Identifying and reporting phishing emails
Everyone using the internet is at risk of receiving phishing emails. Whenever you receive email messages, you should always consider whether they are legitimate. Even if they seem plausible, if you have any doubts, take a closer look and be aware of any warning signs. If anything looks suspicious, do not open attachments or reply to the message. These messages may ask you to reply with personal information or direct you to follow a web link to a bogus form that will ask you to enter passwords or other information. Fake emails are called "phishing emails," “…by analogy to a fisher casting a hook to see who bites”. When you put your information into those forms, it is said you have been "phished."
Consequences of getting phished can include the following:
your account could be locked out because your email account is taken over and misused by cybercriminals
the sensitive data from your response to the phishing could be used to steal your identity and set up credit cards in your name
Examples of a suspicious email
offers a prize or benefit of surprising value
tries to panic you and have you respond quickly
comes from an entity you don’t usually have dealings with
encourages you to open attachments or web links rather than containing details in the email itself
contains spelling and grammatical errors; look for these because many phishing attacks are from hackers who are not native English speakers
Primary ways you can avoid getting phished
use an email filter to prevent malicious emails from reaching your Inbox. UWaterloo has such filtering in place to help protect your work email.
be vigilant
hover over links in emails before you click to make sure you're going where you think you are. Hackers will disguise a malicious web link by using different text in the message body.
copy addresses and paste them into the address bar instead of clicking on links in emails to ensure you are going to a legitimate web site
watch for obvious spelling/grammatical mistakes in otherwise official-looking emails
ask a known real person from the source organization if an email is actually genuine
most UWaterloo sites/logins require you to use two-factor authentication (2FA). Consider enrolling in 2FA on non-University of Waterloo sites that you use.
How to report a phishing email
Forward the suspicious email as an attachment to soc@uwaterloo.ca, with the internet headers in the body of the email. More information can be found in this article: How to forward an email as an attachment.
Need Help?
Contact the IST Service Desk online or 519-888-4567 ext. 44357.