Email Phishing: FAQ
- What is e-mail phishing?
- What phishing e-mails are circulating around Concordia?
- How does phishing work?
- How can I tell if an e-mail is fraudulent?
- How can I tell if a website link is fraudulent?
- Why did I receive a phishing e-mail?
- How did the phishers get my e-mail address?
- What do the phishers do with my personal information?
- What is Concordia doing to address e-mail phishing?
- What should I do if I replied to the fraudulent e-mail?
- How can I report a fraudulent e-mail?
- Where can I find more phishing resources?
What is e-mail phishing?
Phishing is a type of e-mail scam designed to criminally and fraudulently acquire sensitive information, such as account usernames, passwords, credit card numbers, and other information.
What phishing e-mails are circulating around Concordia?
Examples of phishing e-mails circulating around Concordia can be seen here.
How does phishing work?
Phishers create free e-mail accounts (e.g., Yahoo, Hotmail, Gmail) and send out mass e-mails to random e-mail addresses.
Phishers also use machines or e-mail accounts which have been compromised by malware in order to send out their e-mail phishing attacks.
In both cases, the e-mail will normally request that the recipient either reply back with their personal information, or click on a website link.
How can I tell if an e-mail is fraudulent?
If you are unsure, please communicate directly with the IITS Helpline at (514) 848-2424 ext. 7613 or by e-mail at help@concordia.ca.
Following are some common phrases found in phishing e-mails.
"Verify your account" or “Confirm your Address”
- Concordia University will never ask for your personal information by phone, e-mail, or URL unless it is in response to a support request you have initiated. Concordia University will never ask for your password, nor should businesses, banks, and other institutions.
“Dear Concordia Subscriber” or “Dear Account Owner”
- Since phishing e-mails are sent out to numerous recipients, they are usually not personalized. Your own e-mail address may appear in the “To:” field rather than something vague (e.g., Undisclosed Recipients), but the greeting and the main body of the e-mail are generally not personalized.
“Failure to submit your password will render your account inactive” or “If you do not respond within 7 days your account will be lost”
- Phishers aim to have the recipient respond immediately in order to prevent the recipient from thinking about the legitimacy of the e-mail. System maintenance does not require an update of your account nor does it require your account information. If in doubt, please visit http://iits.concordia.ca/news to learn about scheduled or emergency maintenance.
Following is an example of a fraudulent e-mail directly targeting Concordia University account holders. You'll notice phrases similar to the ones noted above, and you'll also notice numerous spelling and grammar mistakes. Lastly, you can see that the 'From:' address and the 'Reply-To:' address differ.
The phishers who created the above e-mail even included the Concordia and IITS logos in an attempt to confuse the recipients. Notice however that the text of the phishing e-mail still contains all the common phrases and characteristics of a phishing e-mail. For more examples of Concordia phishing e-mails click here.
How can I tell if a website link is fraudulent?
If you are unsure, please communicate directly with the IITS Helpline at (514) 848-2424 ext. 7613 or by e-mail at help@concordia.ca.
According to Microsoft, phishers may place a link that appears to go to the legitimate website, but it actually takes you to a phony scam site or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called “spoofed” web sites. Once you’re at one of these spoofed sites, you might unwittingly send personal information to the con artists. To view an example please visit Microsoft’s site on Phishing Scams.
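The indicators described above (From:/Reply-To: mismatch, the stock urgency phrases, and a link whose visible text names one site while its href points elsewhere) can be checked mechanically. The following script is an added example written for this page; it is not IITS code or a Concordia tool. The sample messages in it are constructed for the example, and the example.net domains are placeholders.

```python
"""Heuristic phishing-indicator checks for a raw e-mail message.

Added example, not part of the Concordia IITS FAQ. It reports three signals the
FAQ describes: stock urgency/verification phrases, a From: address whose domain
differs from the Reply-To: domain, and HTML links whose visible text names a
host that differs from the host in the href.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases the FAQ lists as common in phishing e-mails (compared case-insensitively).
SUSPECT_PHRASES = (
    "verify your account",
    "confirm your address",
    "dear concordia subscriber",
    "dear account owner",
    "render your account inactive",
    "your account will be lost",
)


def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _name, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (visible text, real host) for links whose text names a different host.

    Only link text that itself looks like a URL or hostname (no whitespace, contains
    a dot) is compared; plain words such as "click here" carry no host to check.
    """
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not text or any(ch.isspace() for ch in text):
            continue
        href_host = urlparse(href).hostname or ""
        shown = text if "://" in text else "http://" + text
        text_host = urlparse(shown).hostname or ""
        if "." in text_host and text_host != href_host:
            flagged.append((text, href_host))
    return flagged


def analyze(raw_message):
    """Return a list of indicator strings found in a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    indicators = []

    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"From/Reply-To domain mismatch: {from_dom} vs {reply_dom}")

    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    searchable = (msg.get("Subject", "") + "\n" + body).lower()
    for phrase in SUSPECT_PHRASES:
        if phrase in searchable:
            indicators.append(f"Suspect phrase: '{phrase}'")

    if msg.get_content_type() == "text/html":
        for text, host in mismatched_links(body):
            indicators.append(f"Link text '{text}' points at {host}")
    return indicators


# Constructed sample in the style of the fraudulent e-mail the FAQ describes.
SAMPLE = """\
From: IITS Helpline <helpline@concordia.ca>
Reply-To: account-update@example.net
To: jsmith@alcor.concordia.ca
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Account Owner,</p>
<p>Please verify your account within 7 days or your account will be lost.</p>
<p><a href="http://login.example.net/concordia">www.concordia.ca/login</a></p>
</body></html>
"""

# Constructed benign notice: same sender domain, no Reply-To, no stock phrases.
CLEAN = """\
From: IITS Helpline <help@concordia.ca>
To: jsmith@alcor.concordia.ca
Subject: Scheduled maintenance
Content-Type: text/plain; charset=utf-8

Maintenance is scheduled for Saturday. No action is required on your part.
"""

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print(line)
    print("clean message indicators:", analyze(CLEAN))
```

These are indicators, not proof: a legitimate mailing-list message can carry a differing Reply-To, and a phishing e-mail can avoid every phrase on the list. Treat any hit as a reason to verify with the IITS Helpline rather than as a verdict.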
Why did I receive a phishing e-mail?
Phishers send out mass e-mails to a chosen group of recipients. If you received a Concordia-related phishing e-mail in your Concordia e-mail account, it is because the phishers were targeting Concordia University account holders in general, not you in particular.
E-mail phishing can also be non-targeted. If you received a phishing e-mail regarding an account or company that you are not affiliated with (e.g., Desjardins, RBC), then you simply received the phishing e-mail at random.
If you received a phishing e-mail, delete it without replying to it.
How did the phishers get my e-mail address?
As with spam, your e-mail address may have been obtained via a compromised computer, an online publication, a public directory, etc.
What do the phishers do with my personal information?
Once your information is obtained, or your account is compromised, the phishers may use your account to send out further e-mails, commit fraud (for example, if you provided banking information), or carry out other criminal activity. Clicking on a fraudulent link may also compromise your computer or infect it with a virus or spyware/malware.
What is Concordia doing to address e-mail phishing?
IITS continuously monitors these situations closely, and takes action whenever the message source can be reliably determined. Unfortunately, it is not possible to completely eliminate phishing scams, as the attacks are coming from so many different sources, and new phishing addresses are being observed daily.
Important notices have been posted and will continue to be posted at http://helpline.concordia.ca, http://iits.concordia.ca, http://myconcordia.ca, and http://concordia.ca, as well as on the Shoptalk mailing list.
What should I do if I replied to the fraudulent e-mail?
In the event that you replied to a phishing e-mail with your personal information, please notify the targeted company’s system administrators and change your password immediately, including on any other account where you use the same password.
If you provided phishers with your Alcor username and/or password, please change your Alcor password immediately. For instructions please click here.
How can I report a fraudulent e-mail?
Most businesses, banks, and institutions have an e-mail address that you can forward suspicious e-mails to. Generally, reporting a fraudulent e-mail is only necessary in the event that the recipient was personally targeted (i.e., not just in the “To:” field, but in the body of the message as well).
Example:
- To: jsmith@alcor.concordia.ca
- Subject: Verify your account
- Body: Dear John, please reply back with the password for your jsmith@alcor.concordia.ca e-mail account. Otherwise, your Alcor account will be deleted….
If you were personally targeted in the “To:” field as well as in the body of the e-mail, it would be best to report the e-mail and then delete it without replying. To obtain the forwarding e-mail address, visit the website of the company owning the account being targeted.
Tip: If you cannot easily find information about phishing on the company's website, try using the website’s search field and search for ‘phishing’. Another option would be to contact their technical support/customer service directly.
Examples:
- Concordia University IITS Helpline: help@concordia.ca
- Desjardins: phishing@desjardins.com
- RBC: information.security@rbc.com
- Scotiabank: phishing@scotiabank.com
Where can I find more phishing resources?
- Microsoft: Recognizing Phishing
- CBC: Online Identity Theft
- RCMP: Phishing or Brand Spoofing
- Services Québec: Avoid Phishing
- Desjardins: Phishing FAQ
- RBC: Phishing Resource Center
- Scotiabank: Phishing Scams