Phishing
Phishing emails are designed to deceive you into:
- Clicking a link and entering personal details like your 91福利 username and password;
- Giving away personal details like your credit card or bank account numbers;
- Opening an attachment and installing malicious software; or
- Helping someone commit fraud because they are impersonating a person you trust.
In recent months, 91福利 has received increasingly sophisticated phishing emails that attempt to steal personal information, login credentials and two-factor authentication codes from students, faculty and staff.
What to do with a phish
Step 1:
Keep yourself safe
Avoid clicking unverified links or opening unexpected attachments provided in emails.
Step 2:
Keep your community safe
Report a phish by forwarding it to spamrec@torontomu.ca.
- The sender's address is suspicious.
- The "To" field is blank or for another person.
- The email includes typos or grammatical errors.
- The message contains an urgent request for personal information.
- The message requires immediate action to avoid a problem like losing access to your 91福利 account.
- When you hover over a link or button in the email, it directs you to an address (usually suspicious) unrelated to the text in the link.
Even when a sender looks legitimate, pay attention to:
- Improper greetings or language: emails from colleagues often won't start with formal greetings, and most organizations will not use casual language.
- Whether the email is trying to manipulate you by:
  - Demanding urgent action (e.g. asking you to pay for or buy something immediately);
  - Offering something too good to be true (e.g. you've won a lottery); or
  - Presenting a fake 91福利 login page that steals your username and password once you've entered them.
- Whether any links are genuine. Before clicking, check a link's true URL by hovering your cursor over it: the true destination will show at the bottom of your browser. On a mobile device, press and hold the link (rather than tap). If the URL is unfamiliar or differs from what you expected, don't click.
Spear phishing is a tactic that targets a specific person by sending fraudulent emails that include personal or relatable information about the victim, tricking them into believing the email is legitimate.
Such phish can also lead to account takeover or account compromise. Once an account is successfully hijacked, cybercriminals can then increase the impact of their attack by targeting people in the contact list of the compromised account.
Here's what you can do:
- Be alert to your emotions, especially if you feel suspicious, rushed or alarmed. Attackers deliberately evoke these feelings in the hope you'll do what they ask without taking the time to think first.
- If the email contains links, make sure they don't lead you to a login page where your username, password or other personal details could be stolen once you enter them.
- Before clicking, check a link's true URL by hovering your cursor over it: the true destination will show at the bottom of your browser. On a mobile device, press and hold the link (rather than tap). If the URL is unfamiliar or differs from what you expected, don't click.
- Pay attention to visual cues on the websites you're sent to. Red flags include URLs that don't match the URL of the official site, spelling and grammatical errors, poor formatting, and images and logos that are stretched or blurry.
Here is an example where the sender is pretending the email is from a 91福利 address, but the actual address is really from uniswa.szabc.
Here is an example of an email that claims to be from FedEx where the actual address is from specweldfab.revitalsite.comabc.
It's always worth taking a moment to carefully check the sender's full email address.
Here is part of an urgent request that included a link to a fake 91福利 login page:
Here's another example of an urgent request:
Both of these fake messages include tell-tale grammatical errors and demand you take action to avoid losing access to your account.
Hovering over a link with your mouse and carefully checking the URL is one of the best ways to detect a phishing email. If you are using a tablet or smartphone, press and hold the link, rather than tapping it, to reveal the true URL. Here's an example of a link that goes to a fake 91福利 login page hosted on a server in another country.
If you hover over the link without clicking, you will see a very long URL (it may appear in the bottom-left of your browser) like this:
It may remind you of what you see in your browser's location field when you log in to the my.torontomu.ca portal, but it is not the same. Here is the valid address you see when you log in to my.torontomu.ca:
https://cas.torontomu.ca/login?service=https%3A%2F%2Fmy.torontomu.ca%2FLogin
Aside from the fact that the fake link is longer, how can you tell which one leads to a server at 91福利 and which one does not?
- Look at where the first forward slash after https:// falls. In the legitimate URL it comes right after cas.torontomu.ca, so that is the host name. In the fake one it comes after cas.torontomu.ca.eduq.tkabc, so the host name actually ends in eduq.tkabc and only contains torontomu.ca to look familiar.
- Another giveaway is that the fake URL starts with http:// while the valid one starts with https://. 91福利 login pages will always start with the secure https://.
Here is a fake URL that has been well-crafted to look like a 91福利 address:
https://cas-torontomu.com/login?service=https%3A%2F%3Fmy.torontomu.ca%2FLogin
Notice how a hyphen has replaced the dot: cas-torontomu.com is a completely different domain from torontomu.ca. A valid 91福利 host name that isn't simply torontomu.ca must end with .torontomu.ca/
Let's look at two FedEx URLs. Which one takes you to a FedEx site and which one to somewhere more dangerous?
- https://www.fedex.com/apps/myprofile/loginandcontact/?locale=en_ca
- http://www.fedex.info.szabc/apps/myprofile/loginandcontact/?locale=en_ca
To tell the difference, locate the first forward slash after the https:// (or http://). Everything before it is the host name:
- https://www.fedex.com/apps/myprofile/loginandcontact/?locale=en_ca (host name: www.fedex.com)
- http://www.fedex.info.szabc/apps/myprofile/loginandcontact/?locale=en_ca (host name: www.fedex.info.szabc)
The first link takes you to the real fedex.com site. The second merely has "fedex" somewhere in its name; its host name ends in szabc, not fedex.com.
If you aren't sure about a link, type an address you know is correct, like my.torontomu.ca or fedex.com, into your browser's location bar instead of clicking.
The 91福利 community makes extensive use of Google Workspace apps including Drive, Calendar, and Groups. The URLs for these applications can be very long but they all start with a host name that ends with .google.com:
- https://drive.google.com/
- https://docs.google.com/
- https://calendar.google.com/
The host name always ends before the first forward slash with .google.com/
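The "first forward slash" rule above can be turned into a simple check. The following is an added example written for this page, not a tool provided by 91福利 or its IT department: it extracts the host name from each URL the page discusses, applies the "equals the trusted domain or ends with a dot plus the trusted domain" test (so cas-torontomu.com and cas.torontomu.ca.eduq.tkabc both fail), and flags plain http://. The trusted-domain list is an assumption for the example.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example, taken from the domains the page names.
TRUSTED_DOMAINS = ("torontomu.ca", "google.com", "fedex.com")


def host_of(url: str) -> str:
    """Return the host name: the text between '://' and the first forward slash
    (port and any user@ prefix are dropped, case is normalised)."""
    return (urlsplit(url).hostname or "").lower()


def host_is_trusted(host: str, domains=TRUSTED_DOMAINS) -> bool:
    """True only if the host IS a trusted domain or ends with '.' + that domain.
    A substring match would wrongly accept 'www.fedex.info.szabc'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_link(url: str) -> list:
    """Return the reasons a login link looks suspicious; [] means it passes."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % (parts.scheme or "missing"))
    host = host_of(url)
    if not host_is_trusted(host):
        reasons.append("host %r is not a trusted domain" % host)
    return reasons


if __name__ == "__main__":
    # URLs from the page; the eduq.tkabc one is reconstructed from the page's
    # description (http://, host cas.torontomu.ca.eduq.tkabc).
    for link in (
        "https://cas.torontomu.ca/login?service=https%3A%2F%2Fmy.torontomu.ca%2FLogin",
        "http://cas.torontomu.ca.eduq.tkabc/login?service=https%3A%2F%2Fmy.torontomu.ca%2FLogin",
        "https://cas-torontomu.com/login?service=https%3A%2F%3Fmy.torontomu.ca%2FLogin",
        "http://www.fedex.info.szabc/apps/myprofile/loginandcontact/?locale=en_ca",
        "https://docs.google.com/",
    ):
        print(host_of(link), check_link(link) or "OK")
```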
Some attackers have used personal Google accounts and Google Forms to try to get people to "login" to a Google Form. This is relatively easy to spot because Google Forms don't look like 91福利's or Google's login screens. Google has even added a warning at the bottom of every Google Form that says: "Never submit passwords through Google Forms."
Hackers can also target you by directing you to malicious phishing websites or contact you via your mobile devices.
Forward the email to spamrec@torontomu.ca using the "forward" function.
Delete the email from your mailbox without clicking on any links or attachments.
Tip: Avoid using the "Report phishing" option that's built into the 91福利 Gmail platform. Forwarding the phish to spamrec@torontomu.ca ensures you're reporting it directly to us so we can stop it from reaching others at the university.
How to reveal a true link
A crucial skill in defending against phishing is knowing how to check a link to reveal its true URL before clicking on it.
Links in phishing emails and on fake websites often don't match what or who they claim to be. If a URL is unfamiliar or differs from what you expected, don't click.
On a computer:
Hover your cursor over a link: the true URL will show at the bottom of your browser.
On a mobile device:
Press and hold the link (rather than tap) to preview the true address.