Cyber-savvy staff can protect against phishing threats

26 Sep 2022
UNSW staff are becoming vigilant against phishing threats

Staff at UNSW Sydney are reporting more real phishing threats than ever, with positive implications for the University.

What is phishing?

Phishing emails are designed to coerce individuals into revealing personal information, such as passwords and credit card numbers. UNSW employs a variety of technical controls to prevent phishing emails from being delivered to staff mailboxes, but cyber criminals are skilled at circumventing even the most sophisticated phishing countermeasures.

A recent study from IBM indicated that the average cost of a data breach resulting from phishing is $7.3M. The costs of phishing include operational disruption, loss of business, and reputational damage, with the impact sometimes putting organisations out of business.

Phishing scams have become a common problem, both in our corporate and personal lives. It’s important to learn how to spot tell-tale signs to protect the University and your personal data.

What do I do if I see a suspicious email?

Stop, think and assess. Does it sound urgent? Is it making you want to react emotionally or irrationally?  Is it brief and does it leave you wanting to know more? Does it look familiar?

  1. Click on the Report Phish button in your Outlook mailbox menu bar (under the ellipsis) – this will alert the Cyber Security Operations team of a potential phishing campaign.
  2. Only delete or ignore the message after reporting it using the Report Phish button.
  3. Do not reply to the email or click any links/attachments within it.

As the threat of email-based attacks evolve over time, UNSW Cyber Security will continue to promote awareness of how to recognise these threats and respond appropriately.

What is the University doing to manage the threat of phishing?

The University uses regular phishing simulation exercises to help staff recognise phishing tactics and report them using the  Report Phish button in Outlook. The phishing simulations are intended to mimic real phishing attacks as closely as possible, with the objective of improving the University’s cyber security resiliency.

Since launching the phishing simulation campaign in June 2022, awareness of the issue has grown. An increasing number of staff are now able to identify phishing emails and know how to report them via the Report Phish button in Outlook.

Reporting phishing emails is important to alert the Cyber Security Operations team of the threat so that they can respond quickly. Once reported, the team can keep our systems safe by blocking the phishing attack and removing any other phishing emails that were delivered. Your prompt action in reporting phishing emails can save your colleagues from clicking on malicious links and losing private data.

From October 2022, UNSW is also taking steps to improve the resilience of our Microsoft 365 platform and will commence the implementation of additional technical controls to SharePoint, Teams and Outlook in line with the University Cyber Security and Acceptable Use policies.

Strengthening critical controls to our core collaboration tools will minimise the potential for accounts to be compromised and potential reputational damage.

Staff and students will notice alerts in SharePoint, Teams and Outlook , if suspicious attachments, links or websites are detected. 

The warning message below is what will pop up if a link that has been clicked is suspected to be a phishing attempt:

Phishing warning
Office 365 anti-phishing warning


Visit the Endpoint Security Management stream page for more information about the new changes.

Visit the Cyber Security Awareness Page or email the Cyber Security team for more information.