

May 16, 2019

“Are you on campus?” Beware of spear phishing emails asking you to buy something

Filed under: Email, Security — Dan Jolly @ 5:19 pm

We are currently receiving emails from external email accounts, such as Gmail, pretending to come from a Head of Department.

The emails typically are very short and the subject line will be something like “are you on campus?”.

If you reply, the sender will explain that they are your Head of Department, that they are in a meeting and can’t be contacted by phone, but urgently need you to buy some Amazon or iTunes vouchers for them for a nephew’s birthday or a student prize.

Although these are quite targeted – which is why they are called “spear phishing” – they have many of the warning signs that ordinary phishing emails have:

  • It’s an unusual request and it comes out of the blue
  • it tries to instill a sense of urgency
  • the emails often contain poor grammar and spelling mistakes – even misspelling the name of the person they are supposed to be from!

So unless you really do know your HoD well enough to be in the habit of shopping for presents for their family for them, then please delete these emails and make sure that your colleagues know to delete them too.

Sadly, if you do fall for the trick then it’s very difficult indeed to recover the money spent.

For more information on suspicious mail, see Spam and phishing emails.

The University of Essex will moderate comments and there will be a delay before any posts appear.

November 30, 2018

[Service Alert] New phishing email “help me get an iTunes card”

Filed under: Email, Security, [Resolved], [Service Alert] — Dan Jolly @ 4:54 pm

A new, targeted phishing scam is doing the rounds. This particular email asks for help to get an iTunes card. This is a scam. If you receive it, don’t action it, just delete it.

As always, if something doesn’t look quite right, it probably is a scam, so remain vigilant. You can report suspicious emails to



October 17, 2018

A series of phishing emails targeting Essex accounts

Filed under: Computers, Email, Information security, Security, [Service Alert] — Trevor Smith @ 12:43 pm

A new round of phishing attacks has hit many of our mailboxes over the last 24 hours. The goal of these messages is to dupe our staff and students into providing their login credentials.

We would like to remind all staff and students once again to be aware of the dangers of clicking links within email messages when you are unsure of their source. In particular, messages which ask you to log in and provide your username and password (or indeed any other personal information) should be treated with caution. More information on how to identify and report such messages can be found at the URL below:


January 19, 2018

Phishing simulation – what we did, why we did it, and the outcome

Filed under: Security — Sara Stock @ 2:28 pm

We’re all at risk from phishing scams, but there are things we can do to reduce the risk.

What we did

In December we used a respected cyber security company called Khipu Networks to create a simulated phishing campaign. Every member of staff, including student staff, received an email over the course of a day. The email pretended to be from the IT Helpdesk. Although we ensured that the phish looked realistic in terms of the fonts, logos, signature and language used, there were some subtle clues to it being a phish. The email address it came from had a hyphen where a dot should be, and the web address, if you moused over the link, was not one of ours (although it looked very much like it).

Anyone clicking on the link was taken to a web form and invited to enter their credentials. At this stage the biggest hint that this was a phish is that IT Helpdesk would never ask staff to share usernames and passwords in this way, and nor should any other bona fide organisation. Anyone submitting the form (whether or not they put in any credentials or their real credentials) then received a further email explaining that they had been phished and asking them to watch a short online video, with tips on how to avoid being phished, and take a quiz.
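The warning signs described on this page (an external account whose display name claims an internal role, a sender address with a hyphen where a dot should be, and a link host that only resembles the real one) can be checked mechanically. The following is an added example, not code from the University or from Khipu Networks; the domain `example.ac.uk`, the helpdesk address, the role names and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed values for this example: placeholder domain, address and role names.
TRUSTED_DOMAIN = "example.ac.uk"
KNOWN_SENDERS = {"it.helpdesk@example.ac.uk"}
ROLE_NAMES = ("head of department", "it helpdesk")

def squash(s):
    """Map '-' to '.' so an address with a swapped separator collides."""
    return s.lower().replace("-", ".")

def is_ours(host):
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def lookalike(host):
    """True for a host that is not ours but is nearly identical to our domain."""
    tail = ".".join(squash(host).split(".")[-3:])
    return not is_ours(host) and SequenceMatcher(None, tail, TRUSTED_DOMAIN).ratio() >= 0.85

def check_message(raw):
    """Return a list of warning-sign labels for one raw, single-part message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, findings = addr.lower(), []
    if addr not in KNOWN_SENDERS and squash(addr) in {squash(k) for k in KNOWN_SENDERS}:
        findings.append("sender-separator-swap")
    if addr and not is_ours(addr.rpartition("@")[2]):
        if any(role in name.lower() for role in ROLE_NAMES):
            findings.append("external-sender-claims-role")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body if isinstance(body, str) else ""):
        host = urlsplit(url).hostname or ""
        if lookalike(host):
            findings.append("lookalike-link:" + host)
    return findings

# Constructed sample modelled on the simulated phish described above.
SIMULATED = (
    'From: "IT Helpdesk" <it-helpdesk@example.ac.uk>\n'
    "Subject: Password expiry\n\n"
    "Please confirm your account at https://www.examp1e.ac.uk/login today.\n"
)

if __name__ == "__main__":
    print(check_message(SIMULATED))
```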

Why we did it

Phishing is the main way that malware, including ransomware, gets into an organisation. We’ve had recent phishing attacks that have led to ransomware and to individual staff members having their email accounts compromised and people using those accounts to attempt to divert salary payments (in both cases processes have been changed to prevent future damage). Our main line of defence is the awareness of our users. We’ve run two awareness campaigns about the dangers of phishing this year and wanted to see how well they had worked and to assess whether we need more campaigns, more training or a combination of both.

What we didn’t do

We didn’t alert staff beforehand that this was happening in order to maximise the reach. That included IT Services staff, which is why the responses you received if you called were muddled in some instances. We bypassed our normal phishing procedure: we didn’t block emails, we didn’t allow mailscanner to flag mail (although it did in some instances), and we didn’t put out any service alerts.

What happened

We had unfortunate timing in that a real phishing and spam attack that came through a compromised Essex email account happened on the same day. This meant that there were some actual phishing emails in the system on the day, and, more importantly, that the follow-up email (received when anyone entered their Essex details into the fake website) came up to several hours after they hit submit, instead of within a few seconds.

The Helpdesk received a very high number of calls and emails. Various individuals used informal routes to alert colleagues, including email and email lists (Small-Ads). This was all useful as it means that there is a bit of a safety net in place that supports those who might not spot a phish for themselves.

What we learned

Although the number of people who were fooled by the phish was reasonably low – and certainly lower than the 32% reported elsewhere when other institutions have carried out this exercise – it was still substantially higher than the 1% we aspire to. It only takes one successful phish to cause serious problems. Although many people are aware of the fake phish, awareness of our most recent phishing campaign is still low.

We’ve also seen that the IT Helpdesk doesn’t have the resources necessary to cope with such an influx of queries, and we’re looking into ways to ensure better support in future.

Looking at the number of calls to the Helpdesk against the numbers when a phishing attack is dealt with in the usual way (blocking emails, mail scanner, service alerts) we’ve been able to demonstrate that our usual countermeasures dramatically reduce the amount of phishing mails coming in and the numbers of people falling prey to phishing attacks.

What’s next

We’re looking at ways to provide better levels of support to the IT Helpdesk.

We will send simulated phishing emails to students over a period of three or four days, yet to be confirmed, in the new year.

We may run a further simulated phishing test for staff at some stage without warning.

What you can do

We will continue to be hit with real phishing attacks, so do please:

  • continue to be alert
  • make yourself aware of how to spot phish
  • report any phish you spot to
  • print out a phishing tips poster if there isn’t already one on a notice board near you.
  • remember: never respond to emails that ask for your username and password. The University will never email you to ask for your password.

January 4, 2018

‘Serious’ computer chip flaw

Filed under: News, Security — Dan Jolly @ 3:10 pm

Update 19/01/2018

Work to patch all University-owned computers, servers and infrastructure is proceeding well. Over half of the University’s digital estate has now been patched.

We haven’t observed any problems with the patches so far; however, if you do experience any problems with your computer or device that you think may be related to recent software updates, contact the IT Helpdesk.

Patching work continues.


Update 09/01/2018

Work to patch and test core University systems is ongoing.

Our advice for users with personal devices and computers is to check for updates and install them.


Original alert 04/01/2018

As you may or may not have heard in the news recently, researchers have discovered two major bugs in computer chips that could allow hackers to steal sensitive data.

One flaw, dubbed ‘Spectre’, was found in chips made by Intel, AMD and ARM. The other, known as ‘Meltdown’, affects Intel-made chips alone.

Learn more about this story:

IT Services staff are taking this issue seriously.

We have assembled a small team to assess any potential impact, and work is already underway to test the various patches that have been made available by software vendors.

We are monitoring the situation closely and will publish an update as soon as we know more.


