Identifying and reporting phishing emails

Owned by Barb Yantha
Last updated: Mar 21, 2023 by Rohan Raghavan
2 min read

Everyone using the internet is at risk of receiving phishing emails. Whenever you receive email messages, you should always consider whether they are legitimate.  Even if they seem plausible, if you have any doubts, take a closer look and be aware of any warning signs.  If anything looks suspicious, do not open attachments or reply to the message. These messages may ask you to reply with personal information or direct you to follow a web link to a bogus form that will ask you to enter passwords or other information. Fake emails are called "phishing emails, “…by analogy to a fisher casting a hook to see who bites”. When you put your information into those forms, it is said you have been "phished."

Consequences of getting phished can include the following:

  • your account could be locked out because your email account is taken over and misused by cybercriminals

  • the sensitive data from your response to the phishing could be used to steal your identity and set up credit cards in your name

Examples of a suspicious email

  • offer a prize or benefit of surprising value

  • tries to panic you and have you respond quickly

  • comes from an entity you don’t usually have dealings with

  • encourages you to open attachments or web links rather than containing details in email itself

  • look for spelling and grammatical errors because many phishing attacks are from hackers who are not native English speakers.

Primary ways you can avoid getting phished

  • use an email filter to prevent malicious emails from reaching your Inbox. UWaterloo has such filtering in place to help protect your work email.

  • be vigilant

    • hover over links in emails before you click to make sure you're going where you think you are. Hackers will disguise a malicious web link by using different text in the message body.

    • copy addresses and paste them into the address bar instead of clicking on links in emails to ensure you are going to a legitimate web site

    • watch for obvious spelling/grammatical mistakes in otherwise official-looking emails

    • ask a known real person from the source organization if an email is actually genuine

  • most UWaterloo sites/logins require you to use Two-factor authentication (2FA). Consider enrolling in 2FA in non-University of Waterloo sites that you use.

How to report a phishing email

Forward the suspicious email as an attachment to soc@uwaterloo.ca, with the internet headers in the body of the email. More information can be found in this article https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/42583719946

Need Help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.

Article feedback

If you’d like to share any feedback about this article, please let us know.