Overview
WHAT IS PHISHING?
Phishing is a type of online attack in which an attacker — using both technological and psychological tactics — sends one or more individuals an unsolicited email, social media post, or instant message designed to trick the recipient into revealing sensitive information or downloading malware.
Phishing attacks can be generic or customized, and can target both individuals and entire organizations. Attacks that target a specific individual or organization are commonly referred to as spear phishing attacks.
The main goal of a phishing attack is to get the individual to do something that compromises the security of their system and/or potentially their organization. To stop attackers achieving this, when you receive a suspicious email:
- DO NOT open email attachments that contain malware
- DO NOT click on a link that leads to a fake website or page that installs malware
- DO NOT enter user names and passwords or other sensitive information on a fake website
- DO NOT reply to phishing emails with confidential information such as login credentials
If you do fall victim to a phishing scam, do not be embarrassed. Report any and all suspicious email messages to is-spam@mcmaster.ca.
If you have opened any suspicious emails, links or attachments please report it to the UTS Service Desk.
Information Box Group
Training Complete the Phishing Module
Complete the McMaster UTS Phishing Course on Avenue to Learn:
- Log into Avenue to Learn
- Navigate to the UTS Phishing Course via the link below
How to Recognize Phishing Messages
Phishing messages can range from very basic to highly sophisticated. Common “red flags” or indicators include:
- Suspicious sender or reply-to address: always treat messages from unknown or unfamiliar senders or accounts with extra caution.
- Unexpected message: messages from recognized senders that are unrelated to normal communications or job responsibilities can signal an account has been compromised or is fake.
- Suspicious attachment: messages with unexpected or unusual attachments can contain malware.
- Suspicious link: messages that encourage recipients to click and follow embedded hyperlinks may point to websites unrelated to the message and under the control of the attackers.
- Poor spelling: spelling and grammar errors may indicate a phishing attack since legitimate organizations typically avoid these mistakes in their communications.
How to Protect Against Phishing Attacks
Adopting the following best practices can minimize the chances of falling for a phishing attack:
- Filter incoming messages: ensure that your IT systems screen incoming messages to reduce spam and other unwanted content. “Anti-spoofing” controls can verify the authenticity of senders and make it difficult for attackers to hit their target.
- Install malware detection and filters: your IT systems should automatically block or quarantine messages that contain viruses, ransomware or other malicious code. Use software that prevents, detects, and removes malware and performs real-time scans.
- Keep browsers and other software up to date: malicious attachments and malware often exploit security vulnerabilities made possible by outdated browsers and other software. Ensure that your IT staff regularly update all software and operating systems if it is not possible to set up automatic updates.
- Lock down workstations: hackers can exploit computers that allow software to be installed and settings to be configured by individual users. Restrict or disable administrative rights for normal users and limit the number of computers or accounts with high-level privileges or access to sensitive information. Individuals with high-level privileges should not share accounts or use them for non-work purposes.
- Require employees to use unique, complex passwords: the reuse of stolen passwords is a major phishing threat. Stronger authentication methods, such as one-time password tokens, cryptographic credentials, or biometric traits should be required for system administrators, users that handle sensitive information, and users with remote access to corporate resources.
- Identify external messages: you can detect phishing messages more easily if all external messages are clearly labeled as coming from outside the organization with a prominent message.
- Segment networks that contain sensitive data from other networks. You can limit the impact of compromised computers and accounts by restricting their access to other networks or systems. For example, public-facing webmail servers should be isolated from intranet systems or human resources databases.
- Use threat intelligence and endpoint protection tools. Advanced tools can detect, and in some cases, prevent attackers from gaining a foothold inside your network by flagging unusual patterns of system behaviour, such as irregular login attempts and large file downloads.
- Enable encryption on documents, devices, and databases that contain sensitive information, by default, to provide an extra layer of defence against unauthorized access, use, and disclosure by attackers.
- Conduct regular phishing awareness and training. Send simulated phishing attacks to employees to test their awareness and knowledge of how to respond. Routine tests raise awareness of security issues and help identify employees who need additional training.
- Enable users to report phishing and to request help. Organizations benefit from real-time feedback from employees on phishing threats
- Verify the sender by carefully examining the “From” address, which should be consistent with the display name and the context of the message. For example, an email message claiming to be from a bank should not have an “xbox.com” address domain (the domain is everything after the @). Some phishing attacks use a sender’s email address that is similar to, but not the same as, an organization’s official email address. An example would be “omtario.ca” instead of “ontario.ca.”
- Do not provide usernames, passwords, or other access codes in response to an email request or unsolicited popup windows. Legitimate organizations never ask for this information via email and only collect it through their official websites or applications. When in doubt, follow up with the sender by phone.
- Do not open suspicious file attachments. If you receive an unexpected attachment, contact the sender (preferably by phone) to confirm that the attachment is legitimate. If you cannot confirm its legitimacy, report the attachment to your IT department, or delete it.
- Never click on suspicious links. Hover your mouse over parts of the message without clicking on anything. If the underlying hyperlink looks strange or does not match what the link description says, do not click on it — report it. Note that images can also contain suspicious links.
- Do not respond to suspicious or unwanted messages. Attackers benefit from learning more about potential targets. For example, asking to have an email address removed from a malicious party’s mailing list confirms that email is active, potentially leading to additional attacks. Downloading missing images confirms that the message was viewed. The best practice is to flag the message as spam or delete it.
- Report suspicious messages. When you receive a suspicious message, and especially if you click on questionable links or attachments, notify your IT department immediately.
- Make it easy for all your employees to report suspected phishing messages, and to request and get help in case of a possible attack. Employees are often the last line of defence against phishing attacks. Awareness and training can and does improve security.
Phish Bowl
Below you will find examples of recent phishing attempts at McMaster University.
If you do fall victim to a phishing scam, do not be embarrassed. Report any and all suspicious email messages to is-spam@mcmaster.ca.
If you have opened any suspicious emails, links or attachments please report it to the UTS Service Desk.
Learn about different types of phishing and how to identify them by clicking on the link below.
Information Box Group
Grand Piano Phishing 2024
Phish Bowl
November 21, 2024
Phishing Email: 2024 Payroll Notification
Phish Bowl
October 30, 2024
September 30, 2024
Phishing Email: McMaster ITS
Phish Bowl
September 16, 2024
Phishing Email: Funding & Investment Loans
Phish Bowl
August 15, 2024
Phishing Email: McMaster Career Service
Phish Bowl
July 9, 2024
Phishing Email: (ACTION REQUIRED) For {Name}
Phish Bowl
May 13, 2024
Phishing Email: RFP-1255-32 {Name} 02 {Name}
Phish Bowl
April 26, 2024
Phishing Email: I Recorded You!
Phish Bowl
April 23, 2024
Phishing Campaign involving LastPass
Phish Bowl
April 23, 2024
April 1, 2024
March 13, 2024
March 6, 2024
February 6, 2024
February 6, 2024
Phishing Email: Virtual Assistant Needed
Phish Bowl
January 31, 2024
January 24, 2024
January 11, 2024
Phishing Email: confirmation email
Phish Bowl
December 4, 2023
Spoof Email: About Piano
Phish Bowl
December 1, 2023
Spoof Email: Final Grant Announcement
Phish Bowl
December 1, 2023
Phishing Email: One Message!
Phish Bowl
November 20, 2023
November 20, 2023
November 2, 2023
November 2, 2023
Phishing Email: Document shared with you: "STAFF FACULTY AGENDA(SOB) OCTOBER 9 2023.docx"
Phish Bowl
October 12, 2023
Phishing: Webmail Admin Login – New Message
Phish Bowl
October 5, 2023
September 22, 2023
Spoof Email: Employment Opportunity
Phish Bowl
September 8, 2023
Spoof/Phishing Email: ISSofBC Fresh Job
Phish Bowl
August 30, 2023
August 14, 2023
Phishing Email: Mainenance Notice [email] Password Report Today August 1 2023 at 10:16:06 AM
Phish Bowl
August 14, 2023
Social Engineering over Teams
Phish Bowl
August 3, 2023
Phishing Email: Action Required!
Phish Bowl
July 31, 2023
July 13, 2023
July 13, 2023
July 4, 2023
June 20, 2023
Phishing Email: VIRTUAL PA JOB (REMOTE)
Phish Bowl
June 8, 2023
June 8, 2023
Phishing Email: 42 market research
Phish Bowl
May 30, 2023
Phishing Email: ExpiredPassword
Phish Bowl
May 29, 2023
Spoof Email: You have an outstanding payment
Phish Bowl
May 19, 2023
May 19, 2023
May 10, 2023
Spoof Email: JOB OFFER
Phish Bowl
May 2, 2023
April 27, 2023
Phishing Email: Mailbox Full Case 10318093
Phish Bowl
April 24, 2023
Spoof Email: Earn $500 Weekly
Phish Bowl
April 11, 2023
April 5, 2023
Spoof Email: REQUEST
Phish Bowl
March 30, 2023
Spoof Email: CME, Registration
Phish Bowl
February 8, 2023
February 5, 2023
December 14, 2022