Phishing 101: How to identify and report a phishing attempt

Published: July 14, 2025

A woman carefully reviews a potentially fraudulent message on her mobile phone.

Phishing scams are getting smarter. Do you know how to protect yourself — and the university?

Cyber criminals are using artificial intelligence (AI) to craft more convincing phishing emails, fake phone calls (“vishing,” short for voice phishing) and even deepfake videos. These scams are designed to trick you into sharing personal information, clicking malicious links or downloading harmful files.

The good news is that staying safe doesn’t require technical expertise. With a few simple habits — like spotting common red flags and reporting suspicious messages – you can help safeguard your information and support a more secure U of T community.

See what phishers are sending

Visit the Phish Bowl regularly to see examples of real phishing emails targeting the U of T community.

Common phishing red flags

While phishing scams are getting harder to detect — especially as AI makes them more polished — many still include telltale signs. Here’s what to watch for:

  • 1
    Urgent or threatening language
    Phishing emails often create a false sense of urgency; for example, claiming that your account will be closed unless you act immediately, or that your credentials have been compromised.
  • 2
    Requests for sensitive information
    U of T will never ask you to share your UTORid password, Duo multi-factor authentication passcodes or banking details over email.
  • 3
    Too-good-to-be-true offers
    Lottery winnings? Grants you didn’t apply for? Inheritances from long-lost relatives? If it sounds too good to be true — it probably isn’t legitimate.
  • 4
    Unexpected emails
    Watch for messages about purchases, deliveries or subscriptions you didn’t initiate. These often include fake links or attachments meant to install malware (malicious software).
  • 5
    Suspicious attachments or links
    Don’t open attachments or click links unless you’re sure they’re safe — especially if you weren’t expecting the email.

Think you’ve been phished? Here’s what to do

  • Don’t engage
    Don’t click links, open attachments, reply or forward the email.
  • Report it
    Click the U of T Report Phishing button in Outlook or forward the message to report.phishing@utoronto.ca. Then delete it.
  • If you clicked something suspicious
    Contact your local IT support right away.
Icon for report phishing

Where to find the U of T Report Phishing button

Look for the button in the toolbar.
Outlook toolbar with the UofT Report Phishing button located at the right-hand side highlighted.

Click the ellipsis (… menu) in the email window to access the button.

If you don’t see it, you may need to manually add it to your toolbar.

Related articles

Guidance on international travel for university activities

July 14, 2025
A traveller using her mobile device at the airport.

Safeguarding your data while travelling

April 25, 2025
Using safe password to protect your computer system.

Craft strong passwords to protect your information

February 14, 2025