Phishing

What is phishing?

Phishing is the attempt by cyber criminals to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money) by posing as a trustworthy entity in an electronic communication (email, text message, etc.). Phishing tactics usually ask the victim to click on a link that leads to a fraudulent website designed to fool the person into submitting the desired information.

How to spot phishing

If you look at the samples below, you'll see that it can be hard to distinguish a scam or phishing email from a legitimate one. Scammers can easily reuse legitimate emails (just replacing the links), or copy images and other content they find online, to create realistic-looking emails and fake websites. Here are some tips to watch for, but remember that anyone can be a target, and it's easy to be fooled.

  1. It's incredibly easy to buy a URL/web address with the word "McGill" in it. There are millions of potential combinations that could be used. Just because you see the word McGill (or any other company/institution name) in a URL doesn't mean it's legitimate, or owned/managed by McGill University. It is even easier, and costs nothing, to send out an email from a fake address that looks like it comes from a friend, coworker, or business contact.
  2. Look for the domain name in a URL. One way to tell whether a link is fake is to check the domain name in the URL by hovering your mouse over the link. Find the part of the address immediately to the left of the first forward slash that follows the address prefix (the https:// part); the domain name is the end of that part (including the .ca, .gov, .edu, .com, .net, .org), reading to the left until the first dot.
    Example: [image: a URL with its domain name highlighted]
    IMPORTANT: We don't recommend attempting to hover over a link on a mobile device.
  3. If someone you don't know sends you an attachment, don't open it! Viruses and malware can be packaged in a .zip file, a Word document, a PDF, and many other types of attachments. If someone you do know sent an attachment you weren't expecting, we recommend calling them before opening it. Their account could have been compromised and used without their knowledge.
  4. Scammers often use threatening language or try to create a sense of urgency to get readers to panic and follow their instructions without stopping to question them.
  5. Spelling mistakes and bad grammar can often (but not always) be found in phishing emails.
  6. Fancy/legitimate-sounding group names in the signature. Even with targeted emails (spear-phishing), scammers don't always bother to look up the actual name of the group/unit they supposedly belong to. Instead, they make up a generic name that could plausibly apply.
  7. Copy/paste of branding. This could be copyright info, contact details taken off a website, logos, etc. Sometimes, it's easier to spot since the scammers don't always format it to match the rest of their email.
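Tips 1 and 2 can be turned into a quick check. The script below is an added example, not something from the McGill page: it applies the "first slash, then read left to the first dot" rule to pull the domain name out of a link and flags links that contain the word "mcgill" without actually pointing at mcgill.ca. The set of two-label suffixes and the sample links are constructed for the example; a real checker would consult the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed, deliberately small set of two-label public suffixes; a real
# checker should consult the Public Suffix List instead of this.
TWO_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "qc.ca", "on.ca"}


def registered_domain(url: str) -> str:
    """Return the domain name a person would read out of a URL, lower-cased.

    Rule from the tip above: take the host part just before the first '/'
    that follows the scheme, then read from the right-hand suffix (.ca, .com,
    ...) leftwards to the first dot. 'https://login.mcgill.ca/sso' -> 'mcgill.ca'.
    """
    if "://" not in url:                    # address pasted without http:// or https://
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host.replace(".", "").isdigit():     # a bare IPv4 address has no domain name at all
        return host
    labels = host.split(".")
    if len(labels) < 2:                     # e.g. 'localhost'
        return host
    take = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def looks_like_impersonation(url: str, trusted: str = "mcgill.ca",
                             keyword: str = "mcgill") -> bool:
    """True when the brand keyword appears anywhere in the link but the domain
    name actually being visited is not the trusted one (tip 1 above)."""
    return keyword in url.lower() and registered_domain(url) != trusted.lower()


if __name__ == "__main__":
    # Constructed sample links, of the kind revealed by hovering over a link in an email
    samples = [
        "https://www.mcgill.ca/it/phishing",                # legitimate
        "https://mcgill.ca.secure-login.example/account",   # brand used as a subdomain elsewhere
        "https://secure-login.example/mcgill/reset",        # brand appears only in the path
        "http://mcgill-university.example.com/webmail",     # brand inside a different domain
    ]
    for link in samples:
        verdict = "SUSPICIOUS" if looks_like_impersonation(link) else "ok"
        print(f"{verdict:10} {registered_domain(link):25} {link}")
```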

For more information on protecting yourself from phishing scams, take our online IT Security Awareness training. It's completely anonymous, and you can watch it from anywhere, at any time.

When in doubt, don't click it!
At any time, you can report a suspicious email to phishing [at] mcgill.ca.