To Catch a Phish

Phishers are good at what they do. You might know the warning signs of a phishing email, but if the bait looks legitimate, you can still get hooked.

15 October 2018

Dear valued customer,

We have received information that you recently tried to withdraw the following amount from your chequing account while in another country: $235.14. If this is not correct, then click the link below to verify your personal information and receive your full refund:

http://www.trustedbank.definitelynotascam/

Look familiar? Every day our inboxes get a barrage of phishing attacks. Over half of internet users receive at least one phishing email every day, and according to Verizon's 2018 Data Breach Investigations Report:

  • 92% of malware is transmitted via email;
  • 16% of data breaches in the education industry are due to human error;
  • 39% of malware-related data breaches involve ransomware, twice the share seen the year before.

What is phishing?

Phishing is a fraudulent email that appears to come from a legitimate organization and tries to convince you to divulge personal information, such as passwords and credit card numbers. Links in phishing emails often lead to phoney sites that encourage you to hand your personal or financial information to the criminals behind them.

There are three main types of phishing attack to be aware of:

  1. Clone phishing: a previously delivered, legitimate email is copied to create a phishing clone, sent from an email address spoofed to look like the original sender's. The clone contains a malicious link or attachment in place of the original one.
  2. Spear phishing: a targeted phishing attack directed at specific individuals or companies. Attackers may gather personal information about their targets to increase their likelihood of success.
  3. Whaling: a targeted phishing attack directed at senior executives and other high-profile business targets.

How do I recognize a phishing attack?

Phishing emails can look legitimate; that's why so many people fall victim to them. The most important thing to remember is to stay constantly vigilant online, especially when using email.

Here are some tips to catch a phish:

  1. Don't trust the display name: always check the sender's actual email address. The part after the @ is the sender's domain, and that is what tells you who really sent the message: an address like royalbank@secure.123.com comes from 123.com, not from the bank. Keep in mind that the address itself can be forged, so a plausible-looking domain does not prove the email is genuine.
  2. Don't click links or open attachments: hover your mouse over a link to see where the URL actually leads, but don't click it. Don't open any attachment you weren't expecting.
  3. Check for spelling mistakes: legitimate organizations have professional communicators, so their emails typically do not contain spelling and grammar mistakes. An excess of spelling and grammar errors indicates a phishing attack.
  4. Be aware of urgent or threatening language: phishing attacks prey on our emotions. Invoking a sense of urgency is a common phishing tactic, so be on the lookout for subject lines like "your account has been suspended," "unauthorized login attempt," or "claim your $618.52 tax refund now."
  5. Review the signature: legitimate companies normally provide contact details. If a signature is missing or incomplete, it may be a phishing attack.
  6. Never give up personal information: banks, lending institutions, insurance companies, health care services, credit card companies, and government organizations will never ask for your personal information over email. If in doubt, call the organization to verify that it sent the email, using a phone number from its website or your statement rather than one printed in the email itself.
  7. Always be skeptical: phishing emails may have convincing logos, language, and a seemingly valid email address. But just because it looks legitimate doesn't mean it is. Don't believe everything you see. If an email looks even remotely suspicious, don't open it.
  8. Forward phishing attacks to IST: if you get what you believe is a phishing email, forward it to ist@ualberta.ca with the subject line "Suspected Phishing Email." We'll let you know if it's legitimate, and if it's not, that will help us protect the next potential victim.
  9. Be wary of monetary requests: some phishing emails will request or demand monetary payment, often in the form of iTunes or Amazon gift cards. These emails may even seem to come from a trusted contact. But be cautious with anyone asking for money or gift cards. First, pick up the phone and connect with the apparent sender to verify.
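Tips 1, 2 and 4 are checks a script can apply to a raw email before a person ever reads it. As an added, worked example that is not part of the original article and not IST code, the Python below parses a message with the standard library, compares the sender's domain with the domain the message claims to represent, compares the host shown in each link's text with the host the link actually points to (the hover check), and looks for the urgent subject-line phrases listed above. The two messages, the bank name and every domain in them are constructed for the example. Treat a finding as a reason to look closer rather than a verdict: the From address is trivially forged, so a matching domain proves nothing, and a clean run does not make an email safe.

```python
"""Heuristic phishing checks for a raw (RFC 5322) email message.

Added illustration, not University of Alberta IST code. Sample messages,
the bank name and all domains below are constructed for the example.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Urgency phrases from the tips above (subject lines are lower-cased first).
URGENT_PHRASES = ("account has been suspended", "unauthorized login attempt", "tax refund")

# Constructed phishing sample: display name says the bank, the address does not,
# and the link text shows the bank's real site while the href goes elsewhere.
PHISH_EML = """From: "TrustedBank Security" <alerts@secure-trustedbank-login.example>
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear valued customer,</p>
<p>We have received information that you recently tried to withdraw $235.14
while in another country. If this is not correct,
<a href="http://www.trustedbank.definitelynotascam/refund">https://www.trustedbank.example/refund</a>
to verify your personal information and receive your full refund.</p>
</body></html>
"""

# Constructed legitimate control: sender domain and link host both match the bank.
LEGIT_EML = """From: "TrustedBank" <statements@trustedbank.example>
To: customer@example.org
Subject: Your October statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.trustedbank.example/">www.trustedbank.example</a>
to view your statement.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host of a URL or bare www. domain; '' if text is not URL-like."""
    if "://" not in text and not text.startswith("www."):
        return ""
    return urlsplit(text if "://" in text else "http://" + text).hostname or ""


def analyse(raw, claimed_domain):
    """Return a list of findings for raw email text; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tip 1: the domain after the @ is what matters, not the display name.
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != claimed_domain and not sender_domain.endswith("." + claimed_domain):
        findings.append(f"display name {display!r} but sender domain is {sender_domain!r}, not {claimed_domain!r}")

    # Tip 4: urgent or threatening subject lines.
    subject = str(msg["Subject"] or "").lower()
    findings += [f"urgent language in subject: {p!r}" for p in URGENT_PHRASES if p in subject]

    # Tip 2: the hover check. Compare the host the link text shows with the href host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown, actual = host_of(text), host_of(href)
            if shown and shown != actual:
                findings.append(f"link text shows {shown!r} but points to {actual!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, analyse(raw, "trustedbank.example") or ["nothing flagged"])
```

The hover check only fires when the link text itself looks like a URL; a link that says "click here" gives the reader nothing to compare, which is exactly why the tip says to hover and read the real destination. Lookalike domains (trustedbank-secure.example, trustedbank.co) pass the sender check unless you list every domain the organization actually uses, so the claimed domain should come from your own records, never from the email.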

Visit Email & Phishing to see some examples of phishing attacks at the U of A.