To Catch a Phish

Phishers are good at what they do. You might know the warning signs of a phishing email, but if the bait looks legitimate, you can still get hooked.

15 October 2018

Dear valued customer,

We have received information that you recently tried to withdraw the following amount from your chequing account while in another country: $235.14. If this is not correct, then click the link below to verify your personal information and receive your full refund:

http://www.trustedbank.definitelynotascam/


Look familiar? Every day, our email accounts get a barrage of phishing attacks. Over half of internet users receive at least one phishing email in their inbox every day, and according to Verizon's 2018 Data Breach Investigations Report:

  • 92% of malware is transmitted via email;
  • 16% of data breaches in the education industry are due to human error;
  • 39% of malware-related data breaches contain ransomware, twice the number of last year.

What is phishing?

Phishing is when a fraudulent email is sent from a seemingly legitimate organization in an attempt to convince individuals to divulge personal information, such as passwords and credit card numbers. Links in phishing emails will often take you to phoney sites that encourage you to send personal or financial information to these criminals.

There are three main phishing attacks to be aware of:

  1. Clone phishing: a previously delivered, legitimate email is used to create a phishing clone, sent from an email address spoofed to look like the original sender. These phishing emails contain a malicious link or attachment.
  2. Spear phishing: a targeted phishing attack directed at specific individuals or companies. Attackers may gather personal information about their targets to increase their likelihood of success.
  3. Whaling: a targeted phishing attack directed at senior executives and other high-profile business targets.

How do I recognize a phishing attack?

Phishing emails can look legitimate; that's why so many people fall victim to them. The most important thing to remember is to stay constantly vigilant against unusual and irregular requests, especially when unsolicited, as they are most likely scams. Do not respond, click on any links, or open attachments. Mark them as spam and delete them. If in doubt, phone the supposed sender or discuss the request with them outside of email.

Email phishing scams can include the correct display name (first and last name), likely gleaned from public website information. A telltale sign is often the reply-to address, which will not be an @ualberta.ca account. In the current wave of email phishing, scammers use some form of the correct name in the local part of the address, but the domain is often @gmail.com or @hotmail.com. Examples of scammers' reply-to addresses include gordie.mah.ualberta.ca@gmail.com or mah.ualberta.ca@hotmail.com.

Simply receiving scam emails does not lead to compromise or harm, but clicking links or engaging can. Do not respond or click; delete these emails immediately and flag them as spam. Similarly, the individuals being impersonated are likely not compromised either. Do spread the news and awareness to your coworkers so they stay alert and vigilant.

Here are some tips to catch a phish:

  1. Don't trust the display name: always check the sender's actual email address. The sender's domain name (e.g., royalbank@secure.123.com, where the domain is secure.123.com rather than the bank's) will indicate if it's a phishing attack.
  2. Don't click any links or attachments: hover your mouse over the link to see where the URL leads you, but don't click. Don't open any email attachments you weren't expecting.
  3. Check for spelling mistakes: legitimate organizations have professional communicators, so their emails typically do not contain spelling and grammar mistakes. An excess of spelling and grammar errors indicates a phishing attack.
  4. Be aware of urgent or threatening language: phishing attacks prey on our emotions. Invoking a sense of urgency is a common phishing tactic, so be on the lookout for subject lines like "your account has been suspended," "unauthorized login attempt," or "claim your $618.52 tax refund now."
  5. Review the signature: legitimate companies always provide contact details. If a signature is missing or incomplete, it may be a phishing attack.
  6. Never give up personal information: banks, lending institutions, insurance companies, health care services, credit card companies, and government organizations will never ask for your personal information over email. If in doubt, call the organization to verify if they sent the email.
  7. Always be skeptical: phishing emails may have convincing logos, language, and a seemingly valid email address. But just because it looks legitimate doesn't mean it is. Don't believe everything you see. If an email looks even remotely suspicious, don't open it.
  8. Forward phishing attacks to IST: if you get what you believe is a phishing email, forward it to ist@ualberta.ca with the subject line "Suspected Phishing Email." We'll let you know if it's legitimate, and if it's not, that will help us protect the next potential victim.
  9. Be wary of monetary requests: some phishing emails will request or demand monetary payment, often in the form of iTunes or Amazon gift cards. These emails may even seem to come from a trusted contact. But be cautious with anyone asking for money or gift cards. First, pick up the phone and connect with the apparent sender to verify.
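The reply-to check described earlier and tips 1 and 2 can be automated for triage. The following is an added example (not code from IST or the article) that parses a constructed sample message, compares the Reply-To domain with the From domain and with the free webmail domains the article names, flags the institution's domain appearing inside the local part (the gordie.mah.ualberta.ca@gmail.com pattern), and compares each link's visible text with its real destination. The sender name and message body are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "ualberta.ca"                 # institution's domain, as in the article
FREEMAIL = {"gmail.com", "hotmail.com"}    # webmail domains the article calls out

# Constructed sample that mimics the reply-to pattern the article describes.
SAMPLE = """\
From: Jane Doe <jane.doe@ualberta.ca>
Reply-To: Jane Doe <jane.doe.ualberta.ca@gmail.com>
Subject: Urgent request
Content-Type: text/html

<p>Are you available? Please confirm here:
<a href="http://www.trustedbank.definitelynotascam/">https://www.ualberta.ca/ist</a></p>
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phish_indicators(raw: str) -> list[str]:
    """Return human-readable warning signs found in the headers and body."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    # Tip 1: judge the real addresses, not the display name.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if reply_dom in FREEMAIL:
        findings.append(f"Reply-To uses free webmail domain {reply_dom}")
    # The article's example: the institution's domain smuggled into the local part.
    local_part = reply_addr.split("@", 1)[0].lower()
    if ORG_DOMAIN in local_part:
        findings.append(f"'{ORG_DOMAIN}' appears inside the local part of {reply_addr}")
    # Tip 2: "hover before you click" done programmatically on anchor tags.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = text.strip()
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(f"Link text {shown} actually points to {href}")
    return findings


if __name__ == "__main__":
    for line in phish_indicators(SAMPLE):
        print("WARNING:", line)
```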

For guidance and resources on phishing, see the following articles for more information:

Don't Lose Your Money to Phishers (November 15, 2018)

Can You Tell A CRA Agent from a Scam Artist (February 10, 2020)

Phishing, Phone Calls and Frauds: How to Stay Safe This Tax Season (February 10, 2020)

Phishing Has Evolved...Have You? (October 1, 2019)

Don't Get Hooked by this Parking Services Phishing Scam (September 26, 2019)

Don't Hand Over That Bitcoin Payment - Protect Yourself from Sextortion (July 24, 2018)

The CRA Is Not Calling You - Protect Yourself from Tax Fraud (January 12, 2018)

Detect Phishing Emails

Visit Email & Phishing to see some examples of phishing attacks at UAlberta.