Phishing Scams

Beware of phishing scams aiming to steal your personal information. Read more on how to protect yourself.

What is phishing?

NOTE: Under no circumstances will SFU ever request our users to provide or confirm their computing ID and password via email. You should never send your SFU password to anyone.

SFU, like many other universities, is the subject of "phishing" attacks. Phishing is an attempt to acquire sensitive personal information, such as usernames, passwords and banking information by masquerading as a trustworthy party in an electronic communication. Phishing is typically carried out by email or instant messaging and often directs users to enter details at a website or in a email reply.

The term phishing is a variant of fishing and alludes to the use of increasingly sophisticated baits used in the hope of a "catch" of personal information.

How you can protect yourself

Never send your SFU Computing ID and password to anyone. If you receive an email message asking for your SFU Computing ID and password:

  • DO NOT RESPOND no matter how official the request seems.
  • Delete the message or select 'Phishing' located under the Junk button in the ribbon in the Outlook Web App (OWA). Even responding to the message with content such as "please don't send me spam" simply confirms to the sender that they have contacted a live address and increases your odds of receiving more spam in the future. 

Reporting Phishing

When you select a message and click "Phishing", the message will be placed into your Deleted Items folder. If you mark a message as Junk, that sender will then be added to your Blocked Senders list and the message will be put into your Junk folder. This will sync with the Outlook desktop applications.

You may also forward any phishing attempt you receive to abuse@sfu.ca. If the phishing attempt is from or targets SFU, please forward the headers from that message to abuse@sfu.ca following the instructions below:

1. Right-click on the e-mail in the message list and select View message details 

2. A window will open with all the message details. Copy the message details and then close the window.

3. Forward the e-mail to abuse@sfu.ca with the message details included. To do so, click Forward in the ribbon.

4. In the To field, enter abuse@sfu.ca. Paste the message details into the body of your forwarded message, and then click Send.

Identifying legitimate SFU webpages

A web page is asking me for my SFU computing ID and password. How do I know it is legitimate?

Many SFU online services (e.g. SFU Mail, Canvas, Student Information System) require you to log in with your SFU computing ID and password.

Legitimate SFU website Phishing website
The website address (URL) for any legitimate SFU website requesting your SFU computing ID and password will always end in sfu.ca (e.g. mail.sfu.ca, webct.sfu.ca, sis.sfu.ca). The website address (URL) for a phishing site may contain the phrase sfu.ca but may take the form of http://my.sfu.ca.fakesite.com

What to do if you have responded to a phishing message

If you have responded to a phishing message with your SFU Computing ID and password, change your password immediately. You can change your SFU password on the SFU Computing Account Management page .

If your SFU computing account has been compromised and subsequently locked, contact IT Services by phone (778-782-3234) or in person (Burnaby Campus, Strand Hall 1001 or Surrey Campus, Area 3505 Podium Level 3).

What is SFU doing about phishing?

With each new email scam that we observe, SFU system administrators analyze the message and make configuration changes to attempt to block future messages, while being careful not to block legitimate email. Unfortunately, it is impossible to predict exactly what the next scam will look like or where it will come from, so we are unable to stop some of these messages from getting through to your mailbox. When they do, simply delete the message.

To learn more about phishing, visit these links: