“Phishing is a trick in social engineering. Cybercriminals usually use phishing to trick the victim into some kind of expected behaviour. Social engineering is the core of all phishing attacks, especially via email. The advancement of information technology makes it easier to spread the phishing email. It is very fast, inexpensive and low-risk to set up and operate phishing attacks. Any cybercriminal can launch such attacks.

Before replying to any email, you must confirm the identity of the sender, especially if the email involves sensitive content such as money, personal information or account password, etc. please pay special attention. Usually, a phishing email will contain one or more characteristics as below:

1. Beware of the non-official email address domain. For example, a notice from ICTO Help Desk is unlikely to come from the following email addresses. Please note that if an email address is shown with a display name, it may not be used to verify of the sender’s identity. For this case, you need to verify the sender’s email address in “< >” or “[ ]”;

  • icto.helpdesk@yahoo.com — For official email, it is unlikely to come from third party email service, e.g. @yahoo.com;
  • icto.helpdesk@connect.um.edu.mo — @connect.um.edu.mo is used by the UM student and alumni service but it is not an official staff email address.

2. Beware of attachment— Email attachment is the most common platform for malicious software. When you get a message with an attachment, DO NOT open it unless you are expecting it and you are absolutely certain that it is a legitimate;

3. Urge to do something is one of the typical phishing characteristics, an urgent call to action makes you more likely to cooperate, e.g. urge to perform account verification, purchase some prepaid cards, money transfer, etc. If a message states that you must act immediately or you will lose access, so you must calmly deal with it. Cybercriminals often use intimidation and hope you will follow the action without thinking;

4. Incorrect URL link — it will take the recipient to a fraudulent website instead of the genuine links;

5. Fake email signature — Hackers may obtain the email signature from somewhere. Even if it looks real, you are not recommended to identify the authenticity of email with the email signature. However, if the sender’s email signature is unusual, you need to pay special attention;

6. Do not trust the sender’s photo — Hackers may obtain someone’s photo from somewhere, e.g. social media website;

7. Using different communication channels — for any suspicious request, you can use different communication channels to determine the authenticity of the email sender. For example, instant messaging apps, or voice call, etc.


  1. Office for Personal Data Protection, Macao
  2. Personal Data Protection Act, Macao
  3. Privacy Policy, UM
  4. Guidelines for Handling Confidential Information, UM
  5. Acceptable Use Policy on ICTO Computing Facilities Campus Network and Internet
  6. Guidelines for Mass Email and E-mail Groups
  7. How can I identify a phishing, fake email and websites?
  8. What you need to know about EU General Data Protection Regulation?
  9. Data Privacy in an Era of Compliance
  10. Beware of suspicious emails with intimidating contents!
  11. Other Information Security Tips