Reporting phishing attempts is everyone’s responsibility

This is an image of a browser with the deceptive website alert.

In a large organization like University of Toronto (U of T), information security is everyone’s responsibility. Phishing is a fraudulent act of acquiring sensitive information (usernames, passwords, credit card information and more) through email, phone calls and text messaging. Everyone is responsible for recognizing and reporting these threats.

Phishing attempts should be reported quickly because a successful scam could lead to an organization-wide security breach. For example, if an employee of an organization enters their account credentials into a fake login portal their account could then be used to phish other employees or even external contacts. By targeting not only the organization but also the organization’s external contacts, a security breach can increase rapidly.

Phishing attempts can sometimes be identified by the use of out of place or awkward phrasing, typos and/or poor grammar. Many attempts will include unusual emotional triggers that emphasize urgency, fear or disciplinary action. The attacker wants sensitive information quickly, and won’t want to give you time to think or confirm.

Always keep in mind that some phishing attempts are very well crafted – remember that the desired result is to trick you into giving away information, such as your login credentials.

Below are some of the best practices many industries and organizations use to avoid security breaches.

  • Emails that contain hyperlinks should be checked to see if the blue text has an embedded URL that leads to a trusted destination.
  • For emails that come from external sources, never click on links, and always manually navigate to the website. Government organizations like the Canada Revenue Agency (CRA) will never ask for credentials or send you links.
  • Use different passwords for each of your accounts, especially for work-related accounts. If one account is compromised, you don’t want to compromise all of your accounts.

You can report any suspicious emails to

To learn more, visit our security blog at

We have resources available for students, staff, faculty and IT professionals.

Here are some more tips on how to avoid identity theft and keep your accounts safe.