BE A HERO BY REPORTING!
Report suspicious emails to IT Services.
Report suspicious emails to IT Services.
It’s how scammers and cybercriminals try to trick you into giving up your (or others’) personal or financial data, access to accounts and systems. Their main goal is usually to make a profit, either at your expense or that of others.
By selling the data they harvest, getting you to pay them directly, stealing and using your credit card/banking information, collecting ransoms, and by blackmail.
Some scams are small and fly under the radar, either because victims are ashamed, don’t realize they’ve been scammed, or feel there’s no point in reporting it. Others regularly make the news, either because of the scale, or because of the massive amounts of damage they cause to their victims. Identity theft can cause lasting mental harm and significantly impact a victim’s ability to live a normal life. Stolen intellectual property can be misused or significantly set back research aims. Systems and services that are essential can be taken offline for months.
Any way they can! If it can be used to reach you, an attacker will try it. Email is still the most common method, but phishing attacks also take the form of links in instant messages, social media or forum posts, popup windows, video games, malicious advertisements, sponsored search results, and more! Phone calls, QR codes, even video calls using AI are also used as part of successful phishing attacks. Some scammers go old-school and initiate their phish with in-person contact at events.
Here are some common tactics they use to try and get you to fall for their attacks.Â
A desire to help. Fear. Curiosity. Disappointment. Urgency. Happiness. Hope. These are all popular triggers an attacker will try to leverage to hook you. “Urgent”, “Congratulations”, “Act Now” - if you spot emotional triggers, assess if it’s legitimate, spam, or scam.
Nothing is foolproof. Attackers regularly trick McGillians into handing over their passwords and 2FA credentials. They then use those to access the accounts, harvest emails, and/or email our community.
Just like marketers, attackers study what people will click on, their habits, and interests. They count on you interacting with their phishing attempt before you have a chance to think about the red flags.
If it’s available online, it can be used for phishing! Your boss’ name, the McGill logo, content from a webpage - even the whole website can be recreated by an attacker
Protect yourself. Protect others.
But how can I easily spot phishing?
Easy? Not quite. It gets harder every year. Just like a good detective, you’ve got to look for clues and follow up on them.
Does something feel off about it? Is it too convenient? Are you being asked for banking, personal information, passwords, or money? Do you feel rushed to respond?
If you answered yes to any of those, don’t engage! Some legitimate requests might come across as urgent.
That’s when you need to follow up using a different method of contact. Never use the same one, because if it is an attack, you’ll just be chatting with the big bad wolf.
If you suddenly get an email asking you to sign a performance evaluation, but your boss hadn’t told you to expect it, that’s a red flag.
Sure, your boss might be busy and have forgotten to mention it. So check with them using a different method of contact. If they emailed you, use Teams to message them. Even better, pick up the phone and call them so you can make sure it’s them replying.
Attackers like to use this tactic while pretending to be: An IT support technician, the police, Revenue Canada, and other government officials, a representative of a company you do business with, like your bank. They’ll masquerade as anyone they think you’ll hand over your personal or financial information over to.
No matter how rushed the request might seem, pause, breathe, and look for clues. If they’ve contacted you over voice or chat, don’t be afraid to put an end to the conversation then and there. A legitimate business will understand.
Attackers have the same tools at their disposal as the good guys, including AI.
This lets them easily generate professional looking, error-free content. They can also just easily steal and repurpose anything that’s already publicly available (or that they stole when compromising someone’s account).
Be cautious particularly if you find spelling and grammatical errors.
If you’re a McGill employee, your manager shouldn’t be emailing you from anything but an @mcgill.ca address. Nor will IT Services, HR, or any other McGill unit.
Be on the lookout for any suspicious attachments.
Watch out for links that don’t match official websites. These can be extra tricky to spot - just because it has the company name in it doesn’t mean it’s legitimate. An attacker can easily buy a URL containing the word “mcgill”, for instance.
If it’s in your McGill email - use the Report Message button
All popular email services have report buttons too!
If it’s a non-email scam specifically targeting the McGill community (for example, you spot posters with suspicious links or QR codes around campus), contact the IT Service Desk to report it.
If it’s not McGill related, report it to the Canadian Anti-Fraud Centre.
Financial organizations and companies like Amazon, Apple, Google, Instagram etc. all have ways to directly report users or vendors that are scamming or spoofing them.
Scammers often re-target victims with the promise of recovering money, personal information, or with other scams. It’s a trap that plays on our hopes and fears. If you or someone you know experiences this, do not engage; instead, report the incident as soon as possible.
Phishing
Phishing is designed to cause harm to people and/or organizations. It allows cybercriminals to either profit or gain access to accounts and systems for malicious or illegal purposes. The harm can be quite significant. Some particularly dark and twisted phishing extortion scams involve emails claiming the attacker has been watching you through your webcam and viewed adult activities you engaged in or has been contracted to assassinate you. These phishing scams may seem quite personal, but the emails are sent out en-masse, and should be reported just like any other phishing emails. Pro tip: If you have the option to report a message as phishing, it’s important to use that option only for suspicious emails, and not for email that you know is spam.
Spam
Spam is called junk mail for good reason. Spammers focus on quantity and send out their emails offering products and services to as many people as they possibly can, whether or not they signed up to be part of their mailing list. It’s definitely unwanted, and at worst, results in you receiving even more spam. Pro tip: Never click the Unsubscribe button in a spam email - it lets the spammers know your email account is active. Use the Report Junk button in your email instead!
Cyber Harassment
Sometimes it can be tricky to tell if something is phishing, harassment or bullying targeted at a specific individual. They can overlap. Cyber harassment is targeted at a specific individual or group of individuals. Oftentimes it will be prolonged, repeated, and list alleged grievances or accusations. If you encounter this, depending on who the target and perpetrator is, you’ll need to report it to authorities who can take action to investigate.