McGill IT Knowledge - Phishing scams and how to protect yourself

OVERVIEW

Target audience: McGill faculty, students and staff

Phishing is one of the most common ways that cybercriminals gain access to sensitive information, accounts, and systems. Phishing attacks often come as an email, text, call, or post from a trusted sender, company, or organization. This article provides information on how to spot, stop, and report phishing attacks.

In this article:

Phishing at McGill
Phishing can happen to anyone: How to recognize and report a phishing attack
Phishing safety tips in your McGill Outlook email
Other safety features in your McGill email and Microsoft Teams
The 7 red flags of phishing
Other types of scams

warning

ATTENTION:

If you have clicked a link or opened a file attachment in a suspicious email, please call the IT Service Desk immediately at 514-398-3398.

You can quickly report a suspicious email using the Report Message, Report Junk, or Report Phishing buttons in any Outlook app, including Outlook on the web (https://outlook.com/mcgill.ca).

Note: If the email is already in your Junk Email folder, you do not need to report it.

For more details, see Report suspicious emails.

In addition, we invite you to take the Cyber Security Essentials Training course for all faculty, staff and students.

Phishing at McGill

Learn what phishing is, how attackers profit from it, and how they’ll try to phish you by visiting our Phishing 101 page.

A few McGill specifics to keep in mind:

McGill representatives will never contact you by email or phone and ask you to provide confidential information, nor will they request you to log onto a website.
Phishing attempts can be convincing, often using content (images, information, logos, and templates) taken from legitimate McGill websites and those of the services we use. If in doubt, verify: contact the department or organization that the message appears to be from using a different method of communication to confirm that they did indeed send it.
Phishing attacks that impact a significant portion of the McGill community are posted on the IT Services site in the Announcements & alerts section. Emails sent from IT Services on specific IT-related issues that require you to take any action can also be found here, so you can confirm if an email you received is legitimate.

Phishing can happen to anyone: How to recognize a phishing attack

Did you accidentally fall victim to a phishing attack? It can happen to almost anyone, at any time. If you do fall victim to phishing through a McGill-provided service such as email or Teams or provide your McGill credentials as part of an attack, it is critical that you report it right away to the IT Service Desk by calling 514-398-3398.

There are common clues that can help you identify a phishing attack. Be on the lookout for these signs:

Messages that you don’t expect or that don’t quite make sense for you to have received.
Offers that are too good to be true.
Messages that create a strong sense of urgency.
Emails that appear work-related but use a personal email address, such as @gmail.com.
The language, tone, or signature is inconsistent with the supposed sender.
Emails that pressure you to bypass or ignore security policies, business processes, and usual ways of working at McGill.
Messages that try to invoke curiosity or fear.

We know the bad guys can be tricky. If you suspect an email sent to your McGill email is a phishing attack, help us by reporting it right away.

Phishing safety tips in your McGill Outlook email

When you access your McGill email through Microsoft Outlook, phishing safety tips at the top of some messages help you determine whether to trust them.

warning

IMPORTANT:

These messages only appear when an email comes from a non-McGill email account. Emails sent from one McGill email to another don't have these messages. Since McGill email accounts can get compromised, you should always assess an email before interacting with it in any way.

"You don't often get email from <email address>."

If an email is sent to multiple people, you might see "Some people who received this message don't often get email from <email address>" instead. When you see this variation, it's very likely phishing.

This is the most common safety tip. You'll see it when:
- Anyone contacts you for the first time. This could be a legitimate contact, a marketer, spam, or phishing.
- Someone emails you very rarely. For example, a fellow researcher from another institution only emails you once or twice a year.

"<email address> appears similar to someone who previously sent you email…"

"The email address <email address> includes unexpected letters or numbers. We recommend you don't interact with this message."

These safety tips are often a sign that you're being phished. You'll see them when:
- An attacker is spoofing by creating an email account similar to the legitimate account of someone you're familiar with or trust, such as your boss or a colleague. For example, we often see Gmail accounts created that impersonate members of the McGill community.
- A legitimate contact writes you from a different address because they've changed their workplace or school. This is rare. If you're unsure, contact them through a method you've previously used, such as the email address you've previously used to communicate with them.

"This sender might be impersonating a domain that's associated with your organization."
"The actual sender of this message is different than the normal sender."

These safety tips can be a sign that you're being phished.
When you'll see them:
- An attacker is spoofing McGill.ca or one of the many other domains owned by McGill University.
- Some McGill groups use external online tools to send out bulk mail. If they haven't properly configured them in coordination with IT Services to send mail on behalf of McGill, this tip may appear.

What should you do when you spot one of these tips?

Like with any other message, take an extra minute to review it and look for signs of phishing. If you’re unsure, don’t interact with the email. Instead, look for:

Facts you can cross-check.
Alternatives to clicking on any links (e.g. if a file is supposedly being shared with you through SharePoint, go directly to mcgill.sharepoint.com and search for it there).
Companion content on trusted sources (like a mcgill.ca website).
If you recognize the sender, contact them using a method you’ve previously used or listed on their organization’s website.

If you suspect an email sent to your McGill account is a phishing attack, help us and our community by reporting it right away.

What should you do if you spot a tip that isn’t listed here?

Microsoft occasionally updates the wording of their safety tips and creates new ones, and we may only discover them when we see them first-hand. Attackers have also created their own and added them at the top of their emails (Hint: their messages often try to make the email seem legitimate and safe). If you spot a tip that’s not listed in our article, pay extra attention to what it tells you.

If there’s no tip at the top of an email, does that mean it’s safe?

Unfortunately not. Attackers are wily, and if they manage to compromise a McGill mailbox or compromise a reputable organization or sender, they can send emails that make it through our detection systems and defenses. That’s why it’s always important to think before you click...on anything!

Other safety features in your McGill email and Microsoft Teams

Safe Attachments  
Safe Attachments scans all incoming attachments in your email and Microsoft Teams conversations to detect malware and/or viruses. This enhanced attachment scanning might result in very slight delays in receiving attachments.

Safelinks  
This feature scans links in your email and Microsoft Teams conversation for links that are known to be malicious or fraudulent.
If you do click on a known malicious or fraudulent link, Safelinks will protect you from accessing the content at that link. Instead, you will be sent to a Microsoft page informing you that you have clicked a malicious link. This feature adds an extra layer of protection from phishing, fraud, and malware.

Note:  The link preview displays the correct link in Outlook but may show a different URL beginning in can01.safelinks.protection.outlook.com in other mail programs.

The 7 red flags of phishing

Other types of scams

In addition to email, scams can also be facilitated by phone, text, and other methods. Fraudsters will often impersonate government or law enforcement officials to try and scam you out of large sums of money. Below are some resources from the Government of Canada on how to recognize these scams and help avoid becoming a victim: