Phishing Scams

SFU aims to promote a culture of information security throughout the University. Protecting against and mitigating cyber security risks, and continually improving our information security, are crucial to our organization.

What is a Phishing Scam?

A phishing scam is an online technique for attempting to acquire personal data via email by pretending to be a trusted person or organization. With the continuing rise in cyber security incidents globally, including a more than twofold increase in those aimed at higher education institutions, it's never a bad idea to refresh your awareness of online scams such as phishing.

How does a Phishing scam work?

Phishing is usually done through email or phone and generally involves impersonating an organization or person of authority to manipulate a victim into taking some action that provides access, resources, and/or information to a scammer. A scammer sends an email that appears to be from a recognizable institution or company, such as a bank. The email may claim that you need to update your account or that your “refund” is ready. Whatever the message says, the email is an attempt to trick you into providing your personal or financial information.

How can you spot a Phishing scam?

  1. Many grammar or spelling errors.
  2. Incorrect sender email address.
  3. Urgent or threatening language.
  4. Pressure to respond ASAP.
  5. Image-only emails.
  6. Suspicious links or attachments.
  7. Requests for personal information.

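The indicators above can be turned into a simple triage check. The following is an added example (Python, not part of the SFU page) that scores two constructed messages against four of the listed indicators: an incorrect sender address, urgent or threatening language, requests for personal information, and link text that does not match where the link actually points. The trusted-domain list, the phrase lists, and both sample messages are assumptions made for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation treats as legitimate senders (assumed value for this example).
TRUSTED_DOMAINS = ("sfu.ca",)

# Indicator phrase lists (constructed; a real deployment would tune these).
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now", "asap")
CREDENTIAL_PHRASES = ("password", "computing id", "social insurance", "credit card", "verify your account")

# Matches <a href="...">visible text</a>; sufficient for the constructed samples below.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host):
    """Reduce a hostname to its last two labels so 'my.sfu.ca' and 'sfu.ca' compare equal."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_domain(value):
    """Domain of a URL or URL-looking string; '' if it does not parse as one."""
    candidate = value.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return registrable_domain(host) if host and "." in host else ""


def score_message(msg):
    """Return indicator findings for one message given as {'from', 'subject', 'body_html'}."""
    findings = []
    display_name, addr = parseaddr(msg["from"])
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # Incorrect sender address: untrusted domain, or a display name borrowing a trusted org's name.
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain '{sender_domain}' is not a trusted domain")
    for trusted in TRUSTED_DOMAINS:
        org = trusted.split(".")[0]
        if org in display_name.lower() and sender_domain != trusted:
            findings.append(f"display name '{display_name}' claims {org} but address is @{sender_domain}")

    text = (msg["subject"] + " " + msg["body_html"]).lower()
    # Urgent or threatening language / pressure to respond quickly.
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        findings.append("urgent/threatening language: " + ", ".join(urgent))
    # Requests for personal information or credentials.
    creds = [p for p in CREDENTIAL_PHRASES if p in text]
    if creds:
        findings.append("asks for personal information: " + ", ".join(creds))

    # Suspicious links: visible text names one domain while the href goes elsewhere, or to an untrusted domain.
    for href, visible in ANCHOR_RE.findall(msg["body_html"]):
        target = link_domain(href)
        shown = link_domain(re.sub(r"<[^>]+>", "", visible))
        if shown and target and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif target not in TRUSTED_DOMAINS:
            findings.append(f"link points to untrusted domain {target}")

    score = len(findings)
    verdict = "likely phishing" if score >= 3 else "needs review" if score else "no indicators"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail). The look-alike host below is a placeholder on example.net.
PHISH = {
    "from": '"SFU IT Services" <it-helpdesk@gmail.com>',
    "subject": "Action required: your account will be suspended",
    "body_html": ('Your mailbox quota is full. Verify your account within 24 hours or it will be suspended. '
                  'Click <a href="http://sfu-ca.login-portal.example.net/verify">https://my.sfu.ca/login</a> '
                  'and confirm your password.'),
}
LEGIT = {
    "from": "IT Services <itservices@sfu.ca>",
    "subject": "Scheduled maintenance this weekend",
    "body_html": ('Reminder: the scheduled maintenance window is Saturday. Details are at '
                  '<a href="https://www.sfu.ca/itservices/status">https://www.sfu.ca/itservices/status</a>. '
                  'No action is required.'),
}

if __name__ == "__main__":
    for label, msg in (("constructed phish", PHISH), ("constructed legitimate notice", LEGIT)):
        result = score_message(msg)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The link check is the one worth keeping in mind when reading mail by hand: the visible text of a link is chosen by the sender, so hovering over (or, on a phone, long-pressing) the link to see the real target is the only way to compare the two. A score like this is a triage aid, not a verdict; the page's advice to confirm with IT Services still applies when you are unsure.
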
What are some common phishing campaigns?

  • Covid-19 Scams: Throughout the pandemic, scammers have been setting up phishing attempts to take advantage of the uncertainty and confusion surrounding the Covid-19 response. Scammers claim to be part of some response, relief, or other authoritative entity and try to convince victims to give up personal and/or banking information.
  • Credential Mining: A fake warning about an account or service interruption urges the victim to authenticate through a malicious link to a look-alike portal page, exposing their user ID and password to attackers.
  • Gift Card Scams: Email requests that mimic a person of authority, sent from a compromised account or from a fake account created on a free email service such as Gmail. The scammer claims to be unreachable by any means other than email and asks for a non-standard action to meet unusual circumstances (usually buying gift cards).
  • Malicious Links: The attacker creates a sense of urgency to trick victims into clicking a malicious link in the message, exposing them to malware and compromise. Examples include fake invoices, fake package delivery notices, fake “secure” documents, fake personal videos, and many others.
  • Work-from-home: Scammers offer the promise of a job (work-from-home, caregiver, mystery shopper, or government/charity job) as the hook, with purposes including money laundering, gaining access to the victim's personal and/or financial information, or defrauding them with bounced cheques.

What information are they usually asking for?

  • Name and address
  • SFU computing ID or password
  • Birthdate
  • Social Insurance Number (SIN)
  • Credit card or banking information

How do I protect myself?

  • DO NOT RESPOND, no matter how official the request seems.
  • DO NOT CLICK on the link if you are being asked for personal information. If you are unsure whether the sender is credible, IT Services can confirm.
  • Never send your SFU Computing ID, personal information, password, or financial information to anyone via email.
  • Recommend department-wide security training such as the SFU Canvas training.
  • Improve business practices by reducing reliance on email for financial transactions and/or the exchange of sensitive (PII) data, and create workflows for verifying phishy-sounding requests.
  • Refrain from using your personal email address when conducting business, and ensure staff know to be wary of impostors setting up fake accounts on free services.
  • Delete the message or select 'Junk' under the Junk button in the ribbon in the Outlook Web App (OWA). Even responding to the message with content such as "please don't send me spam" simply confirms to the sender that they have reached a live address and increases your odds of receiving more spam in the future.
  • If you mark a message as Junk, the sender is added to your Blocked Senders list and the message is moved to your Junk folder. This syncs with the Outlook desktop applications.

Remember, if it seems too good to be true, it is.