Archives - Information Technology Services, Ӱԭ University

Cyber Month 2022: Where, Why and How Phishing Happens

Published: Thu, 06 Oct 2022 13:06:48 +0000

October is Cyber Security Awareness Month! Watch this page for helpful tips and tricks, and enrol in our through Brightspace now to learn more about how to stay cyber secure!

Students! This is your chance to win a pair of AirPods or one of two Ravens swag packs during the Cyber Security Awareness Month contest.

What is Phishing?

Phishing is a deceptive kind of cyber-attack used by scammers masquerading as credible sources. Their goal is to mislead victims into clicking a malicious link, which can then download malware onto their computer, allowing criminals to hijack their account and steal confidential information. Such personal information can then be used to steal money from victims by accessing their credit cards and bank accounts.

What are the Various Kinds of Phishing?

Phishing can take many forms including some of the following:

Email phishing: The most commonly used and known kind of phishing is email phishing. The culprits that send these malevolent emails usually claim to be members of respected organizations. Said emails frequently contain urgent warnings of an account being compromised and state that to recover the lost account, the receiver must click on a suspicious looking link to enter their credentials. Email phishing attempts are easier to recognize due to a number of unusual clues that you can learn about by reading our post on What to Do If You Get Phished.

Quishing: Quishing is a new form of phishing that has become more prominent since the start of the pandemic. Scammers have taken advantage of “quick response” (QR) codes becoming a more prevalent method of processing data to commit their crimes. Quishing involves cybercriminals sending fake or altered QR codes instead of links. When scanned, victims are sent to malicious websites where their sensitive information may be stolen.

Spear phishing: Most phishing attempts are imprecise attacks sent out to a widespread audience with the goal of catching as many victims as possible. But spear phishing attacks, a kind of attack pinpointed to a select target, are more precise. In order to catch their prey, these attacks are personalized to the individual, with messages containing distinct information about their target’s interests, family members, friends, experiences, and online activity. Spear phishing is less commonly encountered, as extensive research about targets must be done to execute the attack.

Whaling: Whaling is an even more specific kind of spear phishing attack that narrows its focus towards someone of high influence, such as the CEO of a company. Because of their high standing, these targets often have greater access to libraries of rich, confidential information. In order to accomplish such a feat, cybercriminals often pose as senior members of the organization, making it increasingly difficult for subordinates to deny a request from someone they believe to be of great importance.

SMiShing: Cybercriminals perform SMiShing attacks using Short Message Service (SMS) to create fake profiles disguised as family members needing financial aid, or service providers claiming something is wrong with their accounts. The goal of these scammers is to gain the trust of their targets so that the targets reveal their sensitive information, which can be leveraged for money.

Vishing: Similar to SMiShing, vishing—short for voice phishing—is an over-the-phone scam involving the impersonation of a trustworthy person or service provider (colleague, technical support person, etc.) to fool their victims into revealing sensitive information.

New Trends in Phishing

Social Engineering:

Social engineers are not computer experts who hack into systems to steal information. Instead, they are professional manipulators who exploit their victims’ innate desire to help people in order to deceive them into giving up their own confidential information. While normal email phishing campaigns can be more easily prevented using AI security measures, no technology can defend against social engineering.

To these kinds of criminals, sensitive information is gold. Personal and financial information such as confidential business files, user IDs and passwords, as well as bank account and credit card info can grant them access to an organization’s network and enable them to commit fraud.

To defend against these attacks, remember that vigilance is key. Be careful about who you trust online and use your best judgement before passing along any of your information.

WhatsApp:

WhatsApp is a popular messaging app that offers a fast and easy way for families and friends to chat online. Unfortunately, it is also becoming an increasingly common place for cybercriminals to operate. Now that people are generally more aware of email phishing scams, cybercriminals are adapting their tactics towards instant communication methods like text messaging and WhatsApp. According to the , there has been a 2,000 per cent increase in WhatsApp scams in the past year.

Some of the methods cybercriminals are using on WhatsApp to deceive victims include:

  • Impersonating loved ones in need of money
  • Sending malicious links that could lead to malware infections
  • Compromising an account and then prompting the victim with a verification code to complete the login

Stay Cyber Secure Year Round

Cyber security doesn’t end after October, so watch the ITS web site and for information about new campaigns, tips and tricks as they become available.

If you have any questions, please contact ITS Security.

Thank you in advance for your participation!

Text on image reads: Where, Why and How it Happens. Fight Phishing.

Cyber Month 2022: What to Do If You Get Phished!

Published: Mon, 03 Oct 2022 15:24:44 +0000

October is Cyber Security Awareness Month! Enrol in our through Brightspace to learn more about staying safe online, and for a chance to win a pair of AirPods or Ravens merch.

What is phishing?

Phishing is a cyberattack that leverages fraudulent emails, SMS texts, and phone calls to deploy malicious software to your device or to solicit sensitive information from you. These phishing attacks can be effective as the communication appears to be from a reputable institution, organization, or person.

How do you identify a phishing attack?

Always remember to look out for something that might be off or unusual; being cautious goes a long way. An email, SMS text, or phone call might be phishy if:

  • You notice a lot of spelling and grammar errors
  • The email or SMS text uses a generic greeting instead of addressing you
  • The email address has very subtle misspellings of legitimate domain names (e.g., example@gnnail.com instead of example@gmail.com)
  • The sender claims to be affiliated with a reputable organization but their email is sent from a public email domain (e.g., example@gmail.com, example@hotmail.com, example@yahoo.com)
  • The email appears to be sent to a long list of people instead of just you
  • The subject line is in all caps
  • The caller’s voice has a robotic tone or unnatural rhythm to their speech
  • The call has poor audio quality
  • You don’t recognize the sender’s name, email address, or phone number
  • The offer sounds too good to be true
  • The sender or caller requests payment (e.g., Bitcoin, e-transfer, cheques, gift cards, etc.)
  • The sender or caller requests your personal or confidential information
  • There is an urgent call for action (e.g., “download this now to claim your free car”, “click on the link below to prevent closure of your account”)

How can you tell if you have been phished?

If you have recently engaged with a suspicious email, text message, or phone call, you can check for signs of a compromised device and account to determine if you have been phished.

Compromised device: If you have downloaded attachments, or clicked on links from a potential phishing attack, you might have unknowingly infected your device with malware. Your device might be compromised if:

  • Your computer slows down, crashes, or displays repeated error messages
  • System settings have been changed without your input
  • You experience frequent pop-up windows
  • You observe browser plugins, add-ons, or toolbars that you didn’t install
  • Your internet searches are redirected to unwanted websites
  • There are changes to your home page
  • Your web camera light is on, even when you’re not using it for video calls or recordings
  • Your cursor starts moving by itself
  • Confidential data has been leaked

Compromised account: If you have provided sensitive information in response to a potential phishing attack, this data can be used to access your personal accounts (e.g., social media, email, online banking). Your account might be compromised if:

  • You receive a notification alerting you of a login attempt
  • You discover your password doesn’t work anymore
  • Your friends and family are receiving emails or messages that you didn’t send
  • Different IP addresses show up on your activity log
  • There are unfamiliar transactions on your bank or credit card statements
  • Confidential data has been leaked

What should you do if you have been phished?

Once you suspect that you have been phished, the first course of action is to submit a ticket to the ITS Service Desk using any of the methods listed on Ӱԭ.ca/its/contact.

Our Information Security professionals may recommend the following measures:


Text on image reads: You got phished, here's what to do next. Fight phishing!

Cyber Security Month 2022 is Here!

Published: Mon, 03 Oct 2022 15:24:04 +0000

Students! This is your chance to win a pair of AirPods or one of two Ravens swag packs during the Cyber Security Month contest.

Cyber Security Month is back this October! It’s a chance to educate citizens about how to stay safe and cyber aware while they work and live online.

This year’s theme is Fight Phishing: Ruin a Cyber Criminal’s Day! Phishing is an attack where a scammer calls you, texts or emails you, or uses social media to trick you into clicking a malicious link, downloading malware, or sharing sensitive information.

Watch this ITS website and on Twitter for new posts each week throughout October to learn how to stay cybersecure. Follow along on social media using #CyberMonth2022.

Curious about how Ӱԭ is fighting phishing? In the past year, ITS has rolled out a number of initiatives to fight phishing at Ӱԭ, including:

Security Awareness Courses

In 2021, we launched our through Brightspace, and in partnership with, to teach the community how to stay cyber secure. Students, faculty and staff are invited to enrol in a series of modules that are short, digestible and, most importantly, informative. Topics include phishing, ransomware, Wi-Fi security, social engineering, risky USB devices and much more.

As part of the campaign, all staff, faculty, and students are encouraged to for the course. Keep in mind that, after clicking the link above, you’ll need to log in with your MyӰԭOne (MC1) password before enrolling.

Advanced Protection Tool of Microsoft Defender

AI-based email protections for students that help us quickly identify phishing and spam, along with the introduction of for all faculty and staff to defend against phishing, spoofing, spam, and impersonation, while ensuring the safety of attachments and links

Report Phishing Button

Part of the problem with phishing is knowing how many attempts are coming in, and how they seek to rope in victims. The “Report Phishing” button allows users to easily report phishing emails, providing our Information Security professionals the information they need to prevent future attempts. Users no longer need to manually forward email messages or attachments to the Service Desk to report a phishing message. They can simply click the Report Phishing button on a phishing email, and we’ll do the rest.
And, as we report, the tech behind the Report Phishing button is very cool.

Phishing Simulations

Education is a key element in the fight against phishing, because everyone plays a role in identifying and reporting phishing attempts. In 2021, we launched a Simulated Phishing Initiative in which the community began receiving safe and simulated phishing emails, automatically generated by our systems, to help faculty, staff and students better recognize what a phishing email might look like. There is still much to do in the fight against phishing, but these simulations are a strong start.


Text on image reads: Fight phishing, ruin a cyber criminals day. #CyberMonth2022

Students: Stay Safe Online by Watching for Our Simulated Phishing Emails

Published: Tue, 21 Dec 2021 21:24:13 +0000

This January, Ӱԭ students will begin receiving safe and simulated phishing emails, automatically generated by our systems, to help them better recognize what a phishing email might look like. These emails will be modelled after real-life emails that have arrived in Ӱԭ email inboxes in the past. If a student clicks on a link in the email, they will be taken to an informational page outlining ways to stay safe online. This page will be hosted on a Ӱԭ site and will encourage students to sign up for our Security Awareness Course, .

Students, including those who click on links in the simulated phishing emails, are not being evaluated as part of this initiative. This initiative is for informational and educational purposes only, and students who click on simulated phishing links will only be encouraged to learn more about how to stay safe online.

Enrol in our through Brightspace now to learn more about how to stay cyber secure!

CSAM 2021: Stay safe online by watching for our simulated phishing emails

Published: Fri, 08 Oct 2021 18:24:12 +0000

Enrol in our through Brightspace now to learn more about how to stay cyber secure!


Phishing is a cyber crime that uses tactics like deceptive emails, websites, and text messages to steal confidential information from individuals or organizations. Cyber criminals use stolen information like addresses, names, and social insurance numbers to apply for credit cards or loans, open bank accounts, and commit other fraudulent activity.

During Cyber Security Awareness Month, the Ӱԭ community will begin receiving safe and simulated phishing emails, automatically generated by our systems, to help faculty, staff and students better recognize what a phishing email might look like. These emails will be modelled after real-life emails that have arrived in Ӱԭ email inboxes in the past. If a user clicks on a link in the email, they will be taken to an informational page outlining ways to stay safe online. This page will be hosted on a Ӱԭ site and will encourage viewers to sign up for the security awareness courses mentioned above.

Importantly, participants, including those who click on links in the simulated phishing emails, are not being evaluated. This initiative is for informational and educational purposes only, and those who click on simulated phishing links will only be encouraged to learn more about how to stay safe online.

A graphic with the words Cyber Security Awareness Month 2021, a mouse pointer arrow and a lock. Phishing campaign poster.

Learn more about phishing

Interested in learning more? Read our informational page and learn how to use our Report Phishing button.


CSAM 2021 is here! Enrol for our new Security Awareness Course now

Published: Fri, 01 Oct 2021 18:05:00 +0000

Did you know that Cyber Security Awareness Month (CSAM) takes place each October? It’s a chance to educate citizens about how to stay safe and cyber aware while they work and live online. This year, Ӱԭ is marking the occasion by launching its new, which is open to members of the Ӱԭ community now!

The course is divided into a series of modules that are short, digestible and, most importantly, informative. Topics include:

  • Phishing
  • Ransomware
  • Wi-Fi Security
  • Social Engineering
  • Risky USB devices
  • And much more!

As part of the campaign, all staff, faculty, and students are encouraged to for the course. Keep in mind that, after clicking the link above, you’ll need to log in with your MyӰԭOne (MC1) password before enrolling.

A graphic with the words Cyber Security Awareness Month 2021, a mouse pointer arrow and a lock

Simulated Phishing Email Campaign

During the month, the Ӱԭ community will also begin receiving safe and simulated phishing emails, automatically generated by our systems, to help faculty, staff and students better recognize what a phishing email might look like. These emails will be modelled after real-life emails that have arrived in Ӱԭ email inboxes in the past. If a user clicks on a link in the email, they will be taken to an informational page outlining ways to stay safe from phishing attempts. This page will be hosted on a Ӱԭ site and will encourage viewers to sign up for the security awareness courses mentioned above.

Importantly, participants, including those who click on links in the simulated phishing emails, are not being evaluated. This initiative is for informational and educational purposes only, and those who click on simulated phishing links will only be encouraged to learn more about phishing.


Beware of Employment Offer scam emails circulating on campus

Published: Thu, 30 Sep 2021 18:31:12 +0000

Please beware that there is currently an employment scam email targeting students and staff circulating throughout the Ӱԭ community.

These scams typically offer jobs as personal assistants, secret shoppers or marketers. They may request that you visit a website or send an email to apply for a job. The messages may be masquerading as offering employment through or from the university. These are attempts at obtaining personal information (e.g., name and address, social insurance number, banking info). They may also ask you to cash cheques or request that you purchase items for them such as gift cards or Bitcoin.

DO NOT provide any personal information, send a reply, nor interact with the sender in any way.

Recent examples of this scam include messages with subject lines such as:

Vacant Position
WORK FROM HOME
Seeking a part time Administrative Assistant
ACT NOW
Part-time work offer
Running personal errands
Personal Assistant
* Ӱԭ University
Ӱԭ University Employment Offer For Staff and Students
Part-time work offer for current staff/students
PERSONAL ASSISTANT NEEDED
GOOD DEY
JOB OPPORTUNITY!!!
Job Offer

How can you tell if an email or online post is a scam?

  • Appears to come from someone at the University but has an [External Email] tag
  • Requires a fee to apply for a job or asks you to send money, Bitcoin, gift cards, cheques, etc.
  • Requests your password or directs you to a webform asking for your password
  • Has an immediate action such as “download this now” or “click on the link below”
  • Tries to invoke an emotional response to get you to take an action without thinking
  • Is filled with spelling and grammatical errors

See an example of Employment Offer below:

For more information on phishing emails, visit the ITS Information Security Phishing website.

For more information on scams and how to protect yourself, visit the .

If you suspect you may be a victim of this type of scam, please contact Campus Safety Services immediately.

Account closure and job scam phishing emails circulating on campus

Published: Mon, 13 Sep 2021 18:16:41 +0000

Please be aware there are currently account closure and job scam phishing emails circulating through the Ӱԭ community.

The messages may:

  • Indicate a university-related account or access to a university service will be disabled, terminated, or closed unless you submit information or log in to a website to keep the account active.
  • Offer jobs as personal assistants, secret shoppers or marketers. They may request that you visit a website or send an email to apply for a job.
  • Have subject lines such as: We Received A Request From You, You have got an urgent message, ACT NOW, JOB VACANCY, JOB OFFER, WORK AT YOUR CONVENIENCE

Report phishing button now available on Outlook

Published: Tue, 06 Jul 2021 17:06:33 +0000

ITS has added a new feature to Outlook mail.

The “Report Phishing” button allows you to easily report phishing emails. You no longer need to manually forward email messages or attachments to the Service Desk or to phishing@carleton.ca to report a phishing message.

By using the button to report phishing attempts, you will be helping the security team to better identify dangerous attacks in order to protect your personal information and University data.

If enough people report a phishing attempt, machine learning will automatically block it – even after hours.

For more information, please visit the Report Phishing help page.

Beware of account closure and job scam phishing emails circulating on campus

Published: Tue, 01 Jun 2021 17:45:23 +0000

Please beware that there are currently account closure and job scam phishing emails circulating through the Ӱԭ community.

The messages may:

  • Indicate that a university-related account or access to a university service will be disabled, terminated, or closed unless you submit information or log in to a website to keep the account active.
  • Offer jobs as personal assistants, secret shoppers, or marketers. They may request that you visit a website or send an email to apply for a job.
  • Have subject lines such as: We Received A Request From You, Terminate your Office365 Email, GET A PART-TIME JOB, Campus Announcements – Student and Staff Part-time Employment

DO NOT provide any personal information, send a reply, nor interact with the sender in any way.

If you have clicked on a link or submitted any information through one of these emails, please change your password immediately. If you require assistance, please contact the ITS Service Desk at 613-520-3700.

Examples of Recent Phishing Email Messages

Account Closure Phishing Email Example

example of account closure phishing email

Job Scam Phishing Email Example

example of job scam phishing email

Please visit our IT security web page for more tips on protecting yourself online.