Email security and suspicious emails

Suspicious or unsolicited emails can be used to steal your electronic identity to compromise your personal information or access your computer system

Sometimes unsolicited emails don’t look suspicious. It’s important to know how to identify these emails and deal with them appropriately so that you don’t lose your data or access to your account.

Remember that the University will:

  • never ask you to pay via a third party
  • never ask you to disclose your password to a staff member
  • never ask you to send your password via email
  • never contact you from a non-University email address.

If you receive an email that threatens to remove your account or makes you suspicious for any reason, report it to the IT Security team or online via ServiceNow.


Phishing emails aim to trick you into handing over personal or sensitive information such as your password or credit card details. Malicious links or attachments can also infect your computer with malware or take you to a fake login page.

What to look for

  • A sense of urgency
  • A request to open an attachment or click a link
  • A request for sensitive information
  • A request for payment
  • Spelling or grammatical errors
  • The email address:
    • Be wary of emails that are not from e.g.
    • Check if the display name is different to the email address e.g. The University of Melbourne <>
    • Occasionally it’s possible a hacker may have gained access to a unimelb email account. Just remember the University will never ask you for your password.
  • The web address:
    • Looks different to the one you usually use
    • Is different to the display text when you hover over e.g.
    • Uses a subdomain e.g. is part of the site rather than
  • Phishing emails regularly use the words below in their subject line.
    • Always be very suspicious of emails asking to 'verify' or 'upgrade' your account.
    • Also be suspicious of emails saying that you have been detected as logging in from a random country.
    • Using ALL CAPITAL LETTERS is an indicator that the email may not be legitimate.
    • Phishing emails often give you an ultimatum, e.g. 'Verify your account or permanently lose it'.

Other steps to take

  • Take the time to consider if an email is real:
    • Does it make sense?
    • Does it look like other official communications from the University?
    • Does it use a familiar greeting or signature?
    • If in doubt, contact the sender to confirm
  • Type a website URL into the browser yourself (don’t just follow a link) or search for it using Google
  • Always navigate to sites from the University of Melbourne’s official website
  • Check for https:// when accessing sites that require a login or payment
  • Report suspicious emails to Student IT via email or ServiceNow

When dealing with unsolicited or suspicious email:

  • Never reply to suspicious emails.
  • Never forward suspicious emails to others.
  • Never send your password or sensitive, personal or confidential information via email.
  • Never click links in suspicious emails. Type links directly into your Internet browser yourself.
  • Never click or download attachments in suspicious emails.
  • If you're unsure whether an email is suspicious, contact Student IT for assistance.

Report a suspicious email