Avoid Phishing Scams

Recognize phishing scams and fraudulent emails

Phishing is a type of deception designed to steal your personal data such as credit card numbers, passwords or account data.

Con artists might send millions of fraudulent email messages that appear to come from websites you trust, like your email, bank, or credit card company, and request that you provide personal information.

Before clicking any link in any email message, always hover over the link with your mouse without clicking and check the URL in your status bar. A phishing email will usually link to a URL that does not start with https or does not lead to the website you expect. Please read further for more information and advice that can protect you and your data.

What does a phishing scam look like?
How to tell if an email message is fraudulent
How to avoid phishing scams
How to handle suspicious email
What to do if you've responded to a phishing scam


What does a phishing scam look like?

As scam artists become more sophisticated, so do their phishing email messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites.

To make these phishing email messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate website. But it actually takes you to a phoney scam site or possibly a pop-up window that looks exactly like the official site but with a malicious web address.

These copycat sites are also called "spoofed" websites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists.

How to tell if an email message is fraudulent

Here are a few phrases to look for if you think an email message is a phishing scam.

Verify your account
Businesses should not ask you to send passwords, login names, social insurance numbers or other personal information through email.

If you don't respond within 48 hours, your account will be closed
These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing email might even claim that your response is required because your account might have been compromised.

Dear valued customer
Phishing email messages are usually sent out in bulk and often do not contain your first or last name.

Click the link below to gain access to your account
Specially formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a website.

The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phoney website.

Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting or transposing letters.


How to avoid phishing scams

  • Protect your computer with antivirus software, spyware filters, email filters and firewall programs.
  • Do not reply to any email that requests your personal information.
  • Do not respond to unsolicited online requests for personal information.
  • Do not enter personal information into pop-up windows.
  • Do not provide personal information online if:
    • You are not certain of who is requesting it.
    • Any word in the URL is misspelled.
    • The URL does not start with https.
    • The small yellow lock in the browser's status bar is not closed.
    • The browser window is not one you opened yourself.
  • Forward suspicious emails to IT Services at ITstaff@trinity.utoronto.ca for their assessment.


How to handle suspicious email

Follow these guidelines to help protect yourself from phishing scams sent through email:

  1. If you think you've received a phishing email message, do not respond to it.
  2. Report suspicious email to the faked or "spoofed" organization.

    Contact the organization directly, not through the email you received, and ask for confirmation. Or call the organization and speak to a customer service representative. For more information on how to report phishing scams, read What to do if you've responded to a phishing scam.

  3. Don't click links in email messages.

    Links in phishing email messages often take you to phoney sites that encourage you to transmit personal or financial information to con artists. Avoid clicking a link in an email message unless you are sure of the destination. Even if the address bar displays the correct address, don't risk being fooled. Con artists can display a fake URL in the address bar on your browser.

  4. Type addresses directly into your browser or use your personal bookmarks.

    If you need to update your account information or change your password, visit the website by using your personal bookmark or by typing the URL directly into your browser.

  5. Check the security certificate before you enter personal or financial information into a website.

    You can do this in most web browsers by checking the yellow lock icon on the status bar. If the lock is closed, then the site uses encryption to help protect any sensitive, personal information.

    Note: The lock icon doesn't need to appear on every page of a site, only on those pages that request personal information. Unfortunately, even the lock symbol can be faked. To help increase your safety, double-click the lock icon to display the security certificate for the site. The name following "Issued to" should match the name of the site. If the name differs, you may be on a fake site. If you're not sure whether a certificate is legitimate, don't enter any personal information. Play it safe and leave.

  6. Don't enter personal or financial information into pop-up windows.

    One common phishing technique is to launch a fake pop-up window when someone clicks a link in a phishing email message. To make the pop-up window look more convincing, it may be displayed over a window you trust. Even if the pop-up window looks official or claims to be secure, avoid entering sensitive information, because there is no way to check the security certificate. Close pop-up windows by clicking the red X in the top right corner (a "cancel" button may not work as you'd expect).

What to do if you've responded to a phishing scam

If you suspect that you've responded to a phishing scam with personal or financial information or entered this information into a fake website, take these steps to minimize any damage.

Step 1: Report the incident to the following authorities

  • Institutions you deal with and your credit card company, if you have given out your credit card or account information. The sooner an organization knows your account may have been compromised, the easier it will be for them to help protect you.
  • The company that you believe was forged. Remember to contact the organization directly, not through the email message you received.
  • Contact both of Canada's national credit reporting agencies, Trans Union Canada and Equifax Canada. Ask each agency to send you a copy of your credit report. Also, discuss with them whether you should have a fraud alert placed on your file, asking that creditors call you before opening any new accounts or changing your existing accounts.
    Equifax Canada
    Trans Union Canada
  • You can also report the phishing scam to the at reportphishing@antiphishing.org. To report the scam to these groups, create a new email message addressed to them and attach the phishing email to the new message. You can also copy the entire phishing email and paste it in the new message. Do not use the "forward" option if possible, as this format may exclude information and requires more manual processing.

Step 2: Change the password on your online account

Step 3: Routinely review your credit card and bank statements 

Review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.