The University of Otago's IT support staff will never ask for your password, and you should never provide your University (or any other) password to anyone.

Staff can report suspicious emails by clicking on the Report option, which is found in Outlook online under More Options (three dots) in the top right of an email, or the Report button at the top of the message window.

When the email is reported as suspicious, the email moves automatically to your "Deleted Items" folder, it gets logged with Microsoft, and is tracked by the IT Assurance and Cyber Security (ITACS) team.

ITACS can see how many times an email has been reported University-wide, move selected emails to the junk folder for everyone or quarantine dangerous emails. Use this function as much as possible as it helps improve our email security for everyone.

Phishing and spear phishing emails

A phishing email is one that tries to trick you into revealing sensitive information. They are unsolicited — you didn't ask for the email and you weren't expecting to receive it. The name "phishing" is given because the attackers are "fishing" for information in order to:

  • Access your email account or bank details for fraudulent or illegal purposes
  • Elicit private information, such as usernames and passwords, credit card numbers, or home addresses

The phishing email may:

  • Ask you to visit a website via a link
  • Contain basic spelling or grammatical errors (but still look like an official email)
  • Sound threatening or urgent

Spear phishing emails are specifically directed to an organisation (e.g. the University of Otago), and often claim to be from local IT support staff, or a senior staff member. A common example of this is the emails requesting the recipient purchase iTunes vouchers for the sender.

Don't feed the phish:

  • Never reply to an email requesting your password
  • Spelling, grammar, and formatting are telling. Phishers are often bad at them
  • Phishers use generic greetings (dear customer, etc.) rather than your name
  • Phishers often pretend to be a senior person wanting you to take urgent action outside of normal communication methods
  • Don't click unexpected links. Watch out for attachments that look too interesting to be true, totally unexpected, or not relevant to your role
  • Always check the URL:
    • Good: https//
    • Bad: http//

If you're uncertain about responding to an email, don't reply. Contact AskOtago for advice.

If you receive a phishing email that appears to come from the University of Otago, don't open any attachments or click on any links. Report it to AskOtago along with the email's full headers


Spam is email that:

  • Is not welcome or relevant
  • Is sent to many people
  • Often tries to sell you something

Most of the spam sent to University of Otago domains is intercepted by the University's anti-spam systems and forwarded to your Junk or Spam folder. You can often easily recognise spam without even opening an email by reading the message's subject header.

If the occasional spam email appears in your mailbox you don't need to report the message as outlined above. However, you should contact AskOtago if:

  • A large number of spam emails arrives in your Inbox instead of being sent to your Junk or Spam folder
  • You think that your email account has been hijacked to send spam to people in your address book
  • You think that your email address is being used to send spam

There are different types of spam, and while most spam emails won't harm your computer, they may contain links or attachments which do. If you are unsure if an email is legitimate, or whether a link or attachment is safe to click on, you can contact AskOtago for further advice.

Some spam emails may ask for personal information such as usernames and passwords, or bank details, or may even contain a threatening request for a payment. If you receive such an email, report this to AskOtago and provide the full headers of the suspicious email in your email to them. The full header contains information about the path an email took as it crossed mail servers, so it can be used by ITACS for tracking and troubleshooting:

Report phishing or spam emails

AskOtago SharePoint: Email Spam and Phishing Emails