Tips for identifying and reporting a phishing attempt

Phishing attempts and attacks are incredibly common forms of social engineering, used to target people in the form of malicious emails or messages. These attempts are becoming more sophisticated and polished and are on the rise as more people work remotely. Here are steps to identify and report phishing attacks.

What are common red flags of phishing attempts?

A strong sense of urgency and/or odd requests

These emails will often request that you complete a task quickly so that you don’t have time to consider or think about the request. A common example is when attackers pose as the victim’s boss and ask them to quickly purchase a gift card and send the code via email. See an example here.

Requesting personal information

Legitimate organizations are unlikely to request sensitive or personal information through email, so a request for this information is often a sign of a phishing attempt. University of Toronto (U of T) staff, faculty and students will never be asked to share their UTORid password.

Spelling and/or grammar mistakes

Check for spelling mistakes and/or grammatically incorrect sentences. If you are already suspicious, these mistakes can be an indication of a phishing email. See an example here.

Brief signatures and generic greetings

The email signature may be missing crucial information like an address or phone number, while the greeting may use phrasing such as “good afternoon,” “dear customer” or no greeting at all rather than your name. See an example here.

Intriguing attachments or links

Phishing emails aim to trick you into clicking malicious links or opening malicious attachments. The attachments might even include fake images or icons to make it look like the sender is sharing or sending a document you are expecting. Fake links might be hyperlinked so that the display text seems legitimate, but the hyperlinked address is malicious. See an example here.

What can I do to help identify/confirm a phishing attempt?

  • Tap or click the display name to see if the email address matches/is valid
  • Hover over (or long-press on mobile) links to check if the URL address matches the display text
  • Check the Phish Bowl to see if the email you received has already been reported

What can I do if I suspect a phishing attempt?

  • Report phishing messages either by using the “report message” function in your Office 365/UTMail+ inbox or by reporting them to report.phishing@utoronto.ca.
  • When in doubt, call or ask the sender in person to confirm that the email was really from them.
  • If you opened an attachment that was provided in a phishing email, contact your local IT service desk immediately.
  • If you suspect your password may have been compromised due to an attack, immediately change it.

What can I do to prevent future phishing attempts?

Working from home on personal devices

For safe and effective account management on your personal devices while working from home, follow these top five tips: 

  1. Create a password-protected user account that you only use for work.
  2. Create a separate account for everything else, including online shopping, casual web-surfing, watching Netflix, etc. Where possible, create additional accounts for anyone else who might use your computer (e.g. family members, roommates, guests, etc.).
  3. Make sure your work account automatically locks after short periods of inactivity. This will prevent accidental use of your work account by other users.
  4. Limit yourself to one administrative account on the computer that is used to authorize updates.
  5. Use different passwords to access each account. Review these tips for creating strong passwords.

Looking for more tips on working remotely? Visit Remote Security Matters.

Cyber threats on the rise for health care and research

The Canadian Centre for Cyber Security has been monitoring an increase in targeted attacks during the COVID-19 pandemic and has published curated advice and guidelines for targeted institutions and IT professionals.

Cyber threat attackers monitor current affairs across the globe to identify ways to exploit fear and uncertainty to increase their success rate. It is no surprise that the current global pandemic has provided malicious attackers opportunities to target individuals and institutions involved in healthcare and research, in addition to the general public.

More information and the full PDF tip sheet can be downloaded from the Canadian Centre for Cyber Security website.
Baseline Security Controls. Read linked pdf

Below are some quick links to cyber security resources, which can also be found in the tip sheet.

Cyber Security Best Practices:

Additional Information

More information on the Canadian Centre for Cyber Security.

Take 5 Minutes to Improve Your Online Safety

University of Toronto’s Citizen Lab provides the community with a simple visual tool that helps internet users navigate complicated privacy and security concerns in an ever-evolving digital world.

Security Planner is an easy-to-use guide that outlines how to stay safe online. Whether you are online for personal or professional reasons, answering three simple questions will generate a personalized list of recommendations with step-by-step instructions based on your specific concerns and environment.

Try out Citizen Lab’s confidential and free Security Planner service. Simply select what applies to you and get on track to a safer online experience!

Receive personalized recommendations based on:

  • What device(s) you are using
  • Your personal security concerns
  • Areas of information security that interest you most or scenarios that are best suited to your situation

Block Known Malicious Sites from Home

The Canadian Internet Registration Authority (CIRA) has announced a new security service to protect individual Canadians from accessing malware sites. It’s called Canadian Shield and it provides three levels of protection: ‘private’, ‘protected’ and ‘family’, by filtering DNS queries. User-friendly instructions are provided to set up a full range of devices and there is no charge for the service. Learn more here.

When set to ‘protected’, the service will block HTTP and HTTPS connections to known malware and phishing sites as well as protect the privacy of DNS queries. In the case of HTTP, users receive a notification explaining why access to a site was blocked, whereas HTTPS attempts will result in an error message.

This type of DNS protection is known to be effective in blocking malicious sites, reducing the likelihood of malware infections and reducing the effectiveness of phishing attacks.

This article from the Canadian Centre for Cyber Security provides a detailed explanation.

This video from Waterloo University demonstrates where to make changes in your router.

Image shows how Canadian Shield protects users from accessing known malicious sites

Protect Your Network

Almost every home network starts with a wireless (often called Wi-Fi) network. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it:

  • Change the default administrator password on the device controlling your wireless network. The administrator account is what allows you to configure the settings for your wireless network.
  • Ensure that only people you trust can connect to your wireless network. Do this by enabling strong security including requiring a password for people to connect to your wireless network. Once connected, their online activities are then encrypted.
  • Make sure the password you provide to people using your wireless network is a strong password and that it is different from the administrator password.
  • Remember you only need to enter the administrative password once for each of your devices, as they store and remember the password.

Not sure how to perform these steps? Ask your Internet service provider, check their website, check the documentation that came with your wireless access point, refer to the vendor’s website or review the first 80 seconds of this video.

Other tips to protect your home are:

  • Know and secure other network devices in your home
  • Keep your home systems up to date
  • Use two-step verification for your online accounts
  • Back-up your data

Details are also shown in the fact sheet on “Creating a Cyber Secure Home.”

Protect Your Passwords

When a site prompts you to create a password: create a strong one — the more characters it has, the stronger it is. Using a passphrase is one of the simplest ways to ensure your password is strong. A passphrase is a password made up of multiple words such as “beehoneybourbon.” We recommend you also use a unique passphrase for each device or online account. This way, if one passphrase is compromised, all of your other accounts and devices are still safe.

Can’t remember all your passphrases? Use a password manager, which is a specialised program that securely stores all your passphrases in an encrypted format (and has lots of other great features too!).

Finally, enable two-step verification (also called two-factor or multi-factor authentication) whenever possible. It uses your password, but also adds a second step, such as a code sent to your smartphone or an app that generates the code for you. Two-step verification is probably the most important step you can take to protect your online accounts and it’s much easier than you may think.

See more detail in this document.

Image showing steps to protect your password

Additional Security Matters articles about passwords:

Remote Security Concerns

We know that working from home is different — perhaps overwhelming — as you adjust to your new environment. One of our goals is to enable you to work as securely as possible from home. Below are some simple, effective steps to working securely. The best part is all of these steps not only help secure your work, but they will make you and your family far safer as you create a cybersecure home.
The following is a list of useful cyber security sites:

Date        Internal/External  Sites
2020-03-30  Internal           U of T ITS IT Preparedness
2020-03-30  Internal           Special Advisory on COVID-19 Phishing, Mar 19, 2020
2020-03-30  Internal           CTSI Resources for Instructors
2020-03-26  External           Canadian government guidance
2020-03-26  External           UK government training
2020-03-26  External           SANS Security Awareness blog
2020-03-26  External           General guidance (cygenta.co.uk)

Protect Yourself Against Malware

Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices. Meanwhile, the companies that created the software are hard at work fixing them by releasing updates.

Here are some tips and resources to help protect your devices against malware while working remotely:

  1. Enable automatic updates on your devices. By ensuring your computers and mobile devices install these updates promptly, you make it much harder for someone to hack you. This rule applies to almost any technology connected to a network, including not only your work devices but Internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles or even your car. If your computer is managed by your department, automatic updates may already be enabled.
  2. Install Microsoft System Center Endpoint Protection (anti-virus for Windows); it is available for no charge on University owned or leased equipment. See microsoft.utoronto.ca for more information.
  3. If you are using a work-provided computer remotely, be sure to only download and use products and software that are approved by your department.
  4. See this tip sheet on how to protect yourself from phishing attacks.
  5. Promptly report incidents to your IT personnel. See this list of contacts for details.

See more detail in this document.

Image with attached PDF on staying safe from malware

Additional Security Matters articles about malware:

Protect Yourself Against Personalized Attacks

During this time of change and confusion, personalized cyber attacks are more common and have a greater success rate.

Here are some tips and resources to help you stay safe when working remotely:

  1. Get familiar with the different types of social engineering.
  2. Learn how to spot a phish! The best offence is a good defence!
  3. Learn about the anatomy of a phish.

If you suspect a social engineering attempt, follow this checklist:

  • Resist the rush: If someone pressures you to act quickly, it is most likely an attack.
  • Recognize the ‘bag of tricks’: If something sounds suspicious or too good to be true, it probably is.
  • Think before you click: Be cautious. One wrong move could infect your device and spread the infection to others.
  • If you are not sure, ask: Ask your manager or your administrator if what you are being asked to do is unusual; ask through your normal methods.
  • Do not respond unless you are certain: do not provide your phone number or respond to emails. Hang up the phone if you feel threatened.
  • React quickly if you think your account / computer was compromised: change your password and contact your local IT department.

See more detail in this document.
Social Engineering Personalized Attacks Factsheet

Want to learn more about malware and its effect on the U of T community?

Here are some Security Matters articles on previous incidents that involve social engineering