You Have Just Been Phished by CCS Information Security!

Oops!

The good news is that we are here to help and nobody else needs to know!

Had this been a malicious phishing attempt, your credentials may have been stolen and your computer infected with malware. Based on real-world experience, it takes just one person in an organization being compromised to cause a wide-scale cyber security incident, so we all need to be extra vigilant to protect the University.

What is Phishing?

Phishing is one of the most common methods cyber criminals use to get at your personal information and University data. They lure you into clicking links to malicious content, try to convince you to share identity information (e.g. passwords), or try to infect your system with viruses or other malware.

Why is CCS Information Security Doing This?

This simulated phishing campaign is being run by CCS Information Security as a security education exercise. Our goal is to raise awareness of the dangers of phishing and provide the campus community with useful information and tips on how to avoid phishing in the future. If you provide your credentials to a site other than the University of Guelph's own login page, your username and password could be in the hands of a third party with malicious intent. They could sell that information, or use it to read your email, sign in to University systems, and access University files and applications. In addition, if you have used the same password on your U of G account as on other internet sites, such as online banking or social media, the impact can expand very quickly to include your personal information.

Tips to Avoid Being Phished in the Future

  1. NEVER respond to an email asking you to provide your password or other personal information, even if the message looks legitimate.
  2. DO hover over any links in email messages to see that the address linked matches the text and is a legitimate site. (On mobile devices, tap and hold the link to preview it) 
  3. DO check the website address in your browser after clicking on links and know how to verify the University of Guelph login page (www.uoguelph.ca/ccs/infosec/evcertificates). If you do not recognize the address, don't enter your password or any other personal information.
  4. DON'T open unexpected email attachments as this can lead to a virus infecting your computer.
  5. DO forward any suspicious email messages to IThelp@uoguelph.ca. This will allow us to investigate and share the information with others.
  6. DO take the new security awareness training available to all staff and faculty in Courselink (courselink.uoguelph.ca).
  7. DO read the Information Security blog posts on the topic of phishing (infosec.uoguelph.ca).

How to Tell If a Message is a Phishing Attempt?

Phishing messages can look very convincing and appear to come from a legitimate account, such as the Help Centre. However, there are usually indicators in the email and the associated links that show it is not a legitimate request.

  • Pay close attention to the email address the message was sent from and the reply-to address. On a mobile device, tap and hold the sender address to see the full address.
  • Hover over any links in the message to verify they are directing you to a legitimate site. When viewing the email on the mobile device, tap and hold the link.
  • Cybercriminals tend to use email subjects containing an urgent call to action such as "Account Locked", "Emails Blocked", "Password Expired", or "Account Suspended".
  • Pay special attention to the address bar in the second and third screenshots below. The second screenshot shows a fake login page and the third is the genuine University of Guelph single sign-on page.
  • In the real University of Guelph page, you can see that it is a secure site protected with an Extended Validation certificate owned by the University, whereas the fake page is labeled 'Not Secure'. Note that a padlock or HTTPS on its own does not make a page genuine: many phishing sites use valid certificates, and recent browser versions no longer highlight Extended Validation certificates in the address bar. The hostname in the address bar is what to verify.

Sample phishing message

Fake SSO

Genuine SSO Login Page
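The indicators listed above can also be checked mechanically. The following Python script is an added example, not part of the original page and not a CCS tool: it parses a constructed sample message, compares the From and Reply-To domains, checks the subject for the lure phrases listed above, and flags links whose target host is outside the University's domain or differs from the URL shown in the link text. The trusted domain constant, the two sample messages and the registrable-domain shortcut (last two labels, no public-suffix list) are assumptions made for illustration.

```python
"""Flag common phishing indicators in a raw RFC 5322 email message."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject phrases the awareness page lists as typical lures.
LURE_SUBJECTS = ("account locked", "emails blocked", "password expired", "account suspended")
# Assumption for this example: the organisation's own domain for senders and login pages.
TRUSTED_DOMAIN = "uoguelph.ca"


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(addr):
    """Domain part of an address header such as 'Name <user@host>'; empty if absent."""
    match = re.search(r"@([\w.-]+)", str(addr or ""))
    return registrable_domain(match.group(1)) if match else ""


def url_domain(text):
    """Registrable domain of a URL or bare 'www.' hostname."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return registrable_domain(parsed.hostname or "")


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = domain_of_address(msg["From"])
    reply_to = domain_of_address(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    if sender and sender != TRUSTED_DOMAIN:
        findings.append(f"sender domain {sender} is not {TRUSTED_DOMAIN}")
    subject = str(msg["Subject"] or "").lower()
    for lure in LURE_SUBJECTS:
        if lure in subject:
            findings.append(f"subject contains lure phrase {lure!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = url_domain(href)
            if target != TRUSTED_DOMAIN:
                findings.append(f"link to {target} outside {TRUSTED_DOMAIN}")
            # The "hover over the link" check: displayed URL vs. actual destination.
            if re.match(r"(https?://|www\.)", text) and url_domain(text) != target:
                findings.append(f"link text shows {url_domain(text)} but href goes to {target}")
    return findings


# Constructed sample: spoofed sender, foreign reply-to, lure subject, look-alike link.
SAMPLE_MESSAGE = """\
From: IT Help Centre <ithelp@uoguelph.ca>
Reply-To: support@mail-verify.example
Subject: Account Suspended - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox quota was exceeded. Sign in to restore access:</p>
<a href="https://sso.uoguelph-login.example/auth">https://sso.uoguelph.ca/</a>
</body></html>
"""

# Constructed sample of a benign message for comparison.
CLEAN_MESSAGE = """\
From: IT Help Centre <ithelp@uoguelph.ca>
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://www.uoguelph.ca/ccs/">CCS news</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, phishing_indicators(raw) or ["no indicators found"])
```

A real mail gateway would add SPF/DKIM/DMARC results and a public-suffix list for domain comparison; the script only automates the manual checks described above, and a message that passes it is not proven safe.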

Information Security does not track who has clicked on our simulated phishing links or record any of the data submitted. We will only ever generate consolidated metrics and statistics with no ability to identify individuals. This information will help us shape our security awareness training going forward.

Additional Phishing Awareness Resources

There are many additional resources available to help you learn more about phishing here:

  • CCS Information Security website (infosec.uoguelph.ca) - Our regularly updated site contains a wealth of information on ways to protect yourself from phishing scams and other security threats.
  • Our Recent Scams and Phishing Attempts page (www.uoguelph.ca/ccs/recent-scams-and-phishing-attempts) lists all of the latest phishing scams of which to be aware.
  • Additional information on phishing scams (www.uoguelph.ca/ccs/news/phishing-scams-u-g-what-you-need-know)
  • We share cybersecurity tips on our Computing & Communications (CCS) social media channels: @uofgccs on Twitter, Facebook, and Instagram.
  • The CCS IT Help Centre can always be contacted when you are unsure if a message is safe or not. Call them at 519-824-4120 x 58888 or reach out via email at IThelp@uoguelph.ca. We also provide in-person help at the IT Help Desk on the first floor of McLaughlin Library.

Who Do I Contact With Questions or Concerns?

If you have questions or concerns regarding this simulated phishing campaign, please contact infosec@uoguelph.ca.