BE A HERO BY REPORTING!
Report suspicious emails to IT Services.
It’s how scammers and cybercriminals try to trick you into giving up your (or others’) personal or financial data, access to accounts and systems. Their main goal is usually to make a profit, either at your expense or that of others.
By selling the data they harvest, getting you to pay them directly, stealing and using your credit card/banking information, collecting ransoms, and by blackmail.
Some scams are small and fly under the radar, either because victims are ashamed, don’t realize they’ve been scammed, or feel there’s no point in reporting it. Others regularly make the news, either because of the scale, or because of the massive amounts of damage they cause to their victims. Identity theft can cause lasting mental harm and significantly impact a victim’s ability to live a normal life. Stolen intellectual property can be misused or significantly set back research aims. Systems and services that are essential can be taken offline for months.
Any way they can! If it can be used to reach you, an attacker will try it. Email is still the most common method, but phishing attacks also take the form of links in instant messages, social media or forum posts, popup windows, video games, malicious advertisements, sponsored search results, and more! Phone calls, QR codes, even video calls using AI are also used as part of successful phishing attacks. Some scammers go old-school and initiate their phish with in-person contact at events.
Here are some common tactics they use to try and get you to fall for their attacks.
A desire to help. Fear. Curiosity. Disappointment. Urgency. Happiness. Hope. These are all popular triggers an attacker will try to leverage to hook you. “Urgent”, “Congratulations”, “Act Now” - if you spot emotional triggers, assess if it’s legitimate, spam, or scam.
Nothing is foolproof. Attackers regularly trick McGillians into handing over their passwords and 2FA credentials. They then use those to access the accounts, harvest emails, and/or email our community.
Just like marketers, attackers study what people will click on, their habits, and interests. They count on you interacting with their phishing attempt before you have a chance to think about the red flags.
If it’s available online, it can be used for phishing! Your boss’ name, the McGill logo, content from a webpage - even the whole website can be recreated by an attacker.
Protect yourself. Protect others.
But how can I easily spot phishing?
Easy? Not quite. It gets harder every year. Just like a good detective, you’ve got to look for clues and follow up on them.
Does something feel off about it? Is it too convenient? Are you being asked for banking, personal information, passwords, or money? Do you feel rushed to respond?
If you answered yes to any of those, don’t engage! Some legitimate requests might come across as urgent.
That’s when you need to follow up using a different method of contact. Never use the same one, because if it is an attack, you’ll just be chatting with the big bad wolf.
If you suddenly get an email asking you to sign a performance evaluation, but your boss hadn’t told you to expect it, that’s a red flag.
Sure, your boss might be busy and have forgotten to mention it. So check with them using a different method of contact. If they emailed you, use Teams to message them. Even better, pick up the phone and call them so you can make sure it’s them replying.
Attackers like to use this tactic while pretending to be an IT support technician, the police, Revenue Canada and other government officials, or a representative of a company you do business with, like your bank. They’ll masquerade as anyone they think you’ll hand your personal or financial information over to.
No matter how rushed the request might seem, pause, breathe, and look for clues. If they’ve contacted you over voice or chat, don’t be afraid to put an end to the conversation then and there. A legitimate business will understand.
Attackers have the same tools at their disposal as the good guys, including AI.
This lets them easily generate professional-looking, error-free content. They can also just as easily steal and repurpose anything that’s already publicly available (or that they stole when compromising someone’s account).
Be particularly cautious if you find spelling and grammatical errors.
If you’re a McGill employee, your manager shouldn’t be emailing you from anything but an @mcgill.ca address. Nor will IT Services, HR, or any other McGill unit.
Be on the lookout for any suspicious attachments.
Watch out for links that don’t match official websites. These can be extra tricky to spot - just because it has the company name in it doesn’t mean it’s legitimate. An attacker can easily buy a URL containing the word “mcgill”, for instance.
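For readers who want to automate the two checks above (sender address and link destination), here is an added example that is not part of the original page or any McGill tooling. It compares the real host against mcgill.ca instead of searching for the word "mcgill"; the sample addresses and URLs are constructed, and accepting only https links is an assumption.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "mcgill.ca"  # the only official domain named on this page


def belongs_to(host, domain=OFFICIAL_DOMAIN):
    """True only if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_is_official(from_header):
    """Judge the address part of a From: header, never the display name."""
    _, address = parseaddr(from_header)
    local, sep, host = address.rpartition("@")
    return bool(local and sep) and belongs_to(host)


def link_is_official(url):
    """Judge the host a link really points to, not the words it contains."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL: treat as not official
        return False
    if parts.scheme != "https":  # assumption: official links use https
        return False
    return belongs_to(parts.hostname)


# Constructed samples, not taken from real messages.
SAMPLE_SENDERS = [
    "IT Services <helpdesk@mcgill.ca>",
    "McGill IT <helpdesk@mcgill.ca.example.net>",        # official name, wrong domain
    '"helpdesk@mcgill.ca" <x@mcgill-support.example>',   # address hidden in display name
]
SAMPLE_LINKS = [
    "https://www.mcgill.ca/it/",
    "https://mcgill.ca.login-portal.example/",       # official name used as a subdomain
    "https://mcgill-login.example/reset",            # contains the word only
    "https://www.mcgill.ca@login-portal.example/",   # text before @ is not the host
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print("official" if sender_is_official(s) else "SUSPICIOUS", "|", s)
    for u in SAMPLE_LINKS:
        print("official" if link_is_official(u) else "SUSPICIOUS", "|", u)
```

A passing result only means the domain matches; a compromised @mcgill.ca account passes these checks too, so the other clues on this page still apply.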
If it’s in your McGill email - use the Report Message button.
All popular email services have report buttons too!
If it’s a non-email scam specifically targeting the McGill community (for example, you spot posters with suspicious links or QR codes around campus), contact the IT Service Desk to report it.
If it’s not McGill related, report it to the Canadian Anti-Fraud Centre.
Financial organizations and companies like Amazon, Apple, Google, Instagram etc. all have ways to directly report users or vendors that are scamming or spoofing them.
Scammers often re-target victims with the promise of recovering money, personal information, or with other scams. It’s a trap that plays on our hopes and fears. If you or someone you know experiences this, do not engage; instead, report the incident as soon as possible.
Phishing
Phishing is designed to cause harm to people and/or organizations. It allows cybercriminals to either profit or gain access to accounts and systems for malicious or illegal purposes. The harm can be quite significant. Some particularly dark and twisted phishing extortion scams involve emails claiming the attacker has been watching you through your webcam and viewed adult activities you engaged in, or has been contracted to assassinate you. These phishing scams may seem quite personal, but the emails are sent out en masse, and should be reported just like any other phishing emails. Pro tip: If you have the option to report a message as phishing, it’s important to use that option only for suspicious emails, and not for email that you know is spam.
Spam
Spam is called junk mail for good reason. Spammers focus on quantity and send out their emails offering products and services to as many people as they possibly can, whether or not they signed up to be part of their mailing list. It’s definitely unwanted, and at worst, results in you receiving even more spam. Pro tip: Never click the Unsubscribe button in a spam email - it lets the spammers know your email account is active. Use the Report Junk button in your email instead!
Cyber Harassment
Sometimes it can be tricky to tell if something is phishing, harassment or bullying targeted at a specific individual. They can overlap. Cyber harassment is targeted at a specific individual or group of individuals. Oftentimes it will be prolonged, repeated, and list alleged grievances or accusations. If you encounter this, depending on who the target and perpetrator are, you’ll need to report it to authorities who can take action to investigate.