Phishing Guidance

Purpose of this Article

To ensure that IT systems continue to enable University business by increasing staff and student awareness about phishing attacks, thereby reducing the risk of adverse impact.


UWE receives millions of emails every month, and approximately 75% of these are automatically filtered out as spam by IT Services to reduce the threat of phishing and malware.  As threats constantly change, staff and students must be vigilant to phishing attacks and take steps to protect personal information.

A phishing attack

  • Is a malicious email designed to extort personal information, such as your username,  password or bank details
  • May appear to come from genuine sources e.g. IT Services, Finance, a colleague or external organisation
  • Often include attachments which appear to be normal files (e.g. Word, Excel or PDF files) but hold malware.

Impacts of a successful phishing attack

Your login details are used to access your email account and generate more spam.  Worse than this, your login details are used to attack University systems. 
The malware attachment you open infects your computer with malware, compromising the security of UWE systems and potentially causing widespread damage. 


  • Promptly contact IT Services if you have responded to this sort of e-mail or think someone has obtained your login details
  • Remember that other staff member’s accounts can be compromised
  • Forward any malicious messages to to help ITS investigate new threats, and then delete the email from your inbox
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them
  • Be on the lookout for warning signs that an email may not be legitimate, such as poor grammar or spelling

Do not

  • Act upon any email appearing to be from ITS that asks you to confirm your password
  • Trust emails from unrecognized senders
  • Trust any links or attachments in emails unless you already know what they contain
  • Be pressured into acting upon emails that demand an immediate response or threaten loss of accounts or services
  • Reply to dubious email messages or interact with their content
  • Comply with any email that asks you to confirm any personal or account details


IT Services will never send you an e-mail asking you to confirm your user name and password. You should therefore never respond to any e-mail which asks for your account details. If in doubt about an e-mail, forward it to and then delete it from your inbox.

ITS will always attempt to automatically detect and take action to mitigate the damage caused by compromised email accounts. However, the only guaranteed way for users to prevent these compromises is to ensure they always remain vigilant against these types of attacks, and take steps to protect their personal information. If you have responded to this sort of e-mail or think someone has obtained your login details, please contact the IT Support Centre.

Please visit the ‘Phish Tank’ for examples of phishing attacks and advice on how to recognise them.

Back to top