• From email address: Carefully check the email address to ensure that it is either a valid UCT email address or one you normally receive external messages from.

    In the case of spear phishing attempts, the sender is spoofed so that the email looks like it came from one of your contacts, but the domain is different from what they would normally use. For example, you get an email from a UCT staff member, but their email address ends with “@outlook.com” or “@gmail.com”.
  • To email addresses: Ensure that it is addressed to you or a standard UCT mailing list. An empty field is another tell-tale sign of a possible phishing attack.
  • Threats or a sense of urgency: You are required to take some kind of immediate action to avoid facing a penalty. Additionally, you may be threatened with “evidence”, such as a claim that they have naked photographs of you or that you were on a dating website despite being in a relationship. They then threaten to leak the information if you don’t do what they say.
  • No formal salutation: There is usually no greeting, just instructions on what to do.
  • Spelling and grammar: There is no standard email structure, and there are often spelling and grammar mistakes.
  • Unexpected attachment: You receive an attachment asking you to download and install something or to provide information.
  • Personal information: You are required to send personal information or navigate to a website to enter your details.
  • Embedded links: Due to the way our security measures have been set up, you cannot always verify the actual link included in an email. We therefore recommend that, instead of risking a click on a link that could be malicious, you send it to the IT Helpdesk to determine whether the link is safe or whether it will take you to a malicious website or install something on your computer without your knowledge.
  • None or incorrect email signature: The email ends without a proper greeting or has an incorrect email signature.
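
The From, To, salutation and urgency checks from the list above can be applied to a reported message in code. This is an added example, not UCT's or the IT Helpdesk's tooling; the function name triage, the label strings and the two word lists are assumptions, and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "uct.ac.za"                  # domain taken from the page
FREE_MAIL = {"gmail.com", "outlook.com"}  # free-mail domains the page names
URGENT = ("immediately", "urgent", "suspended", "penalty")  # constructed list
GREETINGS = ("dear ", "hi ", "hello", "good ")              # constructed list

def triage(raw, expected_to, known_senders=frozenset()):
    """Return the tell-tale signs found in one raw RFC 5322 message."""
    msg, signs = message_from_string(raw), []
    # From: exact domain match, so look-alike domains are not accepted.
    display, addr = (s.lower() for s in parseaddr(msg.get("From", "")))
    domain = addr.rpartition("@")[2]
    if domain != ORG_DOMAIN and addr not in known_senders:
        signs.append("from-unfamiliar-address")
    if "uct" in display.split() and domain in FREE_MAIL:
        signs.append("from-claims-uct-on-free-mail")
    # To: must name the recipient or a known list; empty is itself a sign.
    to = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    if not to:
        signs.append("to-empty")
    elif not to & expected_to:
        signs.append("to-not-addressed-to-you")
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    text = body.strip().lower()
    if not text.startswith(GREETINGS):
        signs.append("no-salutation")
    if any(word in text for word in URGENT):
        signs.append("urgency")
    return signs

# Constructed samples, not real messages.
SPOOFED = """\
From: "UCT Finance Office" <finance.office@outlook.com>
To:

Your account will be suspended. Send your details immediately.
"""
LEGIT = """\
From: "Jane Doe" <jane.doe@uct.ac.za>
To: student@uct.ac.za

Dear colleague, the notes from today's meeting are on the shared drive.
"""
```

A message that returns no signs is not proven safe, since a compromised UCT account passes every header check here.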

Never action emails that tick one or more of the items listed below

As a member of the UCT community, you have a responsibility to protect the UCT network, its digital assets as well as your data. Remember you are UCT’s first line of defence and it only takes one wrong action to cause significant damage.

One way that you can take the necessary precautions is by scrutinising each email that you receive to ensure that it is legitimate, even if it comes from a staff member or contact that regularly emails you. You never know when their account could be compromised.

Go through the list of tell-tale signs and, if anything seems unusual or the email contains one or more of the listed items, do not action the request.

  • If you clicked the attachment or link in the email, DO NOT enter your details if prompted. Instead, run a full antivirus scan of your machine. Then, on a device that you know to be free of malware and infection, change your password.
  • Log a call with the IT Helpdesk informing them that you have opened either an attachment or a link but haven’t entered your details. You also need to let them know you changed your password, and they will then take the necessary action.
  • If you took no action and suspect that the email is a phishing attempt, check the phish bowl below to see if any such incident has already been reported to the IT Helpdesk. If not, create a new email message, attach the suspicious email you received and send it to the IT Helpdesk via email at icts-helpdesk@uct.ac.za.

Steps to take if you actioned the email

If you've entered your details, your account may be compromised. This puts the UCT network and UCT assets at risk. Please:

  1. On a device that you know to be free of malware and infection, change your UCT password. If you have stored any passwords on web browsers or systems and services that you usually use, you need to change those too. This kind of information can easily be harvested, so rather make the required changes.
  2. Send an email to the IT Helpdesk informing them that your details were compromised, but that you have changed your password.

NOTE: This reporting process applies only to your UCT email account. If you receive phishing attempts in non-UCT email accounts (e.g. Gmail), please follow the process specified by that email service provider. This can usually be found in the provider’s Help or Support pages and will help your service provider to minimise future phishing attempts to that email account.

  1. Run a full antivirus scan on the machine you used to enter your details.
  2. You can also view your UCT account activity via Outlook Web App.
    1. Go to https://myaccount.microsoft.com/ and log on with your UCT credentials if prompted to do so.
    2. In the My sign-ins block click Review Recent Activity. If you see any suspicious activity on your account, please report it to the IT Helpdesk.
  3. Most service providers offer similar functionality for their online accounts. You can also do a Google search if you need to find your IP address.


The IT Helpdesk will contact you if they suspect that your machine has been infected by a virus or some form of malware. Your device will need to be removed from the UCT network to reduce the risk of the UCT network and other machines on the network becoming infected too.

It is therefore important that you follow the instructions provided by the IT Helpdesk as they are only taking the necessary precautions to protect the UCT network, its digital assets and your data.

The quicker the issue is addressed, the faster you will get your machine back.