The University of Sydney takes a rigorous, standards-based approach to managing cyber risks across our teaching, research and operations. This is supported by ongoing investment in the technology and capability needed to keep our community safe.
Strong cyber security underpins the University’s ability to deliver world-class teaching and research.
We continue to invest in measures that help keep University data and information and communications technology (ICT) systems secure for all members of our community and those who work or partner with us.
Our standards-based approach is supported by a clear policy framework and dedicated resources. The University continues to strengthen its cyber security controls to improve our ability to identify and respond to potential threats.
Universities are high-value targets for cyber criminals due to the volume of personal, financial and research data they hold. The following advisories highlight scams and cyber threats targeting Australian universities, with practical guidance on how to recognise and respond.
A fraudulent website recently impersonated the University of Sydney, hosting a fake offer letter and attempting to mislead individuals. The site, which was registered overseas, was taken down following swift action by the University.
Scam websites like this are a known risk and continue to target trusted institutions, including universities, particularly around key times such as student application, enrolment and assessment periods.
Impersonation sites often mimic the University’s name and branding. Links to the sites may appear in phishing emails, social media posts, or misleading ads. They typically target students, staff and prospective applicants with fake offers, login pages or payment requests.
Similar tactics are also used to create fake online stores or tutoring services. In some cases, these sites may be linked to blackmail attempts or other forms of online fraud, such as contract cheating (paying someone to complete your university work), which is a serious breach of academic integrity, and money muling (being recruited to transfer illegally obtained funds through your bank account), which is a criminal offence.
Many fake sites use look-alike domains which seem convincing at a glance:
Others use domain extensions from other countries, such as:
These are real country domains but are often used in impersonation scams. If a ‘University of Sydney’ website doesn’t end in ‘.edu.au’, research the site and organisation before deciding to engage with it.
Cybercriminals rely on people missing the small details, so a few extra seconds to check could make all the difference.
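The domain check described above, written out as an added example (not University code). It goes beyond the '.edu.au' rule by matching the exact domain on a label boundary and reading the host the link really points to. Assumptions: sydney.edu.au (the domain of the contact addresses on this page) is treated as the official domain, and BRAND_TOKEN and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domain of the University contact addresses listed on this page.
OFFICIAL_DOMAIN = "sydney.edu.au"
BRAND_TOKEN = "sydney"  # assumption: the brand string worth flagging

OFFICIAL = "official"
SUSPECT_USERINFO = "suspect: text before '@' is not the site"
SUSPECT_PUNYCODE = "suspect: encoded (xn--) label"
SUSPECT_BRAND = "suspect: brand name outside the official domain"
UNRELATED = "unrelated"
UNPARSEABLE = "unparseable"


def classify(url: str) -> str:
    """Classify the host a link really points to, not how the link looks."""
    url = url.strip()
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
    except ValueError:
        return UNPARSEABLE
    if not host:
        return UNPARSEABLE
    if parts.username is not None:
        return SUSPECT_USERINFO
    # Match on a label boundary: "notsydney.edu.au" must not pass.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return OFFICIAL
    if any(label.startswith("xn--") for label in host.split(".")):
        return SUSPECT_PUNYCODE
    if BRAND_TOKEN in host:
        return SUSPECT_BRAND
    return UNRELATED


# Constructed sample links for illustration, not real scam sites.
SAMPLES = [
    "https://www.sydney.edu.au/study",
    "SYDNEY.EDU.AU.",
    "https://sydney.edu.au.offers.example/letter.pdf",
    "https://notsydney.edu.au/",
    "https://sydney.edu.au@login.example/",
    "https://xn--sydny-constructed.example/",
    "https://www.scamwatch.gov.au/report-a-scam",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):50} {link}")
```

A "suspect" result means the link needs the research step described above before you engage with it; it is not proof of fraud.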
Cybercriminals are using fake CAPTCHAs to trick you into executing malicious code on your device. A legitimate CAPTCHA is a security challenge designed to verify you are human and not an automated bot. This may involve:
Fake CAPTCHAs appear when you access an infected website, ad or popup. They prompt you to follow additional steps that install and run malware such as the Lumma Stealer and Amadey Trojan on your device. Once executed, the malware can steal passwords, cookies and sensitive data, allowing attackers to access your accounts and bypass security controls.
Simply seeing the fake CAPTCHA does not install malware.
If you see a CAPTCHA that looks or behaves unusually:
Timely reporting helps limit the impact of cyber attacks and reduces risk to the University and the wider community. Anyone who becomes aware of a potential cyber security issue affecting the University is encouraged to report it as soon as possible.
Report these issues to us, even if they're just suspicions, via these email addresses.
University staff, students, affiliates and contractors:
Members of the public:
Report personal scams, fraud or cybercrime that do not involve the University to the appropriate organisation. These include:
scams targeting your personal bank accounts, identity, email, phone, or social media accounts
fraud involving personal purchases, payments or deliveries
any cybercrime unrelated to the University
For these issues, the following organisations can help. If money has been lost, contact your bank immediately and consider reporting the matter to your local police station.
Personal scams or fraud
ScamWatch
Report scams involving personal email, banking, shopping or payments to help authorities warn others and disrupt scam activity.
Website: https://www.scamwatch.gov.au/report-a-scam
Cybercrime or serious online fraud
Australian Cyber Security Centre
Use this service to report hacking, identity crime, ransomware, or other cybercrime.
Website: https://www.cyber.gov.au/report-and-recover/report
Phone: 1300 292 371
Identity theft or compromised personal information
IDCARE
Provides expert, free support, including a case manager, if your identity, personal accounts or data have been stolen or misused.
Website: https://www.idcare.org
Phone: 1800 595 160
Online abuse, cyberbullying or harmful content
eSafety Commissioner
For issues such as image-based abuse, cyberbullying, threats, harassment, illegal content or unsafe online behaviour.
Website: https://www.esafety.gov.au/report
If you're a student impacted by a scam, support is available from our Student Wellbeing Team.
Our approach is supported by a policy framework aligned with recognised international industry standards. These policies define responsibilities and minimum security practices for staff, students and partners.
The Cyber Security Policy (pdf, 216KB) defines the responsibilities and principles required within the University to protect the confidentiality, integrity and availability of ICT resources and digital information.
The Acceptable Use of ICT Resources Policy (pdf, 240KB) applies to all users of the University's ICT resources, and outlines user rights and responsibilities, the conditions of use of University ICT services, and penalties for misuse.
University staff and students:
ict.support@sydney.edu.au
Members of the public:
ict.askcyber@sydney.edu.au