised
- you're told you need to do something urgently
- the email is worded strangely with poor spelling and grammar
- when hovering over links in the email, you notice unusual URLs (see use secure websites for more information)
- the email has been sent from an unusual address or includes unusual 'Reply-To' addresses
- you're asked to enter personal information, open an attachment or link, or download a file
- you're repeatedly sent email requests to authorise access to an account which has multi-factor authentication (MFA) set up.
Preventing email scams
At UQ, we use robust security systems to detect and block suspicious emails. However, some unwanted emails still make it past our filters.
To prevent email scams from being sent to your UQ email account:
- don’t share your email address online unless you need to
- don’t provide your UQ email for personal activities, such as online shopping
- make sure you use your UQ email – rather than your personal email – for UQ work or study-related activities
- delete spam messages without opening them
- don’t respond to or unsubscribe from suspicious emails – scammers may use this to verify your email address
- follow the instructions to block suspicious email addresses in Outlook or Office 365.
Reporting email scams
If you receive a suspicious email in your UQ email account, don’t open any links or attachments or enter any personal or account information. Follow the instructions below to report the email through your version of Outlook.
If you have already opened an attachment, clicked on a link, downloaded a file or entered personal or account information, you should report it to the UQ Cyber Security Operations Centre immediately.
If you receive a suspicious message to your personal email address or phone number, do not open any links or attachments and report the details through Scamwatch's Report a Scam. This will allow the Australian Competition and Consumer Commission to stay aware of emerging online scams and concerns.
Outlook 365, 2019 and 2016
For staff
- Select the email.
- Select the 'Phish Alert Report' button on the top right of the screen.
- Complete the fields shown (optional).
- Click 'Phish Alert'.
For students
- Select the email.
- Click the down arrow next to the 'Report' button.
- Click 'Report phishing' or 'Report junk'.
- Click 'OK'.
The email will be deleted automatically from your inbox and reported to the UQ Cyber Security Operations Centre.
If you can't see a button:
- Select the email.
- From the top 'Home' menu in the 'Respond' section, click 'More', then select 'Forward as Attachment'. Make sure you select 'Forward as Attachment' instead of 'Forward'
- In the 'To' field, enter suspicious-emails@uq.edu.au
- In the 'Subject' field, enter Suspected phishing email
- Select 'Send'
- Delete the original email.
Outlook for Mac
For staff
- Select the email.
- Click the elipsis (3 dots) on the top right of the window.
- Select 'Phish Alert'.
- Complete the fields shown (optional).
- Click 'Phish Alert'.
For students
- Select the email.
- Click the down arrow next to the 'Report' button.
- Click 'Report phishing' or 'Report junk'.
- Click 'OK'.
The email will be deleted automatically from your inbox and reported to the UQ Cyber Security Operations Centre.
If you can't see a button:
- Select the email.
- Select the 'Message' toolbar menu on the top of the screen
- Select 'Forward as Attachment'. Make sure you select 'Forward as Attachment' instead of 'Forward'
- In the 'To' field, enter suspicious-emails@uq.edu.au
- In the 'Subject' field, enter Suspected phishing email
- Select 'Send'
- Delete the original email.
Outlook Web App
For staff
- Select the email
- Click the 'Phish Alert' button within the email
If you can't see the 'Phish Alert' button, click the 'Apps' button, then select 'Phish Alert'.
- Complete the fields shown (optional)
- Click 'Phish Alert'.
For students
- Select the email.
- Click the down arrow next to the 'Report' button.
- Select 'Report phishing' or 'Report junk'.
The email will be deleted automatically from your inbox and reported to the UQ Cyber Security Operations Centre.
If you can't see a button:
- Select 'New' from the top menu
- Hover over the phishing email in your inbox and drag it into the new email
- In the 'To' field, enter suspicious-emails@uq.edu.au
- In the 'Subject' field, enter Suspected phishing email
- Select 'Send'
- Delete the original email.
The above buttons are only supported in Outlook. If you use a different email client, you will need to continue to manually forward the email as an attachment to the UQ Cyber Security Operations Centre.
If you receive a suspicious email that is unrelated to UQ, submit the details through Report a scam.
Types of scams
Most email scams try to lure you into:
- clicking a link
- opening an attachment
- downloading a file
- entering account information.
If you do any of these things, the scammer can steal sensitive or confidential information, and your computer and UQ's systems can be compromised.
There are two main threats in email scams:
- phishing
- malware
Phishing
Phishing is a form of fraud used by scammers to steal your personal, work or UQ information.
Phishing emails are designed to look like legitimate emails from reputable organisations and people you trust. They may appear to be from another university, your bank, a government department, someone you know or even UQ. Scammers often copy the design, branding and logo of the organisation they claim to be from.
Phishing emails try to get you to click a link, open an attachment, download a file or enter your account information, so they can steal your data or infect your computer with malware.
Spear Phishing
If you’re a UQ staff member, keep an eye out for spear phishing emails. Spear phishing is a specific form of phishing scam that takes a more targeted approach, preying on an organisation’s employees using information specific to the recipient such as their name or role description.
A scammer may pose as a high-level executive and send emails to employees with an attachment or malicious link that they are advised to open. If the employee completes the action the scammer may then be able to steal data or have access to a network undetected.
Malware
Malware is used by scammers to infect your computer with malicious software.
There are many different types of malware, but they are all designed to damage or seize control of your computer. The goal is to steal your data or UQ's data.
If you open an attachment or link, or download a file from a fake email or website, you might infect your computer with malware.
Ransomware
Ransomware is a type of malware that locks access to your files. A scammer then demands money to restore your files.
If you pay the scammer, there's no guarantee your files will be restored.
Take the quiz to see if you can spot a phishing scam
Test your knowledge and see if you know how to spot a phishing scam by taking this quiz.