Don't get "phished"

Scammers are getting smarter

- November 5, 2013

An example of a phishing email designed to look like it came from Dalhousie.
An example of a phishing email designed to look like it came from Dalhousie.

Pop quiz: “Phishing” is:

a) A typo for “fishing”
b) Travelling to attend concerts from your favourite jam band
c) A criminal activity carried out by fraudsters attempting to obtain sensitive information such as passwords and credit card details

The answer, of course, is c.

Phishing, sadly, is a reality of Internet life in the 21st century. Each of us can recall countless mysterious emails, tweets or websites inviting us to reply, click or offer up our password. And we think we know what to do about them: don’t reply, don’t click, delete.

But Dal’s information security manager says it’s more important than ever to be diligent about phishing — because the phishers are getting smarter.

“This new generation of scammers aren’t sending emails about fake inheritances or that sort of old-fashioned trick,” explains John Bullock with Dal Information Technology Services. “Instead, they’re building emails that look like they’re coming from your bank, your government — or your university.”

Never give out your password


Bullock says it’s difficult to pin down exact volumes when it comes to scam emails, but generally ITS has seen an increase in recent years in the number of scam emails purporting to be from “Dalhousie.” To make it seem like they’re coming from the actual university, the emails can use images of the university or phrases like “MyDal” or “Help Desk.” Some pull factual details from Dal’s Wikipedia page to seem more real.

One sure-fire way to know that these emails are fake is that many ask for your password.

Dalhousie will never ask for your password by email, nor will any reputable organization,” says Bullock.

But not all phishes have such a clear “tell” that gives them away. That’s why Bullock advises never to click links in any email that you weren’t expecting, or links that give you even the slightest suspicion. And just because you recognize the sender doesn’t always mean its safe: “from” and “reply-to” fields can be faked, and phishers do research so the message resonates with their intended victim.

“’Better safe than sorry’ is always the best approach, whether it’s an email, a mysterious tweet or something else,” says Bullock. “If you’re at all suspicious, either delete the message, visit the official website manually in your web browser and navigate down from there, or pick up the phone and call or text the person or office who sent it.”

Protecting your information


The consequences of getting phished through your Dal account are serious, both for you and for the university. Your email account and passwords could be used for fraud or illegal activity, or your computer could be attacked with “drive-by-download” software that allows others to use it. On Dalhousie’s end, the more @dal.ca accounts are used for phishing scams, the greater the risk that the university domain could be “blacklisted” by other companies and email service providers, preventing Dal email from reaching them.

“Getting caught in a phishing scam affects you, your friends and colleagues and the entire Dal community,” says Bullock. “That’s why constant vigilance is so necessary.”

Avoiding phishing

  • Delete requests for your password
  • Don’t click links or open attachments in unexpected email
  • Be suspicious of any requests for financial information
  • Do not fill out forms embedded in email messages
  • Keep your web browser and plug-ins up-to-date
  • Avoid clicking links in private messages on social media sites that you were not expecting
  • If you think you have been phished, here’s how you can learn what to do about it.