What is phishing?

NOTE: Under no circumstances will SFU ever request our users to provide or confirm their computing ID and password via email. You should never divulge your SFU password to anyone.

SFU, like many other universities, has been the subject of a number of "phishing" attacks. Phishing is an attempt to acquire sensitive personal information, such as usernames, passwords and banking information, by masquerading as a trustworthy party in an electronic communication. Phishing is typically carried out by email or instant messaging and often directs users to enter details at a website or in an email reply.

The term phishing is a variant of fishing and alludes to the use of increasingly sophisticated baits used in the hope of a "catch" of personal information.

How you can protect yourself

Never send your SFU Computing ID and password to anyone.
If you receive an email message asking for your SFU Computing ID and password:

DO NOT RESPOND, no matter how official the request seems.

Delete the message or use the "Report Phishing" button. Even responding to the message with content such as "please don't send me spam" simply confirms to the sender that they have contacted a live address and increases your odds of receiving more spam in the future.

When you select a message and click "Report Phishing", IT Services will be notified of the phishing attempt, and the message will be placed into your Junk folder.


The following is an example of a phishing attack by email.
Some messages may contain links to malicious websites. If in doubt, do not click on the links.

[Image: example of a phishing email]

Identifying legitimate SFU webpages

A web page is asking me for my SFU computing ID and password. How do I know it is legitimate?

Many SFU online services (e.g. SFU Connect, WebCT, Student Information System) require you to log in with your SFU computing ID and password.

Legitimate SFU website: The website address (URL) for any legitimate SFU website requesting your SFU computing ID and password will always end in sfu.ca (e.g. connect.sfu.ca, webct.sfu.ca, sis.sfu.ca).

Phishing website: The website address (URL) for a phishing site may contain the phrase sfu.ca but may take the form of http://my.sfu.ca.fakesite.com

If in doubt, do not enter your SFU computing ID and password. Visit the IT Services Help page for assistance.
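The "ends in sfu.ca" rule above, written as a check a mail filter or link scanner could apply. This is an added example, not code from SFU or IT Services: the function names are hypothetical, and every sample URL except http://my.sfu.ca.fakesite.com is constructed. It compares the parsed host name rather than searching the whole URL for the phrase.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "sfu.ca"  # suffix the page gives for legitimate login pages


def naive_check(url: str) -> bool:
    """Weak check: passes any URL that merely contains the phrase 'sfu.ca'."""
    return TRUSTED_DOMAIN in url.lower()


def is_sfu_host(url: str) -> bool:
    """True only when the URL's host is sfu.ca or a subdomain of sfu.ca."""
    if "\\" in url:
        # Browsers read "\" as "/", urlsplit does not; refuse the ambiguity.
        return False
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased, without "user@" prefix or ":port"
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".")  # "sis.sfu.ca." names the same host
    # Compare whole DNS labels: require an exact match or a ".sfu.ca" suffix.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample URLs; only the second one appears on the page itself.
SAMPLES = [
    "https://connect.sfu.ca/login",
    "http://my.sfu.ca.fakesite.com",
    "https://sfu.ca@fakesite.example/",
    "https://notsfu.ca/",
    "https://fakesite.example/sfu.ca/login",
    "HTTPS://SIS.SFU.CA:443/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:42} naive={naive_check(url)!s:5} strict={is_sfu_host(url)}")
```

Every sample passes the naive check, while the host comparison accepts only the first and last.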

What to do if you have responded to a phishing message

If you have responded to a phishing message with your SFU Computing ID and password, change your password immediately. You can change your SFU password on the SFU Computing Account Management page.

If your SFU computing account has been compromised and subsequently locked, contact IT Services by phone (778-782-3234) or in person (Burnaby Campus, Strand Hall 1001 or Surrey Campus, Area 3505 Podium Level 3).

What is SFU doing about phishing?

With each new email scam that we observe, SFU system administrators analyze the message and make configuration changes to attempt to block future messages, while being careful not to block legitimate email. Unfortunately, it is impossible to predict exactly what the next scam will look like or where it will come from, so we are unable to stop some of these messages from getting through to your mailbox. When they do, simply delete the message.