Cyber security

Safeguarding our data and technology
The University of Sydney takes a rigorous, standards-based approach to managing cyber security risks for our staff, students, alumni, affiliates, partners and vendors, and all other organisations and individuals who support our commitment to excellence.

Cyber security is one of the University's highest priorities, and crucial to our core mission – to excel as a world-renowned research and teaching institution.

We have invested in a significant program of activities and safeguards to ensure your data, our data and our information and communications technology (ICT) are safe and secure – whether you are a member of our community or you work or partner with us.

Our standards-based approach to managing cyber security risks is supported by a policy framework and substantial resources. The University is continually improving our cyber control measures, to enhance our ability to rapidly identify and respond to any cyber threat.

A shared responsibility

Technological control measures are vital, but they are not enough. All members of our community have a shared responsibility to protect ourselves and the University against cyber security threats. For example, the University provides mandatory cyber security training to all staff. We urge you to report any suspicious activity or potential cyber security threats, by contacting us.


Cyber Security Awareness Month 2025

Cyber Security Awareness Month is a reminder that even the smallest online habits can make a big difference in staying safe from cyber threats.

This October, we’re focusing on simple, everyday actions that help keep your information secure. 

Cybersecurity is a shared responsibility and together, we can create a safer digital environment for everyone.

Make these three simple changes to strengthen your online safety 

  • Tip 1: Use strong passphrases and a password manager. Make each passphrase long (at least 14 characters), mixing uppercase and lowercase letters with a number and special character for complexity (for example, Blue KoalaSunshine99!).

  • Tip 2: Enable multi-factor authentication (MFA). We use Okta MFA when accessing University applications. It’s critical to also enable MFA on personal accounts wherever it’s available. MFA provides an extra layer of security, making it harder for an intruder to access your information. It requires something you know (your passphrase) combined with something you have (a code on your phone) or something you are (a facial scan).

  • Tip 3: Keep your software up to date. Install updates to protect your devices against vulnerabilities and cyber threats. Software updates are one of the strongest defences you can have in your toolkit and enabling automatic updates means you’ll receive the latest security patches and features as soon as they’re available. 

Get involved with our cybersecurity events

Learn about the growing threat of information stealer malware and how to secure your devices with ID Support NSW. Register.

Case studies from eSafety’s investigation teams to help staff improve their understanding of cyber abuse risks impacting students. Register.

Discover the latest scam and fraud trends impacting Australians, especially students, and how to get help if you need it. Register.

Understand how attackers are using AI and how we are using AI to protect us. Register.

In-person lecture for cybersecurity students, hosted by Dr Suranga Seneviratne, with insights from Google and Mandiant. H70.1130, Belinda Hutchinson Building. ABS Lecture Theatre 1130.

In-person full-day secure code training for software developers. Choose from nine full-day sessions.

If you are interested in attending this specialist event, please contact our team at ict.cyber-program@sydney.edu.au.

In-person developer event with real-world cyber-attack scenarios to test secure code knowledge. D18.02.207, Susan Wakil Health Building. SWHB Lecture Theatre 207.

If you are interested in attending this specialist event, please contact our team at ict.cyber-program@sydney.edu.au.

Our Cyber Security team will be visiting buildings on campus with a sweet treat to say thank you for practising cyber-safe habits.


Cyber security essentials – a one-stop guide

Fake websites impersonating the University 

A fraudulent website recently impersonated the University of Sydney, hosting a fake offer letter and attempting to mislead individuals. The site, which was registered overseas, was taken down following swift action by the University. 

Scam websites like this are a known risk and continue to target trusted institutions – including universities – particularly around key times such as student application, enrolment and assessment periods.

How fake sites work

Impersonation sites often mimic the University’s name and branding. Links to the sites may appear in phishing emails, social media posts, or misleading ads. They typically target students, staff and prospective applicants with fake offers, login pages or payment requests. 

Similar tactics are also used to create fake online stores or tutoring services. In some cases, these sites may be linked to blackmail attempts or other forms of online fraud, such as contract cheating (paying someone to complete your university work), which is a serious breach of academic integrity, and money muling (being recruited to transfer illegally obtained funds through your bank account), which is a criminal offence.

Look for unusual domain names

Many of these sites use look-alike domains which seem convincing at a glance:

  • sydney-university.org, or 
  • uni-sydney.com

Others use domain extensions from other countries, such as: 

  • .st (São Tomé and Príncipe) 
  • .co (Colombia)
  • .io (British Indian Ocean Territory) 
  • .me (Montenegro) 

These are real country domains but are often used in impersonation scams. If a ‘University of Sydney’ website doesn’t end in ‘.edu.au’, research the site and organisation before deciding to engage with it. 
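The check described above can be automated for links arriving in email or chat. This is an added example, not University code: it assumes genuine University sites sit under sydney.edu.au (the domain of the Helpdesk address on this page), and the BRAND_TOKENS list and every sample link other than the two look-alike domains named above are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: genuine University sites sit under sydney.edu.au.
# BRAND_TOKENS is a hypothetical keyword list chosen for this example.
OFFICIAL = "sydney.edu.au"
BRAND_TOKENS = ("sydney", "usyd")


def check_url(url):
    """Return (verdict, host): official, lookalike, unverified or invalid."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").rstrip(".")  # lower-cased, port removed
    except ValueError:
        return "invalid", ""
    if not host:
        return "invalid", ""
    # Match whole labels from the right-hand end. A substring test would
    # accept "notsydney.edu.au" and "sydney.edu.au.enrol.st".
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official", host
    # The University's name anywhere else in the authority (the hostname or
    # the part before "@") means the link borrows its identity.
    authority = parts.netloc.lower()
    if any(token in authority for token in BRAND_TOKENS):
        return "lookalike", host
    return "unverified", host


# sydney-university.org and uni-sydney.com are the examples given above;
# the remaining links are constructed.
SAMPLES = [
    "https://www.sydney.edu.au/study",
    "https://sydney-university.org/offer-letter",
    "uni-sydney.com",
    "https://sydney.edu.au.enrol.st/login",
    "https://sydney.edu.au@payments.example/fees",
    "https://notsydney.edu.au/",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, host = check_url(link)
        print(f"{verdict:<10} {host:<26} {link}")
```

A "lookalike" verdict means the link uses the University's name on a host the University does not control; "unverified" only means the link is not a University site.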

Protect yourself from impersonation sites

  • Look closely at the URL – is it really the University?
  • Be cautious with unexpected messages, offers or ads.
  • Verify University communications by directly contacting the University.
  • Report sites impersonating the University to the ICT Helpdesk, so we can investigate and take action. Email: ict.support@sydney.edu.au. Phone: 1800 SYD UNI (1800 793 864).

Cybercriminals rely on people missing the small details, so a few extra seconds to check could make all the difference. 

Learn more about common scams and how to avoid them.  

If you've been targeted by a scam on your personal accounts, report to Scamwatch to prevent further attacks. If your University account has been impacted by a scam, change your UniKey password and immediately contact the ICT Helpdesk on 1800 SYD UNI (1800 793 864). You can also connect with University support if needed. 

Fake verification prompt that initiates malware

Cybercriminals are using fake CAPTCHAs to trick you into executing malicious code on your device.  A legitimate CAPTCHA is a security challenge designed to verify you are human and not an automated bot. This may involve:

  • Clicking a checkbox (‘I am not a robot’)
  • Selecting images based on a prompt (‘identify all traffic lights’).

Fake CAPTCHAs appear when you access an infected website, ad or popup. They prompt you to follow additional steps that install and run malware such as the Lumma Stealer and Amadey Trojan on your device. Once executed, the malware can steal passwords, cookies and sensitive data, allowing attackers to access your accounts and bypass security controls.

Threat details

A fake CAPTCHA looks like a standard verification prompt. However, clicking the ‘I’m not a robot’ button copies a malicious script to the clipboard and displays the following additional instructions:

  • Press Win + R (this opens the Windows 'Run' dialog box)

  • Press CTRL + V (this pastes the script from the clipboard into the dialog box)

  • Press Enter (this runs the script).

Do not follow these instructions. A legitimate CAPTCHA will never ask you to run commands like this.

How to identify and avoid fake CAPTCHAs

Be cautious of suspicious CAPTCHAs and remember:

  • Legitimate CAPTCHAs are usually found on websites requiring user verification, such as login or account creation pages.

  • Be cautious of CAPTCHA pages that appear unexpectedly on sites that shouldn’t require them.

  • Legitimate CAPTCHAs only ask you to verify you’re not a robot or to click on certain images to confirm this. They will never prompt you to copy or run code.

If you have interacted with a malicious CAPTCHA

These steps only apply if you followed the CAPTCHA instructions.  Simply seeing the fake CAPTCHA does not install malware. 

  • Disconnect your device from any network/Wi-Fi to prevent further spread.

  • Change any passwords you may have entered after interacting with the fake CAPTCHA, as these may have been stolen. Use a safe, uninfected device to do this, such as your mobile phone.

  • If you use a University-managed device, immediately report it to the Shared Service Centre on +61 2 9351 2000 (follow the prompts for ICT).

  • If you use a personal device, run a full antivirus scan and remove the malware. The Australian Cyber Security Centre has useful instructions on how to report and recover from malware. Consider taking your device to a local IT repair store if you're unsure about malware removal. 

  • If you lost money as a result of this malware, contact your bank, the local police and IDCARE for further support.

Encountering a suspicious CAPTCHA

If you see a CAPTCHA that looks or behaves unusually: 

  • Do not interact with it.

  • Close the webpage. 

We understand the importance of responding quickly to prevent or defuse any cyber threats before they compromise our data security or ICT security.

If you are a member of the University community (staff, students, alumni etc), or work or partner with us in any capacity (industry partners, affiliates, contractors, government, vendors etc), we strongly encourage you to report any cyber security incidents in a timely manner.

Incidents you should report include:

  • suspecting an ICT service, device or account has been compromised
  • evidence of vulnerable University ICT services
  • unauthorised disclosure of sensitive information or discovering a lost University asset
  • observing someone breaching University policy.

Members of the public can contact the Cyber Security Team, and staff and students can email ict.support@sydney.edu.au.

The University follows best-practice cyber security standards and has established a clear policy framework and invested substantial resources in its cyber security program. Read our policies on the University’s Policy Register.

The Cyber Security Policy 2019 (pdf, 216KB) defines the responsibilities and principles required within the University to protect the confidentiality, integrity and availability of ICT resources and digital information.

The Acceptable Use of ICT Resources Policy 2019 (pdf, 240KB) applies to all users of the University's ICT resources, and outlines user rights and responsibilities, the conditions of use of University ICT services, and penalties for misuse.