Report suspicious emails to IT Services.

Cybersecurity Essentials Training

In today's digital age, protecting yourself, your loved ones, your research and your work from cyber threats is more important than ever. 

Ready to level up your detective skills? Dive in and become a scam-spotting pro!

Phishing: it’s how scammers and cybercriminals try to trick you into giving up your (or others’) personal or financial data, access to accounts and systems. Their main goal is usually to make a profit, either at your expense or that of others.

How do they make a profit? By selling the data they harvest, getting you to pay them directly, stealing and using your credit card/banking information, collecting ransoms, and by blackmail.

Some scams are small and fly under the radar, either because victims are ashamed, don’t realize they’ve been scammed, or feel there’s no point in reporting it. Others regularly make the news, either because of the scale, or because of the massive amounts of damage they cause to their victims. Identity theft can cause lasting mental harm and significantly impact a victim’s ability to live a normal life. Stolen intellectual property can be misused or significantly set back research aims. Systems and services that are essential can be taken offline for months.

How will attackers try and phish me?

Any way they can! If it can be used to reach you, an attacker will try it. Email is still the most common method, but phishing attacks also take the form of links in instant messages, social media or forum posts, popup windows, video games, malicious advertisements, sponsored search results, and more! Phone calls, QR codes, even video calls using AI are also used as part of successful phishing attacks. Some scammers go old-school and initiate their phish with in-person contact at events.

Here are some common tactics they use to try and get you to fall for their attacks. Click on each tab to learn more: 

Preying on your emotions

A desire to help. Fear. Curiosity. Disappointment. Urgency. Happiness. Hope. These are all popular triggers an attacker will try to leverage to hook you. “Urgent”, “Congratulations”, “Act Now” - if you spot emotional triggers, assess if it’s legit, spam, or scam.

Compromised accounts

Nothing is foolproof. Attackers regularly trick McGillians into handing over their passwords and 2FA creds. They then use those to access those accounts, harvest emails, and/or email our community.

Behavioral analysis

Just like marketers, attackers study what people will click on, their habits, and interests. For example, they know you’ve got so many things to do and not enough hours in the day. They count on you interacting with their phish before you have a chance to think about the red flags.


If it’s available online, it can be used for phishing! Your boss’ name, the McGill logo, content from a webpage - even the whole website can be recreated by an attacker.

It's (almost always) a trap: Common Scams

  • Fake websites
  • Gift card / purchase scams
  • Charities/fundraising scams
  • Job opportunities
  • HR-related emails
  • Tax/benefit/refund scams
  • Purchase order scams
  • Sign this document
  • IT - related scary alerts that you need to act on ASAP
  • Investment opportunities
  • Posts on social media
  • Online marketplace ads
  • Scan this to pay
  • Immigration scams
  • Fake fraud alerts - credit cards, banking, other financial accounts
  • Law enforcement scams

Protect Yourself. Protect others.

But how can I easily spot phishing?

Easy? Not quite. It gets harder every year. Just like a good detective, you’ve got to look for clues and follow up on them.

Trust your gut

Does something feel off about it? Is it too convenient? Are you being asked for banking, personal information, passwords, or money? Do you feel rushed to respond?

If you answered yes to any of those, don’t engage! Some legitimate requests might come across as urgent.

That’s when you need to follow up using a different method of contact. Never use the same one, because if it is an attack, you’ll just be chatting with the big bad wolf.

Are you expecting it?

If you suddenly get an email asking you to sign a performance evaluation, but your boss hadn’t told you to expect it, that’s a red flag.

Sure, your boss might be busy and have forgotten to mention it. So check with them using a different method of contact. If they emailed you, use Teams to message them. Even better, pick up the phone and call them so you can make sure it’s them replying.

Attackers like to use this tactic while pretending to be: An IT support technician, the police, Revenue Canada, and other government officials, a representative of a company you do business with, like your bank. They’ll masquerade as anyone they think you’ll hand over your personal or financial information over to.

No matter how rushed the request might seem, pause, breathe, and look for clues. If they’ve contacted you over voice or chat, don’t be afraid to put an end to the conversation then and there. A legitimate business will understand.

What about physical clues?

Attackers have the same tools at their disposal as the good guys, including AI.

This lets them easily generate professional looking, error-free content. They can also just easily steal and repurpose anything that’s already publicly available (or that they stole when compromising someone’s account).

Not all attackers are meticulous though, so you can look for:

Watch for typos and errors

Be cautious particularly if you find spelling and grammatical errors.

Sender's email address

If you’re a McGill employee, your manager shouldn’t be emailing you from anything but an address. Nor will IT Services, HR, or any other McGill unit.

Suspicious attachments

Be on the lookout for any suspicious attachments.

Be weary of fake links

Watch out for links that don’t match official websites. These can be extra tricky to spot - just because it has the company name in it doesn’t mean it’s legitimate. An attacker can easily buy a URL containing the word “mcgill”, for instance.

I think I've spotted a scam...


If it’s in your McGill email - use the Report Message button

All popular email services have report buttons too!

If it’s a non-email scam specifically targeting the McGill community (for example, you spot posters with suspicious links or QR codes around campus), contact the IT Service Desk to report it.

If it’s not McGill related, report it to the Canadian Anti-Fraud Centre.

Financial organizations and companies like Amazon, Apple, Google, Instagram etc. all have ways to directly report users or vendors that are scamming or spoofing them.

I interacted with a phish...


Were you using a McGill-owned device and/or did you enter or otherwise provide your McGill credentials?
  • If Yes, Call the IT Service Desk immediately at 514-398-3398. They can disable your McGill account until your password is changed and provide guidance on what to do next.
  • If No, read on.
Were you using a personal device, or suspect your non-McGill accounts were compromised:
  • Change your password, passphrase, or PIN using a different device.
  • If you don’t use unique passwords for your accounts, make sure to change the password for any account that used the same password. For your own safety, use unique passwords or passphrases for all your accounts - a password manager can help you generate and store them!
  • Scan the device using anti-malware software if possible.
  • Perform any available updates and security patches on your device.
  • Monitor your accounts regularly for suspicious activity.
Was your financial information accessed or potentially exposed to a cybercriminal?
  • Contact your banks to notify them that your personal and financial information was viewed by an attacker, so they can take steps to protect your account.
  • Contact Canada’s main credit reporting agencies to have a fraud alert added to your credit report.
    • Trans Union Canada (1-866-525-0262, Québec 1-877-713-3393) or
    • Equifax Canada (1-866-779-6440).
If you’ve sent money to a cybercriminal, you should report the incident as soon as possible to:

Scammers often re-target victims with the promise of recovering money, personal information, or with other scams. It’s a trap that plays on our hopes and fears. If you or someone you know experiences this, do not engage; instead, report the incident as soon as possible.

Phishing VS Spam


Phishing is designed to cause harm to people and/or organizations. It allows cybercriminals to either profit or gain access to accounts and systems for malicious or illegal purposes. The harm can be quite significant. Some particularly dark and twisted phishing extortion scams involve emails claiming the attacker has been watching you through your webcam and viewed adult activities you engaged in or has been contracted to assassinate you. These phishing scams may seem quite personal, but the emails are sent out en-masse, and should be reported just like any other phishing emails. Pro tip: If you have the option to report a message as phishing, it’s important to use that option only for suspicious emails, and not for email that you know is spam.


Spam is called junk mail for good reason. Spammers focus on quantity and send out their emails offering products and services to as many people as they possibly can, whether or not they signed up to be part of their mailing list. It’s definitely unwanted, and at worst, results in you receiving even more spam. Pro tip: Never click the Unsubscribe button in a spam email - it lets the spammers know your email account is active. Use the Report Junk button in your email instead!

Cyber Harassment

Sometimes it can be tricky to tell if something is phishing, harassment or bullying targeted at a specific individual. They can overlap. Cyber harassment is targeted at a specific individual or group of individuals. Oftentimes it will be prolonged, repeated, and list alleged grievances or accusations. If you encounter this, depending on who the target and perpetrator is, you’ll need to report it to authorities who can take action to investigate.

Back to top