
Suspicious emails



‘Phishing’ is when attackers send scam emails which often contain malicious attachments, links to malicious websites, or ‘social engineering’ content to persuade the recipient to disclose sensitive or personal information. Although the motivations of the attackers can vary, they are generally aiming to obtain login credentials, financial details, or infect systems with malware.  

Sometimes this will only affect individual systems; however, it is increasingly common for attackers to target organisations, where they can affect multiple systems and deploy ‘ransomware’, which could potentially affect many university systems and render them unusable.

How to Spot a Phishing E-mail

A typical phishing e-mail will have several tell-tale signs that you should be aware of, including:  

  • Sender address in the 'From' field is misspelt or does not match the sender name. Attackers often impersonate co-workers: the sender name may say ‘Martin Jones’, but the sender address may be ‘martin.jones123@gmail.com’ rather than an official '@staffs.ac.uk' address

  • Unspecified recipients in the 'To' field 

  • Vague subject line, and content which creates a sense of urgency, or demands that an action is taken quickly. They often make statements that are time limited, e.g. ‘Your account has expired, click here to renew it immediately’, or ‘You only have 24 hours left to claim this offer’ etc. 

  • Generic or non-personalised greeting (Dear Outlook User, Hello Amazon Customer, Greetings Account Owner, etc.) 

  • E-mail asks you to disclose personal or sensitive information (username, password, address, date of birth, bank account/PayPal details, etc.) 

  • Current events. If there are major events occurring (e.g. during COVID, or near to Black Friday), messages often use this theme to appear more legitimate

  • Embedded links which, when hovered over, point to a suspicious site. Sometimes the links point to domains that look similar at first glance, but are not the legitimate domain – for example, micros0ft.com (with a zero) instead of microsoft.com 

  • Attachments with generic file names (Invoice_006.doc, RestoreAccount.html, Order_0924.zip)

  • Generic signature or no contact information (System Administrator, Account Manager, PayPal Team, Apple Support, etc.) 

  • Additions like 'Message ID', 'Email ID' or 'Copyright ©' to make the e-mail seem official 

  • Use of official branding (e.g. the Microsoft logo/colour scheme) but with unprofessional layout (inconsistent fonts, low quality images etc.) 

  • Suspicious QR codes (known as ‘Quishing’). QR codes are a quick way to share links; attackers will send e-mails including QR codes which (when scanned with a mobile device) will direct to malicious websites. If you are in any doubt regarding the legitimacy of a QR code, do not scan it

  • Compromised e-mail chains. If someone you have previously contacted has since had their e-mail account compromised, you may then receive unexpected e-mails from them out of the blue. Please consider if the e-mail is unexpected or references an old conversation, or if the tone of the e-mail seems unfamiliar. If in doubt, contact the sender using an alternative contact method to verify the legitimacy of the e-mail

Poor spelling, grammar and punctuation can also be a sign of malicious e-mails; however, attackers are now known to use AI applications (such as ChatGPT) to create convincing phishing e-mails. Whilst phishing e-mails with poor spelling do still exist, this can no longer be relied upon as a common indicator.
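For staff who triage reported messages, several of the signs listed above can be checked mechanically. The following is an added example, not part of the original guidance or any university tooling: it flags an external sender address, unspecified recipients, urgent wording, a generic greeting and look-alike link domains in a constructed sample message. The domain list, phrase patterns, homoglyph table and function names are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "staffs.ac.uk"  # official domain named on the page
KNOWN_DOMAINS = {"staffs.ac.uk", "microsoft.com"}  # assumption: domains worth guarding
URGENCY = re.compile(r"immediately|expire[sd]?\b|24 hours|urgent", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear|hello|greetings)\s+[\w ]*(user|customer|owner)", re.I | re.M)
HOMOGLYPHS = str.maketrans("013", "ole")  # digit-for-letter swaps (assumed set)

def registered_domain(host):
    # Simplification: last two labels, three under ac/co/gov second-level names.
    parts = host.lower().rstrip(".").split(".")
    n = 3 if len(parts) >= 3 and parts[-2] in {"ac", "co", "gov"} else 2
    return ".".join(parts[-n:])

def lookalike_of(host):
    """Return the known domain that host imitates, or None."""
    dom = registered_domain(host)
    normalised = dom.translate(HOMOGLYPHS)
    return normalised if dom not in KNOWN_DOMAINS and normalised in KNOWN_DOMAINS else None

def phishing_indicators(raw):
    """Assumes a single-part text message; results are indicators, not a verdict."""
    msg = message_from_string(raw)
    body, found = msg.get_payload(), []
    name, addr = parseaddr(msg.get("From", ""))
    if registered_domain(addr.rpartition("@")[2]) != ORG_DOMAIN:
        found.append(f"sender '{name}' uses non-official address {addr}")
    if "undisclosed" in msg.get("To", "undisclosed").lower():
        found.append("unspecified recipients")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        found.append("urgent or time-limited wording")
    if GENERIC_GREETING.search(body):
        found.append("generic greeting")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        target = lookalike_of(urlparse(url).hostname or "")
        if target:
            found.append(f"link host imitates {target}: {url}")
    return found

# Constructed sample built from the page's own examples.
SAMPLE = (
    "From: Martin Jones <martin.jones123@gmail.com>\nTo: undisclosed-recipients:;\n"
    "Subject: Action required\n\nDear Outlook User,\n"
    "Your account has expired, click here to renew it immediately:\n"
    "http://login.micros0ft.com/renew\n")
if __name__ == "__main__":
    print(*phishing_indicators(SAMPLE), sep="\n")
```

A message that trips none of these checks can still be malicious, so the output supports a manual review rather than replacing it.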

Examples of Phishing E-mails

Below are some examples of typical phishing e-mails that we have received within the university:



Special attention should be paid to the sender’s e-mail address as this may not correlate to the sender name. This is a common tactic where the sender name will attempt to spoof a legitimate service (e.g. the university's IT team in the above example). They have also included a sense of urgency (‘set to expire today’).


DocuSign is a company that provides electronic signature technology and allows users to send, sign, and manage documents electronically. The above example shows an e-mail with DocuSign branding which has not been sent from a DocuSign e-mail address, and includes a malicious link.

The above e-mail is an attempt to impersonate HMRC by prompting a fake password reset in the hope that the recipient will click on a malicious link. There are multiple indicators within this e-mail, along with the fact that the e-mail has not come from a legitimate government address (e.g. @gov.uk). Hovering over a hyperlink will show you the full link - in this case, the link is to a WordPress site which, again, does not have a legitimate government address.

The above image shows an example of QR code phishing (with the malicious QR code replaced with a benign sample). Alongside common indicators such as the sender address not relating to the sender name, and brand impersonation, attackers use QR codes in order to make destination links harder to analyse at first glance. This is an issue because, when scanned with a mobile device, some older phones (or third-party apps) will automatically open the malicious website without further checks. Most modern phones/apps will include a preview of the destination link and will not automatically load the page, but the preview is often shortened and difficult to view in full.

Always ask yourself the following questions:

  • Is the sender of the e-mail someone you know?
  • Do any links in the e-mail look legitimate? Hover over the links to check the real URL 
  • Were you expecting the e-mail and any attachments? 
  • Is the e-mail asking you to disclose any sensitive personal information?
  • Could you verify the legitimacy of the e-mail by contacting the sender using an alternative contact method?

Report a Phishing E-mail

If you receive a suspicious email, do not click on any links, do not open any attachments and do not reply.

You should use the 'Report Message' button in Outlook and the Outlook Web App to report the phishing e-mail to Digital Services and Microsoft Security Center for analysis:

Outlook Desktop


Outlook Browser


Outlook Mobile


Please note that shared mailboxes do not have a ‘Report Message’ button. Instead, these need to be reported via Solve. In order to do this, or to discuss any other concerns, please visit this page