Phishing Scams

What is a Phishing Scam?

Phishing is the practice of using manipulation to trick victims into providing information or access to resources that can be used for criminal purposes by attackers. Phishing emails can target anyone with an email account and can impersonate a legitimate business, institution, human, or financial institution.

How does a Phishing Scam work?

Phishing is usually done through email or phone and generally involves impersonating an organization or person of authority to manipulate a victim into taking some action that provides access, resources, and/or information to a scammer. A scammer sends an email that appears to be from a recognizable institution or company such as a bank or institution (or other). The email may claim that you need to update your account or that your “refund” is ready. Whatever the message is, the email is an attempt to trick you into providing your personal or financial information.

What are some common phishing campaigns?

  • Covid-19 Scams: Throughout the pandemic, scammers have been setting up phishing attempts to take advantage of the uncertainty and confusion surrounding Covid-19 response. Scammers claim to be part of some response, relief, or other authoritative entity and try to convince victims to give up personal and/or banking information.
  • Credential Mining: Fake warning message about account or service interruption that urges the victim to authenticate using a malicious link to a fake/look-a-like portal page exposing userid/password to attackers.
  • Gift Card Scams: Email requests mimicking a person of authority using a compromised account or a fake user account created on a free email service provider like Gmail. Scammer will claim to be unavailable through communications other than email and asking for a non-standard action to meet unusual circumstances (usually buying a gift card).
  • Malicious Links: Attacker generates a sense of urgency to trick victims into clicking on a malicious link within the message exposing them to malware and compromise. Some examples include fake invoices, fake package delivery notices, fake “secure” documents, fake personal videos, and many others.
  • Work-from-home: Scammers offer the promise of a job opportunity (work-from-home, caregiver, mystery shopper, or government/charity job) as the hook with the purpose of gaining access to victim personal and/or financial information to defraud them.

What information are they usually asking for?

  • Name and address
  • SFU computing ID or password
  • Birthdate
  • Social Insurance Number (SIN)
  • Credit card or banking information

How do I protect myself?

Here are some tips and tricks to protect yourself or your business from scams and fraud.

  • DO NOT RESPOND no matter how official the request seems.
  • DO NOT CLICK on the link if you are being asked for personal information. If you are unsure if the sender is credible, IT Services can confirm.
  • Never send your SFU Computing ID, personal information, password, or financial information to anyone via email.
  • Recommend department wide security training such as the SFU canvas training.
  • Improve business practices by reducing the reliance on email for financial transactions and/or exchange of sensitive (PII) data and creating workflows for verifying phishy sounding requests.
  • Refrain from using your personal email addresses when conducting business and ensure staff know to be wary of imposters setting up fake accounts on free services.
  • Delete the message or select 'Junk' located under the Junk button in the ribbon in the Outlook Web App (OWA). Even responding to the message with content such as "please don't send me spam" simply confirms to the sender that they have contacted a live address and increases your odds of receiving more spam in the future.
  • If you mark a message as Junk, that sender will then be added to your Blocked Senders list and the message will be put into your Junk folder. This will sync with the Outlook desktop applications.

Remember, if it seems too good to be true, it is.

Reporting Phishing

You may also forward any phishing attempt you receive to If the phishing attempt is from or targets SFU, please forward the headers from that message to following the instructions below:

1. Right-click on the e-mail in the message list and select View message details 

2. A window will open with all the message details. Copy the message details and then close the window.

3. Forward the e-mail to with the message details included. To do so, click Forward in the ribbon.

4. In the To field, enter Paste the message details into the body of your forwarded message, and then click Send.