Phishing Attacks

What is “Phishing”?

Phishing is a form of cyber attack that uses fraudulent emails to trick people into divulging personal information, usually through a link that leads to a data-collection form or an attachment that downloads malware. The email is typically worded to pressure the recipient into following the instructions in the message, presenting the request as urgent or as something they want or need, so that they click a link or open an attachment.

In a phishing attack, the sender will generally impersonate someone trusted or a well-known institution (a bank, an employee at your organization, a government official, etc.) to try to appear legitimate. Phishing attacks have been around since the 1990s but have become increasingly persuasive, sophisticated, and realistic-looking in recent years. It is estimated that 1 in 10 people who receive a phishing email will fall victim to it and that as many as 3 in 10 people who receive a more sophisticated version will fall prey.

Examples of phishing messages reported to the University’s IT can be found here.

“Phishing” Red Flags

A strong sense of urgency and/or odd requests: These emails will often request that you complete a task quickly so that you don’t have time to consider or think about the request. A common example is when attackers pose as the victim’s boss and ask them to quickly purchase a gift card and send the code via email.

Requesting personal information: Legitimate organizations are unlikely to request sensitive or personal information through email, so a request for this information is often a sign of a phishing attempt. University of Toronto (U of T) staff, faculty, and students will never be asked to share their UTORid password.

Spelling and/or grammar mistakes: Check for spelling mistakes and/or grammatically incorrect sentences. If you are already suspicious, these mistakes can be an indication of a phishing email.

Brief signatures and generic greetings: The email signature may be missing crucial information like an address or phone number, while the greeting may use phrasing such as “good afternoon,” “dear customer,” or no greeting at all rather than your name.

Intriguing attachments or links: Phishing emails aim to trick you into clicking malicious links or opening malicious attachments. The attachments might even include fake images or icons to make it look like the sender is sharing or sending a document you are expecting. Fake links might be hyperlinked so that the display text seems legitimate, but the hyperlinked address is malicious.
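The last red flag, a link whose display text looks legitimate while the real target points elsewhere, can be checked automatically. The following Python snippet is an added example, not part of the original page: it parses an HTML email body and reports every link whose visible text names a different host than the address it actually points to. The sample message is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample HTML email body; the hosts are placeholders, not real sites.
SAMPLE_HTML = """
<p>Dear customer, your account will be locked in 24 hours.</p>
<p>Sign in at <a href="http://login-verify.example.net/auth">https://www.example-bank.com/login</a></p>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

# Matches a hostname (optionally with scheme) inside the visible link text.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _host(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def find_mismatched_links(html):
    """Return anchors whose visible text names a host other than the real link target."""
    collector = _AnchorCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.anchors:
        match = _HOST_RE.search(text)
        if not match:
            continue  # plain words such as "our help page": nothing to compare against
        shown, actual = match.group(1).lower(), _host(href)
        if shown != actual:
            mismatches.append({"shown": shown, "actual": actual, "href": href})
    return mismatches
```

Running `find_mismatched_links(SAMPLE_HTML)` flags only the first link, whose text shows the bank's domain while the target is a different host; the second link's text is plain words and is left alone.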