What is phishing?

Phishing is the attempt by cyber criminals to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money) by posing as a trustworthy entity in an electronic communication (email, text message, etc.). Phishing tactics usually request that the victim click on a link leading to a fraudulent website designed to fool the person into submitting the desired information.

How to spot phishing

If you look at the samples below, you'll see that it can be hard to distinguish a scam/phishing email from a legitimate one. Scammers can easily reuse legitimate emails (and just replace the links), or copy images and other content they find online to create realistic-looking emails and fake websites. Here are some tips on what to watch for, but remember that anyone can be a target, and it's easy to be fooled.

  1. It's incredibly easy to buy a URL/web address with the word "McGill" in it. There are millions of potential combinations that could be used. Just because you see the word McGill (or any other company/institution name) in a URL does not mean it's legitimate, or owned/managed by McGill University. It is even easier to send out an email with a fake sender address that looks like it comes from a friend, coworker, or business contact, and it doesn't cost anything.
  2. If someone you don't know is sending an attachment, don't open it! Viruses and malware can be packaged in a .zip file, a Word document, a PDF, and many other types of attachments. If someone you do know sent an attachment you weren't expecting, we recommend calling them before opening it. Their account could have been compromised and used without their knowledge.
  3. Scammers often use threatening language or try to create a sense of urgency to get readers to panic and follow their instructions without stopping to question them.
  4. Spelling mistakes and bad grammar can often (but not always) be found in phishing emails.
  5. Fancy/legitimate-sounding group names in the signature. Even with targeted emails (spear-phishing), scammers don't always bother to look up the actual name of the group/unit they supposedly belong to. Instead, they make up a generic name that could plausibly apply.
  6. Copy/paste of branding. This could be copyright info, contact details taken off a website, logos, etc. Sometimes, it's easier to spot since the scammers don't always format it to match the rest of their email.
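Tip 1 above is the one that can be checked mechanically: a link is only "ours" if the host part of the URL is the institution's domain (or a subdomain of it), no matter how many times the brand name appears elsewhere in the address. The following is an added example, not a McGill tool or code from this page; it assumes `mcgill.ca` is the only domain the institution controls (set `TRUSTED_DOMAINS` for your own organisation), and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domain(s) the institution actually controls.
TRUSTED_DOMAINS = ("mcgill.ca",)
# Brand words whose presence in a non-trusted host makes the link a lookalike.
BRAND_WORDS = ("mcgill",)


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if it has none.

    Bare hosts without a scheme ("mcgill.ca") are accepted. Using .hostname
    drops any port and any "user@" prefix, so "https://mcgill.ca@other.example"
    correctly yields "other.example".
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted_host(host: str) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one.

    A plain substring test would wrongly accept "mcgill.ca.login.example";
    the ".mcgill.ca" suffix check does not.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a link."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_trusted_host(host):
        return "trusted"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"  # brand name is in the host, but the domain is not ours
    return "external"


def classify_all(urls):
    """Classify each link; the dict is what a mail filter or report would act on."""
    return {u: classify_url(u) for u in urls}


# Constructed sample links, as they might appear in a message body.
SAMPLES = [
    "https://www.mcgill.ca/it/",                      # genuine subdomain
    "MCGILL.CA",                                      # case does not matter
    "https://mcgill.ca.login-secure.example/",        # brand as a leading label
    "https://mcgill-account-verify.example/reset",    # brand inside a bought domain
    "https://mcgill.ca@other.example/login",          # brand hidden in the userinfo part
    "https://example.com/mcgill/login",               # brand only in the path
]

if __name__ == "__main__":
    for link, verdict in classify_all(SAMPLES).items():
        print(f"{verdict:10} {link}")
```

Only the first two samples come back `trusted`; the rest are `lookalike` or `external` even though every one of them contains the word "McGill" somewhere. The path and the text shown for a link carry no trust at all, which is why the check looks at the host and nothing else.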

For more information on protecting yourself from phishing scams, take our online IT Security Awareness training. It's completely anonymous, and you can watch it from anywhere, at any time.

When in doubt, don't click it!
At any time, you can report a suspicious email to phishing [at].