Phishing 101: Spot, report and prevent


It may be hard to imagine how much damage a single email can cause, but commonly cited estimates put around 90 per cent of cyber incidents down to a successful phishing attack.

With increased reports of cyber attacks around the world, it’s important to know what to do in the event of a phishing attack. Use this quick guide to learn how to protect yourself.

What is phishing?

Phishing is a form of social engineering used by cyber criminals to trick individuals into clicking a malicious link, downloading malware or sharing sensitive information. The messages are usually disguised so that they appear legitimate, often by imitating an organization or a person the recipient already trusts.

Received a suspicious email? Pause to think before you act.

Before you engage with a suspicious email, ask yourself these questions:

  1. Does this message make sense?
  2. Why am I receiving this email?
  3. Does the tone seem unnecessarily rushed or urgent?
  4. Am I being asked to download an attachment or click on an unknown link?
  5. Am I being asked for information that is personal or sensitive?

If your answers don’t clear your suspicions, then report the email immediately. Learn more about how to identify and report a phishing attempt.
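The five questions above can be applied to a raw email message mechanically, which is how a help desk or security team would triage reports at scale. The script below is an added example, not code from the original post or from U of T; it assumes that mail is expected only from utoronto.ca (the `trusted_domains` parameter), uses illustrative urgency and sensitive-information word lists, and runs against two constructed sample messages rather than real phishing received by the community. It flags a sender outside the expected domain (question 2), urgent language (question 3), links whose visible text names a different host than the one they actually point to, plus any attachments (question 4), and requests for sensitive information (question 5). Question 1 still needs a human.

```python
"""Apply the 'pause before you act' checklist to a raw email (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative word lists (an assumption for this example, not an official list).
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "act now")
SENSITIVE_WORDS = ("password", "utorid", "credit card", "bank account", "passcode")
# Anchor text that looks like a URL, so we can compare it with the real href.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class BodyScanner(HTMLParser):
    """Collect visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = ""
        self.links = []
        self._link = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._link = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        self.text += data
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append(tuple(self._link))
            self._link = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage(raw, trusted_domains=("utoronto.ca",)):
    """Return the checklist findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Q2 "Why am I receiving this?": sender outside the domains we expect.
    from_hdr = msg["From"]
    domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    if not any(domain == d or domain.endswith("." + d) for d in trusted_domains):
        findings.append(f"sender domain {domain!r} is not one we expect mail from")

    # Pull visible text and links out of the preferred body part.
    scanner = BodyScanner()
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            scanner.feed(content)
            scanner.close()
        else:
            scanner.text = content
    lowered = ((msg["Subject"] or "") + "\n" + scanner.text).lower()

    # Q3 "Unnecessarily rushed or urgent?"
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgent tone: " + ", ".join(hits))

    # Q4 "Asked to click an unknown link or open an attachment?"
    for href, shown in scanner.links:
        shown = shown.strip()
        if URL_LIKE.match(shown) and host_of(shown) != host_of(href):
            findings.append(f"link displays {host_of(shown)} but points to {host_of(href)}")
    names = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    if names:
        findings.append("attachments present: " + ", ".join(names))

    # Q5 "Asked for personal or sensitive information?"
    asks = [w for w in SENSITIVE_WORDS if w in lowered]
    if asks:
        findings.append("asks for sensitive information: " + ", ".join(asks))

    # Q1 "Does this make sense?" needs a human; two or more findings means report it.
    return {"findings": findings, "report": len(findings) >= 2}


# Constructed sample messages for this example (not real mail received at U of T).
PHISH_EML = """\
From: "U of T Help Desk" <helpdesk@ut-secure-login.example>
To: student@mail.utoronto.ca
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox is over quota. Verify your password immediately
or your account will be suspended within 24 hours.</p>
<p><a href="http://ut-secure-login.example/verify">https://www.utoronto.ca/account</a></p>
</body></html>
"""

LEGIT_EML = """\
From: "Help Desk" <help.desk@utoronto.ca>
To: student@mail.utoronto.ca
Subject: Your service ticket has been closed

Your ticket has been closed. Reply to this message if the problem returns.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        result = triage(raw)
        print(label, "report:", result["report"], *result["findings"], sep="\n  ")
```

The link check is the one most users miss: the anchor text reads as a utoronto.ca address while the `href` goes elsewhere, which is exactly what "an unknown link" looks like in a convincingly disguised message. Hovering over a link before clicking reveals the same mismatch by hand.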

What to do if you suspect an email to be a phishing attempt

  1. Do not interact with the sender. Do not click on links, download attachments, provide personal information or forward it to your contacts.
  2. If in doubt, call the sender or ask them in person to confirm that the email is really from them. Use a phone number or contact you already have, not one taken from the suspicious message itself, because a phisher controls everything in the message.
  3. Report the email to and then delete it from your inbox.
  4. If you already engaged with the sender or clicked on a link or attachment, please contact immediately for assistance.

How can you prevent future phishing attacks?

Hackers frequently steal login credentials to access email accounts. These compromised accounts are then used to send phishing emails to other unsuspecting individuals. Protect your online accounts to prevent this from happening:

  1. Use multi-factor authentication (MFA) for your online accounts. Enrol in UTORMFA, U of T’s multi-factor authentication solution, to add an extra layer of protection to your U of T online accounts.
  2. Create unique and strong passwords for your online accounts.

Keep an eye out for these common types of phishing:

  1. Email phishing: Fraudulent emails designed to manipulate individuals into revealing sensitive information or taking other harmful actions.
  2. Spear phishing: Fraudulent emails targeting a specific group or individual in an organization.
  3. Whaling: Fraudulent emails targeting senior executives at an organization.
  4. Smishing: Phishing messages sent via SMS.

Check out the Phish Bowl for examples of actual phishing emails received by members of the U of T community.

Visit the Security Matters website regularly to learn more about information security and online safety.