University of Calgary

Email phishing

UToday HomeOctober 15, 2012

By Stephanie Weir

On Wednesday, Oct. 10, Information Technologies (IT) discovered an authentic-looking spam email that was distributed campus-wide.

This particular message claimed to be from the University of Calgary, and encouraged recipients to upgrade their mailboxes in order to receive the new spam detection/blocker feature. To complete this upgrade to their email account, users were asked to click on the provided URL and fill in the online form. Emails of this nature are a form of phishing, and are designed to deceive recipients into revealing their confidential security information, such as login and password credentials.

In a computing context, phishing is a form of criminal activity that utilizes social engineering techniques to impersonate a corporation or other trusted institution. The goal of the impersonation is to extract passwords or other sensitive information from the victim, and is typically administered using email or instant messaging programs. The intent of a phishing attack is to ensure the message appears legitimate so as to persuade the victims to either directly respond, or to click on the provided URL.

IT utilizes spam blocking technology which identifies and blocks 85-90 per cent of all inbound email messages. This is more than 99 per cent of the spam directed at University of Calgary staff. However, even with the best spam-blocking technology, some phishing attacks will get through to your inbox.

What can you do to protect yourself from Phishing, Scams & Hoax emails?

Education is the key to successfully eliminating this problem. IT will continue sending out timely information in the form of information security bulletins and awareness campaigns. In addition, here are a few tips to prevent you from getting hooked:

  • DO NOT reply to suspicious emails or instant messages. Trust your instincts – if you think it’s a scam, it probably is. Contact the IT Support Centre (220-5555) for advice
  • NEVER click on links requesting passwords or account info – DELETE immediately
  • NEVER provide passwords, credit card numbers, or any personal information over email. Trustworthy companies, or individuals, will not ask for personal information in an email, nor will they ask you to do something to your computer (i.e. “follow these instructions to remove an infected file”)
  • If you receive an attachment from someone you do not know, or an unexpected attachment from someone you do know, DO NOT open it. Check with the trusted individual to ensure that it is a legitimate attachment.
  • REPORT spam by forwarding suspicious messages to

Remember, IT will NEVER ask for your password, and will NEVER ask you to click on a link to validate your IT Account or other personal information.

For more information on phishing and other information security topics, visit