Phishing

Phishing refers to the process where a targeted individual is contacted by email, phone call or text by someone posing as a legitimate institution to lure the individual into providing sensitive information such as banking information, credit card details, and passwords. The personal information is then used to access the individual’s account and can result in identity theft and financial loss. Be very cautious. Phishers can only find you if you respond. Please note that you are the most effective defense to detect and stop phishing.

Phishing Indicators

Here is a sample of a Phishing email and below are some flags that can help you identify if an email you receive is a scam or not.  

Sample Phishing Email

1. Suspicious Sender Address

Check the sender’s address carefully and make sure it is really coming from who it says it is coming from.

Attackers often try to impersonate someone from your organization or from another recognizable institution. In this example, the display name has some grammar and spelling mistakes and it does not match the email address.

Phishing Email Sender Address

2. Email Subject

Check the subject of the email for grammatical errors, spelling mistakes and other oddities. Most phishing emails try to create a sense of urgency to compel recipients to act hastily. They may also use certain language and keywords, while also being vague enough so that the email seems legitimate.

The subject in this example is an email address and it provides no other details about what the email is concerning. This is a very strange subject for an email, so it should automatically raise some warning flags, indicating that the email may not be what it seems.

Phishing Email Subject

3. Email Body / Content

Always check the body of the email for grammar mistakes, spelling errors, and formatting issues. Reputable organizations generally do not send emails that are full of such errors.

The email below is a sample of a typical job scam – notice the poor grammar and the too-good-to-be-true compensation offer for the job.

Phishing Email Body

4. Suspicious Links

Often, emails contain links that appear safe but direct you to phishing websites. For example, a site posing as a Google Forms page might request personal information such as credit card details or your Social Insurance Number (SIN).

If you cannot see the actual link, hover your mouse over it before clicking to verify if it matches the text in the email. For example, the link below appears to lead to a Google form requiring you to fill out information. While it is not malicious, any request for personal information should be considered a red flag.

Phishing Email Links

5. Suspicious QR Code

Another tactic threat actors use to make their targets click on phishing links is through QR Codes. They require you to scan the QR code leading you to a phishing page that would appear to be a trusted service or application. This page is designed to steal personal, financial, or login information. In some cases, it can initiate a download of malware which can compromise your device and data.

Many smartphone cameras will give you a preview of the code’s URL as you start to scan it. If it looks suspicious, skip it.

Check out this Brock News article for more information about QR Code phishing.

Phishing Email QR Code

6. Email Signature

Another important thing to check in an email is the signature, as attackers often try to appear as legitimate as possible. They try to copy the email signature of the person or organization they are impersonating, however there are usually minor differences that can tip you off that it’s not legitimate such as spelling errors, inaccurate information, and/or a missing or altered logo.

If you are suspicious of the email, check the signature details and compare them with the company’s official website and contact information.

Phishing Email Signature

FAQs

Why should I care?

You may not realize it, but YOU ARE A PHISHING TARGET at work and at home. Organized crime groups want you to click on a link that takes you to a website where your personal information is requested.

Phishing isn't that serious, is it?

If you think that phishing isn’t very serious, consider the following:

In July 2020, Twitter suffered a security breach via a phishing attack. Specific Twitter employees fell victim to the phishing attack that allowed cybercriminals to acquire their credentials and gain access to Twitter’s internal systems. Using the credentials of the Twitter employees, the cybercriminals were able to target 130 Twitter accounts, including high-profile US personalities like Barack Obama, Joseph R. Biden Jr., Bill Gates, Elon Musk, Kim Kardashian, and many more. Furthermore, the bad guys were able to tweet from 45 accounts, access the DM inbox of 36, download the Twitter Data of 7 and swindle USD 120,000 worth of bitcoin.

As we live more and more of our lives online, and use our phones, computers and online services for more of our personal information, these accounts become very valuable to organized crime. You may not be famous but you are still a target. Your bank accounts as well as credit/debit cards are prime targets for criminals as the days of the big bank heist are over. Organized crime now employs large networks of computers and minions to try and steal a few hundred dollars at a time from large numbers of people. Estimates put the cost of phishing and identity theft at over $5 billion annually. Having control of your email account can give criminals access to more than just your email messages. Almost all online services like Facebook, Twitter and Amazon use your email to verify your identity and perform password resets so gaining access to your email account can give these criminals access to more than just your email.

How can I spot a phishing email?

Phishers send more convincing emails all the time. ITS posts samples of phishing emails received at Brock here.

You can also take the SonicWall Phishing IQ Test to see how you score.

How can I protect myself from phishing attempts?

To help protect yourself from phishing attempts, follow these email safety tips:

  • Never send your username/login and password in an email message.
  • Beware when replying to unsolicited messages. Replying to these messages or going through the process of unsubscribing from lists merely enforces that they have discovered an active e-mail address. Ignore and delete these messages. Only unsubscribe from lists you have knowingly subscribed to or trust.
  • Beware of links in email messages. Although some may take you to reputable content, others can lead to infected websites or phishing scams asking for your username/login and password.
  • Beware of any email messages or attachments you are not expecting, even from friends, family, and colleagues. Some viruses can take over email programs and impersonate people you know.
  • Don’t run any executable (programs) received as email attachments. This is not the best way to transmit programs anyways. If you are transferring programs you should “zip” the files before sending.
  • Turn off the preview pane in your email program. Some viruses can be accidentally initiated by just previewing the message in some older e-mail programs.
  • Turn off scripting and auto-launch features. Any features that run programs, macros, or scripts within email messages are capable of launching viruses.
  • If you receive a message from anybody and are told to delete a file on your computer, DO NOT DELETE IT. Chances are it is a hoax. Check with your antivirus support person or visit a reputable antivirus website and see what they recommend.
  • Use discretion when forwarding emails. Not everyone appreciates receiving chain emails. Make sure the people you are sending them to don’t mind this type of email. If you receive a virus alert, although you may think you are doing your friends a favour by warning them, you could be feeding hysteria.

I think I've received a phishing email. What should I do?

If you have received an email that you believe to be a phishing attempt, please use one of the methods outlined in the sections below to report it.

If you are concerned you may have fallen victim to a phishing attempt, contact the Help Desk at x4357 or email itsecurity@brocku.ca right away.

Where can I learn more about phishing?

If you would like to learn more about Phishing, or Cyber Security:

Reporting Methods for Faculty, Staff & Students

From the Office 365 Email Webpage

  1. From Office 365 email, select the target email to report.
  2. Select the “Junk” dropdown from the ribbon above.
  3. Select “Junk” or “Phishing”.
  4. Select “Report” if asked:
    • Reported as junk: The messages are moved to the Junk Email folder.
    • Reported as phishing: The messages are deleted.

From the Office 365 Email App or any other Email Client App (e.g., Apple Mail)

You can also use email to submit junk, spam, and phishing emails directly to Microsoft:

  1. Create a new, blank email.
  2. Address the email to the Microsoft team that reviews messages as follows:
  3. Copy and paste the junk or phishing scam message into that email (as an attachment).
  4. You can attach multiple messages to the email if you want to; make sure all the messages are the same type – either phishing scam messages or junk email messages.
  5. Leave the body of the new message empty.
  6. Click Send.

All faculty, staff and student email are scanned by Microsoft’s Anti-spam & Malware service called Exchange Online Protection. To report spam or phishing attacks, follow one of the above procedures. Microsoft gathers this information to create a blacklist based on feedback from users like yourself.