Phishing

Phishing is a common online scam designed to trick you into revealing sensitive personal information (e.g. passwords, credit card numbers, SIN) that is then used for fraud or identity theft. Phishing typically takes the form of an email message that appears to come from a trusted organization (e.g. your bank, the University), but is actually from the identity thieves. It is intentionally difficult to tell the difference between a legitimate message and a phishing message.

The Essentials

  • Do not send sensitive information in email. No matter what. Ever. This includes passwords, credit card numbers, birth dates, Social Insurance Numbers, etc.
  • Beware of links in emails - especially when the page you land on asks for sensitive information. Check the address bar to ensure that you're on the site you think you're on - make sure the web address includes uleth.ca or ulethbridge.ca as described below. When in doubt, open a new browser window and type the address of the site you want to visit, then follow links to the page you want to access.
  • Never assume that an email came from the person you think it came from. When in doubt, call the sender on the phone or contact the Solutions Centre (403-329-2490 or help@uleth.ca).

How to recognize a phishing message

  • "Verify your account"
    The message asks you to reply and provide sensitive information like passwords or credit card numbers. The University would never ask you for this kind of information via email, and you should never send it via email for any reason.
  • "If you don't respond within 48 hours, your account will be closed."
    Phishing messages try to convey a sense of urgency so that you'll respond without thinking. It's always safer to check with the supposed sender of such a message via phone or in person before doing anything.
  • "Dear Valued Customer,"
    Phishing messages are generally sent in bulk, and usually don't contain your first and last name.
  • "Click the link below..."
    Phishing messages commonly include a link that appears to go to one place (e.g. the University), but actually goes somewhere else (e.g. the attacker's site, which is set up to look like the University site). If you hover your mouse over a link, the real destination generally appears in the status bar at the bottom, or in a small pop-up beside the link. If it doesn't match the link text or goes somewhere other than a uleth.ca or ulethbridge.ca site, there's a good chance you've caught a phish. (See the next section for more details on this.)
  • The message does not pertain to you.
    Some recent phishing messages appear to come from the US Internal Revenue Service advising you of a tax refund. If you don't file taxes in the US, you can safely assume that such a message is a phish.
  • Spelling and grammar errors.
    It is common for phishing messages to include many spelling and grammar errors. Some of these errors, especially in the subject line, may be placed intentionally to try to confuse automated phishing filters. However, the absence of spelling/grammar errors doesn't necessarily mean the message is legit.

How do I know if the link in an email goes to a U of L website?

If you hover your mouse pointer over the link in your email, you will usually be able to see the true destination (it will either be visible in a pop-up near the link or in the status bar at the bottom of the window - see the examples below). You can also see it at the top of your browser after you've clicked the link.

The links you will see look like this:

 

http://www.uleth.ca/it/security
https://discover.ulethbridge.ca/highschool/
http://news.google.ca/news

 

To determine whether a link is really going to a U of L website, verify the part to the left of the first single slash. We've highlighted it in red below:

 

http://www.uleth.ca/it/security/ - This is a link to a U of L website.
https://discover.ulethbridge.ca/highschool/ - This is a link to a U of L website.
http://news.google.ca/news - This is NOT a link to a U of L website.

 

You can tell that the first two links go to U of L sites because the part to the left of the first single slash ends in uleth.ca or ulethbridge.ca. The third link is not a U of L website, as the part to the left of the first single slash ends in google.ca.

Never enter your U of L password on any site that doesn't include uleth.ca or ulethbridge.ca in the link as shown above.
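
The check described in this section, written out as an added example (not code from the University's page): it takes the host from each link in a message, accepts it only when it is exactly uleth.ca or ulethbridge.ca or a subdomain of one of them, and flags links whose visible text names a U of L address while the real destination does not. The function names and the sample message body are constructed for illustration; www.uleth.ca.login.example is a made-up host showing that an address merely containing uleth.ca does not pass.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

UOFL_DOMAINS = ("uleth.ca", "ulethbridge.ca")  # the two domains named on this page

def is_uofl_host(url):
    """True only if the host (the part before the first single slash) is a U of L domain."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed address: treat as not U of L
        return False
    # Exact match or a dot-separated subdomain; a host that merely contains the text fails.
    return any(host == d or host.endswith("." + d) for d in UOFL_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body):
    """Return (href, text, verdict); 'mismatch' = text names U of L but the href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = []
    for href, text in parser.links:
        names_uofl = any(d in text.lower() for d in UOFL_DOMAINS)
        verdict = "uofl" if is_uofl_host(href) else "mismatch" if names_uofl else "external"
        report.append((href, text, verdict))
    return report

# Constructed sample body (hypothetical message, not a real capture).
SAMPLE = (
    '<a href="http://www.uleth.ca/it/security">IT Security</a>'
    '<a href="http://some.scam.site/">http://www.uleth.ca/webmail</a>'
    '<a href="http://www.uleth.ca.login.example/">Webmail</a>'
)

if __name__ == "__main__":
    for row in audit_links(SAMPLE):
        print(row)
```

Only a verdict of "uofl" means the destination is a U of L host; "mismatch" is the hover-over case described above, where the link text and the real destination disagree.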

What do phishing messages look like?

Here is an example of a phishing message that asks you to respond with your password via email:

 


Dear uleth.ca Email Owner,

This message is from uleth.ca messaging center to all uleth.ca Email owners. We are currently upgrading our data base and e-mail center. We are deleting all unused uleth.ca to create more space for new one.

To prevent your account from closing you will have to update it below so that we will know that it's a present used account.

CONFIRM YOUR EMAIL BELOW
Email Username :.....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........

Warning!!! Email owner that refuses to update his or her Email,within Seven days of receiving this warning will lose his or her Email permanently.

Thanks,
uleth.ca Team
ULETH BETA.

---------------------------------------------------------------------------
3webXS HiSpeed Dial-up...surf up to 5x faster than regular dial-up alone...
just $14.90/mo...visit www.get3web.com for details


 

Notice the following points about this message:

  • Generic greeting
    The message begins with "Dear uleth.ca Email Owner," instead of addressing the recipient by his/her first and last name.
  • "uleth.ca" instead of "University"
    The message consistently refers to the University as "uleth.ca". This is relevant because the message is set up as a template, and the domain name the attackers are targeting is simply inserted into the message. A legitimate message would use "University", "U of L", or "University of Lethbridge" in most of these places.
  • "CONFIRM YOUR EMAIL BELOW"
    The message indicates that you should reply with your username, password, etc. This sort of information should never be sent by email, and is a clear indication of phishing.
  • "within Seven days..."
    The message tries to get you to reply without thinking by threatening that your account will be deleted.
  • Advertisement at the bottom
    This message includes an ad for "3webXS HiSpeed Dial-up". A legitimate University communication would never include ads.

Here is an example of a phishing message with a link to a non-U of L website:


Your Webmail Quota Has Exceeded The Set Quota/Limit Which Is 20GB.
You Are Currently Running On 23GB Due To Hidden Files And Folder On Your Mailbox.
Please Click the Link Below To Validate Your Mailbox And Increase Your Quota.

Click here: http://some.scam.site/
Failure To Click This Link And Validate Your Quota May Result In Loss Of Important Information In Your Mailbox/Or Cause Limited Access To It.
Thanks
HELP DESK

 

Here is an example of a non-U of L scam site, often linked to by an email like the one above:



What should I do if I receive a phishing message?

  • If you receive a generic phishing message (e.g. "Dear Webmail User"), just delete it.
  • If you receive a targeted phishing message (e.g. "Dear Uleth.ca User"), please forward it to help@uleth.ca and then delete it.

Can't you filter phishing messages the same way you do spam?

The University has recently started adding ***PHISHING-SCAM*** to the subject line of any email that appears to be a phishing message. If you receive a legitimate message that is tagged with ***PHISHING-SCAM*** in the subject, please contact the IT Solutions Centre (403-329-2490 or help@uleth.ca) so that we can make the appropriate adjustments.

The truth is that blocking phishing messages is a tricky business. As the phishers become more and more proficient at mimicking legitimate emails, it becomes harder to identify them automatically.

If you have questions about phishing, please contact the Solutions Centre (329-2490 or help@uleth.ca).