Phishing attempts (don't take the bait!)

Got a suspicious email? Check our FAQ about phishing scams before you reply to it: "Security: Phishing Emails, Blocking Senders and Managing Junk Email".

On this page we focus on scams and phishing attempts that target OCAD U. Most banks and financial institutions have similar pages.

Read these tips to protect yourself against phishing attempts!

Don’t take the bait:

Many people are familiar with the traditional phishing attack, which arrives in an email that appears to have been sent from your bank or ISP, warning that your account will be suspended unless you take some action immediately, usually clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Commercial emails that emphasize urgency should always be considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment (most phishing scams are hosted on hacked, legitimate Web sites). If you’re really concerned, pick up the phone (gasp!) and call the company to find out if there really is anything for you to be concerned about.

  1. Links Lie:  

    Don’t take links at face value. The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you. 

  2. "From" Fields can be forged:  

    Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged. If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email. 

  3. When in doubt, type it out:  

    If you’re not sure about the validity of an email, don’t click on the link in the message. Instead, take a moment to visit the Web site of the sender in question by typing the URL into a Web browser, and access your account normally. 

  4. Keep in mind that phishing can take many forms:  

    Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a Trojan that steals all of the sensitive data on victim PCs. So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. 

  5. If you didn’t go looking for it, don’t install it:  

    Password-stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. 

  6. The point to remember is:  

    If it wasn’t your idea to install something from the get-go, don’t do it. Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor’s Web site if you can.
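
The "Links Lie" tip above, as an added Python example (not part of the original OCAD U page). The hypothetical `real_domain` applies the work-backwards rule to the host part of a link and goes beyond the tip by handling a "user@" prefix, raw IP addresses and two-part suffixes such as co.uk; `link_mismatch` compares the text a link shows with where it really goes. All URLs are constructed samples, and the suffix set is a small illustrative subset, not the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: illustrative subset only. Real tools use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def real_domain(link: str) -> str:
    """Return the "root" domain a link actually leads to."""
    # Links typed without a scheme still need one so the host is parsed correctly.
    parts = urlsplit(link if "://" in link else "http://" + link)
    # .hostname drops any "user:password@" prefix and the port, and lowercases.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no host found in {link!r}")
    labels = host.split(".")
    # Raw IPv4/IPv6 addresses have no root domain; report the address itself.
    if ":" in host or all(label.isdigit() for label in labels):
        return host
    # The tip's rule: keep what follows the second dot from the right,
    # or one label more when the ending is a two-part suffix like co.uk.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def link_mismatch(shown_text: str, href: str) -> bool:
    """True when the address displayed to the reader and the link target differ."""
    return real_domain(shown_text) != real_domain(href)


if __name__ == "__main__":
    samples = [  # constructed examples
        "http://www.mybank.example/login",
        "http://mybank.example.secure-update.test/verify?u=1",
        "https://mybank.example@203.0.113.5/login",
        "https://accounts.example.co.uk/",
    ]
    for url in samples:
        print(f"{url}\n    -> {real_domain(url)}")
    print(link_mismatch("www.mybank.example",
                        "http://mybank.example.secure-update.test/verify"))
```

In the second and third samples the bank's name appears in the link, but the browser would connect to a different domain or to a bare IP address.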