Phishing scams and how to protect yourself
Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a legitimate/trusted organization or institution.
Learn to spot phishing - take the online video course (available to all students, faculty & staff)
1. Sign into myCourses
2. Look for Self-Registration Courses on the right side of the page and click register.
3. Click on the course link OLC 901 - IT Security Awareness - Phishing
4. Click Register > Submit > Finish to complete your enrollment.
5. Then click Go to course offering OLC 901 - IT Security Awareness - Phishing to begin.
Headphones or speakers are required.
You can leave the course at any point and come back later.
This article is divided into the following sections:
- Introduction to Phishing
- Social Engineering Scams
- Prevention and Protection
- How to report phishing attempts
Introduction to Phishing
Phishing attacks trick users into revealing confidential information. Most phishing attacks are conducted by email; the emails mimic legitimate organizations/businesses in an attempt to fool recipients into disclosing confidential information. Some phishing scams are conducted by phone; common tactics include announcing you have won a free cruise/trip, or impersonating someone from your bank (or another business) and calling you to confirm some of your information for security reasons. Phishing attacks have become increasingly common in the last decade.
- Phishing attempts appear in many forms, including but not limited to: email, popup windows, instant messages, and phone calls.
- Potential victims are asked to enter confidential information such as account numbers and/or passwords. The information you enter is gathered by the phisher. Once such confidential credentials have been obtained, the phisher has control of the account.
- Do not provide your McGill username and McGill password in an email or attempt to register on an external web site with your McGill credentials.
- McGill and other reputable institutions will never contact you by email or phone and ask you to provide confidential information, nor will they request you to log onto a website to do so.
- Phishing attempts are very convincing, often using content (images, words, logos) taken from legitimate websites. If there is a reason to believe that the request is indeed legitimate, verify it: call your bank or system admin and ask if the email or popup asking for your password, PIN, or credit card is authentic.
Example of a phishing email pretending to be from a legitimate bank:
The link contained in the email looks legitimate and contains https, which users take as the sign of a secure website. However, the link leads to a fraudulent website that prompts users to log on and/or enter personal information (name, account number, password). Information entered is gathered by the phisher and used for malicious purposes.
The above email would link to a site that looks virtually identical to the legitimate site, making it seem to the user that they are simply logging into their bank's website.
Social Engineering Scams
Apart from "Phishing" scams, where the perpetrator aims to acquire your credentials or other personal data, other social engineering scams are designed to trick you into sending money to aid an individual or fund a noble cause.
If you receive an email asking you to send money, be suspicious. Email addresses can be spoofed so that the email looks like it comes from a trusted source. Without replying to the email, try to contact the supposed sender -- go to the official website of the organization, or use your Contacts list or the McGill Staff directory to look up individuals.
If you are in doubt about the authenticity of any email, send it as an attachment to email@example.com.
Phishing emails use any number of tricks to fool users:
- Duplicated content from official websites
- Legitimate looking email addresses
- Personalized greetings
What to look for:
- Domain names that really are registered, but not to the institution they imitate: they look authentic and appear to belong to the spoofed institution (e.g. fake site: www.theroyalbank.ca / real site: www.royalbank.com)
- Check the IP address in the address bar.
- Obscured URLs (www.theroyalbank.com/379505838/1/obscure.html)
- Fraudulent pages that float in front of the true site
- Well-placed errors
- Online forms where a customer must confirm their personal details which are already on file
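As an added example (not part of the original article), the checker below applies the warning signs listed above to a link before it is trusted: a bare IP address as the host, a host that mentions the bank's name but is registered under a different domain, and long numeric path segments that obscure the destination. TRUSTED_DOMAINS and the two-label "registrable domain" rule are assumptions for illustration.

```python
"""Flag links that show the phishing warning signs described above (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: the domain the user actually does banking with.
# Note that "https" in the link is deliberately NOT treated as a sign of legitimacy.
TRUSTED_DOMAINS = {"royalbank.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels ('theroyalbank.ca' for 'www.theroyalbank.ca').
    Assumption: two-label suffixes; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the host is an IPv4/IPv6 address instead of a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_reasons(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable reasons the link looks fraudulent (empty if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    if is_ip_literal(host):
        reasons.append("host is a bare IP address, not a domain name")
        return reasons
    domain = registrable_domain(host)
    if domain not in trusted:
        # A brand name inside the host does not make it legitimate: the registered
        # domain is what matters (theroyalbank.ca is not royalbank.com).
        brands = [t.split(".")[0] for t in trusted if t.split(".")[0] in host]
        if brands:
            reasons.append(f"host {host!r} mentions {brands[0]!r} but is registered as {domain!r}")
        else:
            reasons.append(f"host {host!r} is not a trusted domain")
    segments = [s for s in parts.path.split("/") if s]
    if any(s.isdigit() and len(s) >= 6 for s in segments):
        reasons.append("long numeric path segments obscure the destination")
    return reasons


if __name__ == "__main__":
    for link in ("https://www.royalbank.com/online-banking",
                 "https://www.theroyalbank.ca/login",
                 "www.theroyalbank.com/379505838/1/obscure.html"):
        print(link, "->", suspicious_reasons(link) or "no warning signs")
```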
Common Phrases Found in Phishing Emails:
- "Dear Valued Customer." Phishing email messages are usually sent out in bulk and often they are not personalized. If reputable institutions send you an email, they will put your name on it.
- "Verify your account." Your financial institutions will never ask you to send passwords, login names or other personal information via email. If you believe that your account has problems, just call the institution directly using the official phone number.
- "If you don't respond within 48 hours, your account will be closed." Be cautious about messages that create a sense of urgency or push you to react without thinking.
- "Click the link below to gain access to your account." The link that you are urged to click will lead you to a fraudulent website or login page, where you can fill out your personal information; the page may look identical to the real site, but if you check the URL you will notice that it is not legitimate. If you are unsure about the legitimacy of the email, do not click the link in the email. Instead, open your browser and type in the official URL.
Prevention and Protection
- Remember that reputable institutions will never email you to confirm details of your account.
- Never click on a link within an email; always type in the URL of the site yourself and navigate to the login page via their menu.
- Never email confidential information to ANYONE.
- Never give out information over the phone if you did not initiate the call.
- Online banking is only safe if your computer is free of malware and protected against threats.
- Even the most convincing websites can be fake, as images and content from the legitimate website are used to fool users.
- Even if the website has a secure address or the security lock is shown on your browser, the website can still be fraudulent, so type in the URL yourself.
- Make sure you are using an up-to-date browser. While it doesn't have to be the latest version, it MUST be a supported (by the vendor) version.
- If you suspect a website to be fraudulent, enter a fake username and password combination. If the website accepts the information, it means that it is a phishing website.
- Typos are a red flag.
- Change your passwords periodically.
- Use a phishing filter (see below).
A Phishing Filter is designed to warn or block you from potentially harmful websites. All major browsers have phishing filters enabled by default that are intended to protect you from malicious sites. Make sure it is enabled in your browser!
- Internet Explorer includes the SmartScreen Filter. It helps identify reported phishing and malware sites and also helps you make informed decisions about downloads.
- In Firefox, phishing and malware detection is enabled by default.
- In Google Chrome, phishing and malware detection is enabled by default.
- In Safari, go to Tools menu > Internet Options > Advanced tab, and scroll down to the Security section. Under Phishing, make sure that the Fraudulent Website Warning or Turn on automatic website checking feature is enabled.
If the phishing filter is enabled, you will be warned if the site you're trying to visit is suspected of phishing or hosting malware.
How to report phishing attempts
If you receive a spear phishing email - one that targets McGill users and appears to be coming from McGill - check to see if there is already an announcement posted on the IT Security Alerts page (www.mcgill.ca/it/information-security/it-security-alerts). If not, please send the questionable email as an attachment to firstname.lastname@example.org immediately; McGill IT Security will take measures to minimize the risk to the McGill community.
For other phishing or scam emails, delete them from your Inbox immediately. You can also block suspicious senders by using the Block Senders feature in Outlook.
© IT Service Desk