Phishing

Phishing is a common online scam designed to trick you into revealing sensitive personal information (e.g. passwords, credit card numbers, your SIN) that is then used for fraud or identity theft. Phishing typically takes the form of an email message that appears to come from a trusted organization (e.g. your bank, the university), but is actually from the identity thieves. Phishing messages are deliberately made difficult to tell apart from legitimate ones.

The Essentials

  • Do not send sensitive information in email. No matter what. Ever. This includes passwords, credit card numbers, birth dates, Social Insurance Numbers, etc.
  • Beware of links in emails—especially when the page you land on asks for sensitive information. Check the address bar to ensure that you're on the site you think you're on. When in doubt, open a new browser window and type the URL of the site you want to visit, then follow links to the page you want to access.
  • Never assume that an email came from the person you think it came from. When in doubt, phone the sender or contact the Computer Help Desk.

How to recognize a phishing message

The following examples are real phishing emails that UVic students and employees received. They are what's called "targeted phishing" (or "spear phishing"), as they are looking for specific information from members of the UVic community.

Example 1: Verify your account

These types of phishing messages ask you to reply and provide sensitive information like credit card numbers or, in this case, your password. UVic will never ask you for this kind of information via email, and you should never send it via email for any reason. We will also never ask you for your password. Ever.

Unpolished grammar

Example 2: Spoofing a UVic email address

Even though an email might look to be from the University of Victoria or the Computer Help Desk, look closely at the "From" address. If the "From" address looks legitimate, double check the return-to address in the email composition window after clicking "reply." Be aware that from time to time, even UVic email addresses get stolen or compromised. If you receive a suspicious email from someone that you know, you should call them on the phone and verify the legitimacy of the email.

Spoofing

Example 3: Click the link below

Suspicious link

Phishing messages commonly include a link that appears to go to one place (e.g. the university), but actually goes somewhere else (e.g. the attacker's site, which is set up to look like a university site; see example 5, below). If you hover your mouse over a link, the real destination generally appears in the status bar at the bottom, or in a small tooltip beside the link. If it doesn't match the link text, there's a good chance you've caught a phish.

Example 4: Imitation branding

Phishing emails that use the UVic logo or other branding images make identifying the legitimacy of the email very difficult. Be sure to check for things like spelling and grammar errors and be wary of emails that aren't addressed to you personally. Phishing messages are generally sent in bulk, so they usually don't contain your first and last name. Just because an email looks like it's from UVic, doesn't mean it is! Double check with the Help Desk if you're unsure.

Marketing spoof

Example 5: Fake websites

If you click on a link in an email, be sure to check that the website you end up at is what you expected. In the previous example, the phishing email appeared to link to mail.uvic.ca. However, if you actually clicked on the link, you would be taken to a completely different website address that is unrelated to UVic. Do NOT enter your personal information into a page that has a suspicious website address.

Exchange spoof

What to do if you suspect your account has been compromised

Visit netlink.uvic.ca and change your password immediately!

For additional assistance or information, contact the Computer Help Desk: 250-721-7687 or helpdesk@uvic.ca.

If you are noticing a lot of fraudulent emails in your inbox, there are a few ways you can prevent your account from receiving phishing or spam emails. Visit our anti-spam page for details.