'Phishing' is a criminal tactic used by cyber attackers to lure us into disclosing personal information such as bank and credit card details, our date of birth, passport details and/or account passwords.

Phishing is used to:

  1. Deliver file attachments that can infect your computer with malware.
  2. Entice you to click on links that take you to websites that may infect your computer with malware.
  3. Trick you into handing over your user credentials so that they can gain access to the RMIT network or other sites you access.

Phishing attacks can be sophisticated

Everyone that goes online is a potential target. It’s important to verify every email, SMS or voice message, especially those where you are being asked for personal information or money. A logo or email address of a trusted friend, family member or organisation may still pose a threat.

REMEMBER: Legitimate companies will never ask for passwords, tax file numbers or other sensitive data via email. Don’t disclose your login details through an email, SMS or over the phone to anyone.

If you receive an unexpected request for money or personal information, double-check the credibility of the request, even if it appears to be from a reputable source, such as someone you know or someone within RMIT. It can still be malicious.

  • Always check the URL of the site you are visiting.
  • Never enter your username and password into a website where you have been directed by a link in a message, particularly email and SMS messages.
  • Never give anyone remote access to your computer if they have contacted you out of the blue, even if they claim to be from a trusted company.

If a request seems suspicious, contact the person/business through a separate, legitimate source to confirm it. Don’t use a phone number within the email or SMS.

Forward all suspicious emails received in your RMIT mailbox to reportphishing@rmit.edu.au. If it is found to be malicious, our cyber experts will take the necessary action to contain the risk.

How to identify a ‘phishing’ email

There are tell-tale signs that can help you to identify a phishing message. Before responding to any emails, text, voice message and/or calendar invite, check if it is:

  • unexpected (both from known and unknown senders)
  • asking you to ACT, for example, act by clicking on a link, opening an attachment or confirming details
  • promoting a sense of urgency, for example, the sender is asking you to act within a timeframe otherwise you will lose system access, incur a fine, etc
  • playing to your emotions like greed (lottery win, tax rebate) or fear (access denied to an app)
  • a request for personal or sensitive information or money (bank account, passport details, registration, Tax File Number)
  • out of context, for instance, you receive a file named 'Payroll', yet you work in Student Services
  • an email address doesn’t match the sender name. The ‘reply to’ address is different from the sender’s address.
  • an email that has a generic signatory or a signatory that is inconsistent with company format and protocols
  • a piece of communication (email, SMS, invite) that has an inconsistent tone. The words used are not what you would expect

Check before you respond  

  • Check the email’s domain address. 
    • Don’t use any link in the email to check the domain address.  
    • When checking a domain address, the correct domain needs to appear after the https:// and before the first ‘/’.  In most cases, anything after the first ‘/’ can be disregarded and is often used by scammers to confuse you. 
    • If you hover over a link in an RMIT email attachment and see a URL with "...aus01.safelinks.protection.outlook....", please do not assume it is safe. Still take the necessary checks and precautions before responding. This message simply means the email was not identified in our email filter as being malicious. It is still possible for malicious emails to get through to your mailbox, so we need you to stay alert. 
  • If you have any doubt about the legitimacy of an RMIT email sent to you, validate the address via the RMIT directory search (contact details) or call the sender via teams to verify the request. If you suspect you have received a phishing email, do not use ‘reply’ on the email to verify the request. 

Remain equally vigilant against phishing attacks to your personal email. 


Ransomware is a type of malicious software that holds the contents of a computer hostage by infecting it in some way and demanding that the user pay a ransom to remove the restriction.

How can I protect myself from ransomware?

  • Don’t install programs from untrusted sources or click on unverified links. 
  • Regularly back-up your data to OneDrive or SharePoint or other secure location, such as a shared folder.    
  • Bookmark frequently visited websites to limit the chances of accessing fraudulent sites.
  • Verify email sources by independently checking the sender’s details.
  • Have the latest antivirus software installed on your devices
  • Never pay the ransom as there is no guarantee access to your system will be restored.
  • If the ransom relates to your RMIT account. Contact the Service and Support Centre for immediate advice and assistance: +61 3 9925 8888.