Email Phishing: FAQ
- What is e-mail phishing?
- What phishing e-mails are circulating around Concordia?
- How does phishing work?
- How can I tell if an e-mail is fraudulent?
- How can I tell if a website link is fraudulent?
- Why did I receive a phishing e-mail?
- How did the phishers get my e-mail address?
- What do the phishers do with my personal information?
- What is Concordia doing to address e-mail phishing?
- What should I do if I replied to the fraudulent e-mail?
- How can I report a fraudulent e-mail?
- Where can I find more phishing resources?
What is e-mail phishing?
Phishing is a type of e-mail scam designed to criminally and fraudulently acquire sensitive information, such as account usernames, passwords, credit card numbers, and other information.
What phishing e-mails are circulating around Concordia?
Examples of phishing e-mails circulating around Concordia can be seen here.
How does phishing work?
Phishers create free e-mail accounts (e.g., Yahoo, Hotmail, Gmail) and send out mass e-mails to random e-mail accounts.
Phishers also use machines or e-mail accounts which have been compromised by malware in order to send out their e-mail phishing attacks.
In both cases, the e-mail will normally request that the recipient either reply with their personal information or click on a website link.
How can I tell if an e-mail is fraudulent?
If you are unsure, please communicate directly with the IITS Helpline at (514) 848-2424 ext. 7613 or by e-mail at help@concordia.ca.
The following are some common phrases found in phishing e-mails.
“Verify your account” or “Confirm your Address”
- Concordia University will never ask for your personal information by phone, e-mail, or URL unless it is in response to a support request you have initiated. Concordia University will never ask for your password, nor should businesses, banks, and other institutions.
“Dear Concordia Subscriber” or “Dear Account Owner”
- Since phishing e-mails are sent out to numerous recipients, they are often not personalized. You may notice that your e-mail address is displayed in the “To:” field rather than something vague (e.g., Undisclosed Recipients); however, you will find that the greeting and main body of the e-mail are generally not personalized.
“Failure to submit your password will render your account inactive” or “If you do not respond within 7 days your account will be lost”
- Phishers aim to have the recipient respond immediately in order to prevent the recipient from thinking about the legitimacy of the e-mail. System maintenance does not require an update of your account nor does it require your account information. If in doubt, please visit http://iits.concordia.ca/news to learn about scheduled or emergency maintenance.
Following is an example of a fraudulent e-mail directly targeting Concordia University account holders. You'll notice phrases similar to the ones noted above, and you'll also notice numerous spelling and grammar mistakes. Lastly, you can see that the 'From:' address and the 'Reply-To:' address differ.
The phishers who created the above e-mail even included the Concordia and IITS logos in an attempt to confuse the recipients. Notice, however, that the text of the phishing e-mail still contains all the common phrases and characteristics of a phishing e-mail.
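The warning signs described above can also be checked mechanically. The following is an added example, not Concordia's or IITS's own tooling: it parses a raw message and reports a 'From:'/'Reply-To:' mismatch, the impersonal greetings, and the request and threat phrases quoted in this FAQ. The function name, the phrase lists as coded, and the sample message (on reserved example domains) are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Phrases this FAQ lists as common in phishing e-mails (lower-cased).
PRESSURE_PHRASES = (
    "verify your account",
    "confirm your address",
    "failure to submit your password",
    "if you do not respond within",
)
GENERIC_GREETINGS = ("dear concordia subscriber", "dear account owner")


def phishing_indicators(raw_message):
    """Return the FAQ's warning signs that appear in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # Sign 1: 'From:' and 'Reply-To:' point at different addresses.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_addr and reply_addr != from_addr:
        findings.append(f"reply-to mismatch: {from_addr} vs {reply_addr}")

    # Only a plain-text body is inspected; multipart messages are skipped here.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = " ".join(body.lower().split())  # collapse line wraps

    # Sign 2: impersonal greeting. Sign 3: request or threat wording.
    findings += [f"generic greeting: {g}" for g in GENERIC_GREETINGS if g in text]
    findings += [f"pressure phrase: {p}" for p in PRESSURE_PHRASES if p in text]
    return findings


# Constructed sample message (not a real e-mail; *.example domains are reserved).
SAMPLE = """\
From: IT Helpdesk <helpdesk@university.example>
Reply-To: upgrade-team@freemail.example
To: student@university.example
Subject: Account maintenance

Dear Account Owner,
We are upgrading our system. Please verify your account by replying
with your username and password. Failure to submit your password will
render your account inactive.
"""
```

A hit is a reason to stop and check with the Helpline, not proof of fraud, and a message with no hits is not thereby safe.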
How can I tell if a website link is fraudulent?
If you are unsure, please communicate directly with the IITS Helpline at (514) 848-2424 ext. 7613 or by e-mail at help@concordia.ca.
Phishers may place a link that appears to go to the legitimate website, but it actually takes you to a phony scam site or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called “spoofed” web sites. Once you’re at one of these spoofed sites, you might unwittingly send personal information to the con artists. To view an example please visit Microsoft’s site on Phishing Scams.
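The mismatch described above, between the address a link displays and the address it actually opens, can be detected by comparing the two hosts. This is an added example, not code from Concordia or from the Microsoft page; the function and class names and the sample HTML (on reserved example domains) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(value):
    """Lower-case host of a URL or bare domain ('' if there is none)."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # makes urlsplit read 'a.example/x' as a host
    return (urlsplit(value).hostname or "").lower()


class LinkAuditor(HTMLParser):
    """Collect (visible text, href) pairs whose hosts disagree."""
    def __init__(self):
        super().__init__()
        self.mismatches, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        # Judge only links whose visible text itself looks like an address.
        if "." in shown and " " not in shown and _host(shown) != _host(self._href):
            self.mismatches.append((shown, self._href))
        self._href = None


def deceptive_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.mismatches


# Constructed sample; *.example domains are reserved and not real sites.
SAMPLE_HTML = (
    '<a href="http://account-update.example/login">portal.university.example</a> '
    '<a href="https://portal.university.example/news">maintenance notices</a> '
    '<a href="https://help.university.example/">help.university.example</a>'
)
```

Only the first sample link is reported: its text names one host while its destination is another. Links with descriptive text such as "maintenance notices" are not judged, so hovering over the link to read the real destination remains necessary.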
Why did I receive a phishing e-mail?
Phishers send out mass e-mails to targeted recipients. If you received a Concordia-related phishing e-mail in your Concordia e-mail account, you would have received the e-mail because the phishers were targeting random Concordia University account holders.
E-mail phishing can also be non-targeted. If you received a phishing e-mail regarding an account or company that you are not affiliated with (e.g., Desjardins, RBC), then you simply received the phishing e-mail at random.
If you received a phishing e-mail, delete it without replying to it.
How did the phishers get my e-mail address?
As with spam, your e-mail address may have been obtained via a compromised computer, an online publication, a public directory, etc.
What do the phishers do with my personal information?
Once your information is obtained, or your account is compromised, the phishers may use your account to send out e-mails, to commit fraud (e.g., if you provided banking information), or for other criminal activity. Clicking on a fraudulent link may compromise your computer or infect it with a virus or spyware/malware.
What is Concordia doing to address e-mail phishing?
IITS continuously monitors these situations closely, and takes action whenever the message source can be reliably determined. Unfortunately, it is not possible to completely eliminate phishing scams, as the attacks are coming from so many different sources, and new phishing addresses are being observed daily.
Important notices are posted to remind the Community to delete any such messages immediately.
What should I do if I replied to the fraudulent e-mail?
In the event that you replied to a phishing e-mail with your personal information, please notify the targeted company’s system administrators and change your password immediately.
If you provided phishers with your Concordia portal or email credentials, please change your password immediately by logging into your MyConcordia portal and selecting Personal Services.
How can I report a fraudulent e-mail?
Most businesses, banks, and institutions have an e-mail address that you can forward suspicious e-mails to. To obtain the forwarding e-mail address, visit the website of the company owning the account being targeted.
Tip: If you cannot easily find information about phishing on the company's website, try using the website’s search field and search for ‘phishing’. Another option would be to contact their technical support/customer service directly.
For Concordia, please contact the IITS Helpline at help@concordia.ca.
Where can I find more phishing resources?
- Microsoft: Recognizing Phishing
- CBC: Online Identity Theft
- RCMP: Phishing or Brand Spoofing
- Services Québec: Avoid Phishing
- Desjardins: Phishing FAQ
- RBC: Phishing Resource Center
- Scotiabank: Phishing Scams