Report an Incident

Received a suspicious message?

Have you received a possible phishing email?

If you receive a suspicious email from a known or unknown email contact asking you to click a link, download an attachment, enter your credentials or send money or gift cards you may have received a phishing email. The University of Toronto’s Information Security and Enterprise Architecture (ISEA) team takes these attacks very seriously. If you think you have received a phishing attempt please take the following measures:

What can you do if you suspect a phishing attempt/attack?

  1. If you suspect your password may have been compromised, immediately change it at
  2. Please report phishing messages by using the “report message” function in your Office 365/UTMail+ inbox and please report it to
  3. When in doubt, call or ask the sender in person to confirm the email was really from them.
  4. If you opened an attachment that was provided in a phishing email, reach out to your local IT service desk immediately.

Learn more about phishing here:

Threat to life or property – call police 911

  • This is usually really easy to spot – Fire, flood, physical break-ins, assault, robbery, etc.
  • To ensure prompt service, after calling 911, contact Campus Police at 416-978-2222
  • If there turns out to be an investigation that requires Infosec, Campus police may engage us in this case, but they will continue to own the incident.

Event or Incident?

When deciding whether an event is security related, and it is not immediately obvious, consider these questions:

  • Did someone see/change/delete sensitive information that they should not have? (Ransomware, Denial of Service, Loss of data confidentiality, etc.)
  • Did someone intentionally access a system that they should not have? (hacking access, installing and using a back door, etc.)
  • Did someone misrepresent themselves when accessing a University resource? (use of stolen credentials, falsifying identification, etc)
  • Something else?

One of the key consideration is whether there was a malicious intent or not. In general, if there is malicious intent, then it is an Incident, otherwise it is an Event.


Contact your local Help Desk.


Please see the Incident Event Flow for an overview.

For Medium and High incidents, contact ISEA at

Highly sensitive issues can also be reported by phone though the usual means.

Classification of an Incident

  • low impact malware such as clickfraud on workstations without restricted data is low.
  • Denial of service attack against a shared hosting service (multiple groups affected) is a medium.
  • unauthorized access to a service that hosts restricted data is a high.

Low incidents would usually be managed by a Department/Division/Faculty (D/D/F) incident management process. If you do not know the process, contact your local IT group.