Phishing scams and how to protect yourself

Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a legitimate/trusted organization or institution. 

Learn to spot phishing - take the online video course (available to all students, faculty & staff)

1. Sign in to myCourses
2. Look for Self-Registration Courses on the right side of the page and click register.
3. Click on the course link OLC 901 - IT Security Awareness - Phishing
4. Click Register > Submit > Finish to complete your enrollment.
5. Then click Go to course offering OLC 901 - IT Security Awareness - Phishing to begin.

Headphones or speakers are required.
You can leave the course at any point and come back later.

This article is divided into the following sections:

Introduction to Phishing

Phishing attacks trick users into revealing confidential information. Most phishing attacks are conducted by email; the emails mimic legitimate organizations/businesses in an attempt to fool recipients into disclosing confidential information. Some phishing scams are conducted by phone; common tactics include announcing you have won a free cruise/trip, or impersonating someone from your bank (or another business) and calling you to confirm some of your information for security reasons. Phishing attacks have become increasingly common in the last decade.

Example of a phishing email pretending to be from a legitimate bank:

The link contained in the email looks legitimate and contains https, which signifies an encrypted connection and is commonly taken as the mark of a secure website. However, the link is to a fraudulent website that prompts users to log on and/or enter personal information (name, account number, password). Any information entered is gathered by the phisher and used for malicious purposes.

The above email would link to a site that looks virtually identical to the legitimate site, making it seem to the user that they are simply logging into their bank's website.


Social Engineering Scams

Apart from "Phishing" scams, where the perpetrator aims to acquire your credentials or other personal data, other social engineering scams are designed to trick you into sending money to aid an individual or fund a noble cause.

If you receive an email asking you to send money, be suspicious. Email addresses can be spoofed so that the email looks like it comes from a trusted source. Without replying to the email, try to contact the supposed sender -- go to the official website of the organization, or use your Contacts list or McGill Staff directory to look up individuals.

If you are in doubt about the authenticity of any email, send it as an attachment to


Phishing Tactics

Phishing emails use any number of tricks to fool users:

What to look for:

Common Phrases Found in Phishing Emails:


Prevention and Protection

Phishing filters

A Phishing Filter is designed to warn or block you from potentially harmful websites. All major browsers have phishing filters enabled by default that are intended to protect you from malicious sites. Make sure it is enabled in your browser!

If the phishing filter is enabled, you will be warned if the site you're trying to visit is suspected of phishing or hosting malware.


How to report phishing attempts

If you receive a spear phishing email - one that targets McGill users and appears to be coming from McGill - check to see if there is already an announcement posted on the IT Security Alerts page. If not, please send the questionable email as an attachment to immediately; McGill IT Security will take measures to minimize the risk to the McGill community.

For other phishing or scam emails, delete them from your Inbox immediately. You can also block suspicious senders by using the Block Senders feature in Outlook.


Other resources:
