Think before you click: Phishing awareness at U of T

Published: October 7, 2025

Our digital future depends on all of us. Phishing is one of the most common cyber threats facing the U of T community. One click can put personal data and university systems at risk. For week two of Cyber Security Awareness Month we’re spotlighting phishing so you can recognize scams, protect your information and help safeguard the U of T community.

What phishing is and why it works

Phishing happens when cybercriminals send messages that try to trick you into sharing sensitive information, such as:

  • Your UTORid username and password.
  • Duo multifactor authentication (MFA) passcodes.
  • Banking or credit card details.
  • Other personal information.

These messages often look legitimate and try to create panic – they might say your account will be closed, your password has expired or you’ve won a prize. The goal is to get you to click a link, open an attachment or log in to a fake website.

Scammers also use current events to make their messages seem legitimate. When stories about data breaches at companies such as Google, Apple or Facebook resurface, attackers pose as tech support and urge you to “secure your account” or “reset your password.” Remember: U of T will never email you asking for your password or Duo passcodes.

What we’re seeing at U of T

Recently, we’ve seen phishing messages offering a “Summer Student Bonus” or saying “Tuition Deposit Due Today.” Visit the Phish Bowl regularly to see examples of real phishing emails targeting the U of T community.

Recognize these scams by watching for messages that:

  • Promise a one-time bonus or reward.
  • Request personal information such as full name, student ID and phone number.
  • Mention Quercus, ACORN or UTORid to sound official.
  • Come from real U of T email addresses that have been compromised, making them appear more trustworthy.

Spot tuition or payment scams when they:

  • Claim your tuition deposit is overdue or due today.
  • Threaten to cancel your registration or admission if you don’t act.
  • Include fake payment instructions or links to a lookalike U of T payment page.
  • Appear to be sent from compromised U of T email accounts.

If you receive one of these messages:

  • Do not reply, click links or open attachments.
  • Do not send money or share personal information.
  • Report the message using the U of T Report Phishing button in Outlook or by forwarding it to report.phishing@utoronto.ca.
  • If you have fallen victim to one of these scams, contact your local help desk and Campus Safety for support.

How to spot a phishing attempt

Watch for these red flags:

  • Urgent or threatening language such as “Act now or lose access to your account.”
  • Requests for sensitive information – U of T will never ask for your password, Duo codes or banking details by email.
  • Offers of prizes or jobs you never applied for.
  • Unexpected invoices, shipping notices or subscriptions.
  • Suspicious attachments or links, especially if you weren’t expecting the message.

Quick expert tips

Andrew Wagg, manager, Incident Response, Information Security, emphasizes:

“Attackers rely on us reacting before thinking. It’s critical to slow down and take a moment to consider whether something coming in by email makes sense. Nothing is so important that you cannot take the time to validate it before acting.

Follow these tips by:

  • Ignoring job offers you didn’t apply for.
  • Watching for messages from or to free Gmail or Outlook accounts.
  • Refusing tuition payment requests by e-transfer.
  • Nothing official should ever come from a student address, such as *@mail.utoronto.ca.”

Stay informed

Phishing emails can be convincing, especially when they come from people you trust. By slowing down, reporting suspicious messages and sharing what you know with classmates and colleagues, you help protect everyone.

Learn more about how to identify and report a phishing attempt.