Cyber Security – Phishing

Phishing is a common type of cyber attack in which attackers use fake emails, websites, or messages to steal users' passwords, credit card details, or institutional access credentials.

HKU will never ask you for your password, one-time code, national ID number, or banking details via email, SMS, or phone. If you receive such a request, it is a phishing attempt.

1. Signs of a Phishing Attempt

  • Urgency pressure: Phrases such as “Your account will be closed in 24 hours!” or “Verify immediately!”
  • Fake sender address: Even if the sender name appears to be “HKU Information Technologies”, the actual address may be outside HKU.
  • Spelling and grammar errors: Broken language rarely seen in official institutional emails.
  • Generic salutation: General phrases such as “Dear User” instead of your name.
  • Suspicious links: The address shown in the text may differ from the actual destination.
  • Unexpected attachments: .exe, .zip, .iso, password-protected PDFs, macro-enabled Office documents.
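Two of the signs above, a sender name that claims HKU while the address is outside HKU and a link whose visible text differs from its destination, can be checked mechanically on the raw message obtained from "Show original message". The script below is an added example, not HKU's own tooling; the trusted domain is assumed from the reporting address on this page, and the sample message and its .example hosts are constructed.

```python
import email, re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "hku.edu.tr"  # assumption: taken from the reporting address on this page
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I)

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """\
From: "HKU Information Technologies" <it-support@mail.example>
Content-Type: text/html; charset="utf-8"

<p>Dear User, <a href="https://login.example/hku">https://hku.edu.tr/login</a></p>
"""

def in_domain(host, domain=TRUSTED_DOMAIN):
    return host.lower() == domain or host.lower().endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_signs(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    signs = []
    name, addr = parseaddr(str(msg["From"] or ""))
    if "hku" in name.lower() and not in_domain(addr.rpartition("@")[2]):
        signs.append("sender-outside-hku")  # display name claims HKU, address does not
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for text, href in collector.links:
        shown, actual = URLISH.match(text), urlparse(href).hostname
        if shown and actual and shown.group(1).lower() != actual.lower():
            signs.append("link-mismatch")  # visible address differs from destination
    return signs
```

A clean result does not mean a message is safe; the script covers only these two signs and the reporting steps on this page still apply.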

2. Common Attack Types

| Type | Description |
|---|---|
| Classic Phishing | Email redirecting to a fake login page. |
| Spear Phishing | Targeted attack crafted specifically for an individual. |
| CEO / Executive Impersonation (BEC) | Fake email sent in the name of a rector / dean / unit head. |
| Smishing | Fake link sent via SMS. |
| Vishing | Social engineering via phone. |

3. When You Encounter a Suspicious Email

  1. Do not click links and do not open attachments.
  2. Do not enter any information; do not use “verification” buttons.
  3. Before deleting the email, check the actual sender address via “Show original message” in Gmail.
  4. Forward the suspicious message as an attachment to kvkk@hku.edu.tr.
  5. Also use Gmail's “Report phishing” button.

4. If You Clicked or Entered Information

  1. Immediately change your institutional password.
  2. Go to Google Account > Security > Sessions and sign out of any unrecognized devices.
  3. Confirm that two-factor authentication (2FA) is enabled.
  4. Open a “Security Incident – Critical” request via DESK.
  5. If you provided banking details, immediately block your credit card or bank account.

5. Preventive Behaviors

  • Keep 2FA enabled at all times.
  • Do not use the same password across different platforms; use a password manager.
  • Keep your operating system, browser, and antivirus software up to date.
  • Do not log in to your institutional account on public Wi-Fi networks; if you must, always use a VPN.
  • Always verify IBAN change requests received via email by phone before acting.
  • Attend awareness training sessions organized by BIM.