NOTE: Under no circumstances will SFU ever request our users to provide or confirm their computing ID and password via email. You should never divulge your SFU password to anyone.
SFU, like many other universities, has been the subject of a number of "phishing" attacks. Phishing is an attempt to acquire sensitive personal information, such as usernames, passwords and banking information, by masquerading as a trustworthy party in an electronic communication. Phishing is typically carried out by email or instant messaging and often directs users to enter details at a website or in an email reply.
The term phishing is a variant of fishing and alludes to the increasingly sophisticated baits used in the hope of a "catch" of personal information.
Never send your SFU Computing ID and password to anyone.
If you receive an email message asking for your SFU Computing ID and password:
DO NOT RESPOND, no matter how official the request seems.
Delete the message or use the "Report Phishing" button. Even responding to the message with content such as "please don't send me spam" simply confirms to the sender that they have contacted a live address and increases your odds of receiving more spam in the future. If you use a third-party email client, you may also forward any phishing attempt you receive to email@example.com.
When you select a message and click "Report Phishing", IT Services will be notified of the phishing attempt, and the message will be placed into your Junk folder.
The following is an example of a phishing attack by email.
Some messages may contain links to malicious websites. If in doubt, do not click on the links.
A web page is asking me for my SFU computing ID and password. How do I know it is legitimate?
Many SFU online services (e.g. SFU Connect, WebCT, Student Information System) require you to log in with your SFU computing ID and password.
|Legitimate SFU website|Phishing website|
|---|---|
|The website address (URL) for any legitimate SFU website requesting your SFU computing ID and password will always end in sfu.ca (e.g. connect.sfu.ca, webct.sfu.ca, sis.sfu.ca).|The website address (URL) for a phishing site may contain the phrase sfu.ca but may take the form of http://my.sfu.ca.fakesite.com|
If in doubt, do not enter your SFU computing ID and password. Visit the IT Services Help page for assistance.
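The difference between the two columns above can be checked mechanically, for instance in a mail filter or link scanner. The following is an added example, not SFU's own code: the function names, `TRUSTED_DOMAIN` and the sample links (other than the one quoted in the table) are assumptions made for illustration.

```javascript
// Added example: does a link's host really belong to sfu.ca?
// TRUSTED_DOMAIN, the function names and the sample links are assumptions.
const TRUSTED_DOMAIN = "sfu.ca";

// Naive check: true whenever the text "sfu.ca" appears anywhere in the link.
function containsSfu(link) {
  return link.toLowerCase().includes(TRUSTED_DOMAIN);
}

// Strict check: parse the link as a browser would and compare the host only.
function isSfuHost(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return false; // not an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // hostname is lowercased by the parser and excludes port, path and query.
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  // Match the domain itself or a subdomain on a label boundary.
  return host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
}

// Constructed sample links; the second one is the form shown in the table.
const SAMPLE_LINKS = [
  "https://connect.sfu.ca/login",
  "http://my.sfu.ca.fakesite.com",
  "https://fakesite.example/sfu.ca/login",
  "https://notsfu.ca/",
  "https://SIS.SFU.CA./",
];

function checkSamples() {
  return SAMPLE_LINKS.map((link) => ({
    link,
    naive: containsSfu(link),
    strict: isSfuHost(link),
  }));
}

console.table(checkSamples());
```

Every sample passes the naive "contains sfu.ca" test, but only the first and last have a host that actually ends in sfu.ca.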
If you have responded to a phishing message with your SFU Computing ID and password, change your password immediately. You can change your SFU password on the SFU Computing Account Management page.
If your SFU computing account has been compromised and subsequently locked, contact IT Services by phone (778-782-3234) or in person (Burnaby Campus, Strand Hall 1001 or Surrey Campus, Area 3505 Podium Level 3).
With each new email scam that we observe, SFU system administrators analyze the message and make configuration changes to attempt to block future messages, while being careful not to block legitimate email. Unfortunately, it is impossible to predict exactly what the next scam will look like or where it will come from, so we are unable to stop some of these messages from getting through to your mailbox. When they do, simply delete the message.
To learn more about phishing, visit these links: