Email & Phishing

What to Watch For:

Revised March 3, 2020

Dear valued customer,

We have received information that you recently tried to withdraw the following amount from your chequing account while in another country: $235.14. If this is not correct, then click the link below to verify your personal information and receive your full refund:

http://www.trustedbank.definitelynotascam/

Look familiar? Every day, our email accounts get a barrage of phishing attacks. Over half of internet users receive at least one phishing email in their inbox every day, and according to Verizon's 2018 Data Breach Investigations Report:

  • 92% of malware is transmitted via email;
  • 16% of data breaches in the education industry are due to human error;
  • 39% of malware-related data breaches contain ransomware, twice the previous year's figure.

What is phishing?

Phishing is when a fraudulent email is sent from a seemingly legitimate organization in an attempt to convince individuals to divulge personal information, such as passwords and credit card numbers. Links in phishing emails will often take you to phoney sites that encourage you to send personal or financial information to these criminals.

There are five main phishing attacks to be aware of:

  1. Clone phishing: a previously delivered, legitimate email is used to create a phishing clone, sent from an email address spoofed to look like the original sender. These phishing emails contain a malicious link or attachment.
  2. Spear phishing: a targeted phishing attack directed at specific individuals or companies. Attackers may gather personal information about their targets to increase their likelihood of success.
  3. Whaling: a targeted phishing attack directed at senior executives and other high-profile business targets.
  4. Smishing: a form of phishing that uses fake SMS (mobile phone text) messages to gain your personal information. These messages could come from strange phone numbers you’re unfamiliar with, or masquerade as a business. These messages will often invite you to download something or click a malicious link.
  5. Vishing: a form of phishing that uses internet phone services (VoIP) to trick people into providing sensitive personal information such as a credit card number. Sometimes these scammers will leave an urgent message hoping it will create panic that causes you to phone back. These messages can also appear positive, such as claiming you've won a prize. How many free cruises or flights have you supposedly won? Other common tactics include leaving messages stating your account has been compromised and leaving a number to call back to reset your password.

How do I recognize a phishing attack?

Phishing emails can look legitimate; that's why so many people fall victim to them. The most important thing to remember is to stay constantly vigilant against unusual and irregular requests, especially when unsolicited, as they are most likely scams. Do not respond, click on any links, or open attachments. Mark them as spam and delete them. If in doubt, phone the supposed sender or confirm with them through a channel other than the email itself.

Email phishing scams can include the correct display name (first_name and last_name). Again, the name is likely gleaned from website information. A telltale sign is often the reply-to address, which will not be an @ualberta.ca account. In the current wave of email phishing, scammers are using some form of the correct name in the prefix, but the account's domain is often @gmail.com or @hotmail.com. Examples of scammers' reply-to addresses include gordie.mah.ualberta.ca@gmail.com and mah.ualberta.ca@hotmail.com.

Simply receiving scam emails does not lead to compromise or harm, but clicking links or engaging can. Do not respond or click; immediately delete and flag these emails as spam. Similarly, the individuals being impersonated are likely not compromised either. Do spread the news and awareness to your coworkers so they stay alert and vigilant.

Here are some tips to catch a phish:

  1. Don't trust the display name: always check the sender's actual email address. The sender's domain name (e.g., royalbank@secure.123.com) will often reveal a phishing attack.
  2. Don't click any links or attachments: hover your mouse over the link to see where the URL leads you, but don't click. Don't open any email attachments you weren't expecting.
  3. Check for spelling mistakes: legitimate organizations have professional communicators, so their emails typically do not contain spelling and grammar mistakes. An excess of spelling and grammar errors indicates a phishing attack.
  4. Be aware of urgent or threatening language: phishing attacks prey on our emotions. Invoking a sense of urgency is a common phishing tactic, so be on the lookout for subject lines like "your account has been suspended," "unauthorized login attempt," or "claim your $618.52 tax refund now."
  5. Review the signature: legitimate companies always provide contact details. If a signature is missing or incomplete, it may be a phishing attack.
  6. Never give up personal information: banks, lending institutions, insurance companies, health care services, credit card companies, and government organizations will never ask for your personal information over email. If in doubt, call the organization to verify if they sent the email.
  7. Always be skeptical: phishing emails may have convincing logos, language, and a seemingly valid email address. But just because it looks legitimate doesn't mean it is. Don't believe everything you see. If an email looks even remotely suspicious, don't open it.
  8. Forward phishing attacks to IST: if you get what you believe is a phishing email, forward it to abuse@ualberta.ca with the subject line "Suspected Phishing Email." We'll let you know if it's legitimate, and if it's not, that will help us protect the next potential victim.
  9. Be wary of monetary requests: some phishing emails will request or demand monetary payment, often in the form of iTunes or Amazon gift cards. These emails may even seem to come from a trusted contact. But be cautious with anyone asking for money or gift cards. First, pick up the phone and connect with the apparent sender to verify.

For guidance and resources on phishing, see the following articles for more information:

Detect Phishing Emails