Easy? Not quite. It gets harder every year.
Trust your gut
Does something feel off about it? Is it too convenient? Are you being asked for banking, personal information, passwords, or money? Do you feel rushed to respond?
If you answered yes to any of those, don’t engage!
Some legitimate requests might come across as urgent.
That’s when you need to follow up using a different method of contact. Never use the same one, because if it is an attack, you’ll just be chatting with the big bad wolf.
Are you expecting it?
If you suddenly get an email asking you to sign a performance evaluation, but your boss hadn’t told you to expect it, that’s a red flag.
Sure, your boss might be busy and have forgotten to mention it. So check with them using a different method of contact. If they emailed you, confirm through another channel like MS Teams or, better yet, call them directly to be sure it’s really them.
Attackers pretend to be people you trust: from IT support technicians, the police, Revenue Canada, and other government officials to a representative of a company you do business with, like your bank. They think you will trust them enough to share your personal or financial information.
No matter how rushed the request might seem, pause, breathe, and look for clues. If they’ve contacted you over voice or chat, don’t be afraid to put an end to the conversation then and there. A legitimate business will understand.
What about physical clues?
Attackers have the same tools at their disposal as the good guys, including AI.
This lets them easily generate professional-looking, error-free content. They can also just as easily steal and repurpose anything that’s already publicly available (or that they stole when compromising someone’s account).
Not all attackers are meticulous, so look for:
Typos and errors
Be particularly cautious if you find spelling or grammatical errors.
Sender's email address
If you’re a McGill employee, your manager shouldn’t be emailing you from anything but an @mcgill.ca address. Nor will IT Services, HR, or any other McGill unit.
Unexpected or odd attachments
If you’re not expecting an email, never click on or open the attachment. Even if it seems to come from a company or person you’ve interacted with in the past, take time to assess if it’s really legitimate.
Be wary of fake links
Watch out for links that don’t match official websites. These can be extra tricky to spot: just because a link has the company name in it doesn’t mean it’s legitimate. An attacker can easily buy a domain name containing the word “mcgill”, for instance.
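The sender-address and link checks described above, written out as a short JavaScript sketch. This is an added example, not McGill's own tooling; the sample links are constructed, and treating subdomains of mcgill.ca as official for links is an assumption.

```javascript
// Added example, not from the original page. Sample inputs are constructed.
const OFFICIAL_DOMAIN = "mcgill.ca"; // the domain the page names

// Assumption: for links, subdomains of the official domain count as official.
function isOfficialHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // ignore a trailing root dot
  // Match on a label boundary so "examplemcgill.ca" does not pass.
  return h === OFFICIAL_DOMAIN || h.endsWith("." + OFFICIAL_DOMAIN);
}

// Classify a link by the host a browser would actually connect to.
function checkLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { verdict: "unparseable", host: null };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "not-a-web-link", host: null };
  }
  const host = url.hostname; // excludes any "user@" prefix, port and path
  if (isOfficialHost(host)) return { verdict: "official", host };
  // The name appears somewhere in the link, but not as the real host.
  const mentions = link.toLowerCase().includes("mcgill");
  return { verdict: mentions ? "lookalike" : "external", host };
}

// Sender check: the page says staff mail comes from @mcgill.ca, so match exactly.
// A displayed From address can be forged, so "official" here is not proof.
function checkSender(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) return "unparseable";
  const domain = address.slice(at + 1).replace(/[>\s]+$/, "").toLowerCase();
  if (domain === OFFICIAL_DOMAIN) return "official";
  return domain.includes("mcgill") ? "lookalike" : "external";
}

// Constructed sample links; the .example hosts are placeholders.
const SAMPLE_LINKS = [
  "https://www.mcgill.ca/it/",
  "https://mcgill.ca.account-verify.example/login",
  "https://mcgill.ca@account-verify.example/",
  "https://account-verify.example/mcgill/reset",
  "https://mcgill-ca.example/",
];
for (const l of SAMPLE_LINKS) console.log(checkLink(l).verdict.padEnd(10), l);
```

Only the first sample is classified as official; in the other four, the name sits in a subdomain prefix, the part before an "@", the path, or a different domain altogether.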
Just like a good detective, you’ve got to look for clues and follow up on them.