Understanding email and phishing scams can save you a lot of grief.


"Phishing" refers to scams that steal sensitive personal information through fraudulent emails, websites or phone calls.

Phishing emails may appear to be from your bank, the Australian Taxation Office, a legitimate business, or even UQ.

The emails are used as bait – they are designed to fool you into disclosing confidential information.

The scammers may claim there is a "problem" with your account and ask you to respond immediately by clicking on a link, or by reentering your password or account information. 

Phishing emails can be difficult to spot, because they are made to look authentic. Scammers often copy the design, branding and logo of the organisation they claim to be from. 

UQ email systems identify extensive daily phishing attacks on staff and students. The overwhelming majority of these attacks are discarded.

While many attacks are easily identified, phishing scams are becoming more sophisticated and can fool even knowledgeable and experienced people.

The best additional defence is for you to be vigilant. Things aren't always what they seem – be sceptical about any unsolicited emails.

More information is available from Scamwatch

Major portions of this page thanks to University Wisconsin-Madison. Used with permission.


What information do scammers want?

Scammers are focused on getting any piece of information that can potentially be used to uniquely identify, contact or locate you. They also want information that can be used to corroborate other information they might already have about you.

This information might include your:

  • tax file number
  • driver’s license details
  • bank account numbers
  • account username
  • passwords
  • PIN numbers
  • home address
  • email address
  • telephone number, or
  • biometric data (e.g. fingerprints, DNA).

Is it OK to give out personal information via email?

No and UQ will never ask you to disclose personal information via email.

Scammers will sometimes pose as "the University email service" or "the campus tech support service." Don’t be fooled! If you are asked to disclose your UQ username and password, or other information, don’t do it.

When in doubt, contact your local IT officer or the ITS Service Desk to ask for advice.

What happens if I'm tricked by a phishing scam?

Contact the ITS Service Desk as soon as possible.

If we identify a user has replied to a known phishing address, you will have your UQ credentials (i.e. UQ username and password) disabled and you will not be able to access network resources until you have validated your identity.

Is someone other than me accessing my username and password really that unsafe?

Yes. Your UQ username and password provides access to your personal information, including your payroll statements, home address, grades, and more.

With a UQ username, someone can damage or destroy your data, steal and abuse your identity, change your enrolment, alter your research, and gain access to other UQ applications.

Stolen UQ accounts are often used to send vast quantities of spam messages to others and scammers will often delete all of your genuine emails.

Many thousands of bounced message responses and complaints will swamp your inbox. It's not worth it. 

When will UQ ask me for personal information by email?

We will never ask you to reveal your UQ username or password, or other sensitive information through email. You may be asked to change or strengthen a password, but you will never be asked to disclose it outright.

How to recognise a scam

Scam tactics are increasingly sophisticated and change rapidly. Even if an email looks genuine, be sceptical. Look for these warning flags:

  • The email doesn't adddress you by name or isn't personalised. Authentic messages will usually refer to you by name.
  • The message is unsolicited and asks you to update, confirm or reveal personal information.
  • The message creates a sense of urgency.
  • The message has an unusual 'From' address or an unusual 'Reply-To' address, instead of a @uq.edu.au address.
  • The fake website URL doesn’t match the name of the institution it claims to represent.
  • The web site doesn’t begin with "https://", which is used for secure sites.
  • The link in the pop-up doesn’t match the printed text.
  • It is strangely or poorly written, with grammatical errors.

Do's and Don'ts

  • Do be wary of unsolicited messages. Even if you recognise the name of the sender. Scammers sometimes pretend to be someone you know in order to get your personal information. If you have received an unsolicited message, never give out your username, password, credit card, date of birth, or tax file number.
  • Do validate that you are connected to a certified, encrypted website. Look for a closed padlock in the status bar at the bottom of your browser window or in the address bar at the top. Also check the address begins with "https://" rather than "http://".
  • Do use common sense. If it seems too good to be true, or if it feels like a strange or unexpected request – it's probably a scam. If you have any doubts, don’t respond – or ask to call the person back. Then contact your local IT officer, or the ITS Service Desk.
  • Do keep your browser and operating system up-to-date with the latest security patches and updates.
  • Don't click any links. Instead, contact the organisation to verify what you are being told. Do an internet search to independently verify the company’s contact details – don't trust any contact details in the email. 
  • Don’t use forms that are embedded in the body of an email (even if they appear legitimate). Only provide information over the phone or on certified, encrypted websites. 
  • Don't open email attachments from any unknown sources. Many viruses arrive as email attachments (e.g. a PDF, Word docment or other files) that are harmless until you open them. JPEG (.jpg) files have recently become a new format for spreading viruses.

Reporting a phishing scam

If you receive any email requesting your UQ username and password, contact the ITS Service Desk as soon as possible. Your account will be disabled if you respond to the phishing scam. 

If you want to report a phishing scam email that is unrelated to UQ, please submit the details to Report a scam.

More information

To find out more about phishing or email scams visit: