Avoid email fraud


What is email fraud?

Email fraud can take many forms, such as requests for help, bogus offers, or requests for personal data. Messages requesting personal data are typically referred to as phishing scams and can come from sources that appear legitimate, for instance, a bank or a trusted institution such as U of T. They attempt to get you to divulge personal information, such as user names, passwords, and banking information. They succeed if you respond to the emails or log into a website that imitates a legitimate website. They often try to instill a sense of urgency by telling you that your account will be deactivated or that some other limiting measure will be taken.

What effect does it have?

If you are the victim of such an attack, confidential material in that account is subject to unauthorized access. It is also common for compromised accounts to be used to send unsolicited emails to others who may fall victim because they trust messages coming from those accounts. When many accounts from the University are compromised, other institutions may block all email messages coming from U of T in order to protect their own clients.

How can I recognize and avoid phishing scams?

U of T and other legitimate organizations will NEVER send requests for passwords or other personal information via email. If you receive a message requesting your user name or password to any accounts, DO NOT provide it. If the message provides a link to a website, DO NOT click on it. Instead, you should delete these messages.

If you have clicked on a link in a suspicious message, look closely at the URL and make sure you recognize it before continuing. The example below shows how misleading addresses can be formatted:

[Image: Misleading address example. Credit: Microsoft Corporation]

If you have provided your login information to such a request, change your password immediately and send a request for help through ESC (http://uoft.me/esc).

What can you do to help?

Report it! See our instructions on reporting fraudulent websites or forms you are directed to in phishing emails.

Also, see our instructions on reporting a suspected phishing email.

What U of T is doing to help

U of T’s Weblogin page and UTORid management page have added security. The Weblogin page uses an Extended Validation (EV) server certificate, which provides a higher degree of assurance than other certificates.

For further information on this subject, please consult the following websites:

Related articles

Secure U of T advanced threat protections: Overview

Secure U of T advanced threat protections: Anti-phishing protection

Block an email sender in Outlook

Create a rule to filter unwanted spam from your inbox on Outlook Web Access (OWA)