Pre-Quiz: Test Your Knowledge
Before learning more about phishing, take a quick quiz to see how well you can recognize phishing attempts.
What is Phishing?
Phishing is a form of cyber attack where malicious individuals impersonate legitimate entities to deceive individuals into revealing sensitive information, such as usernames, passwords, or credit card details. This practice is prevalent across various platforms, including emails, websites, and SMS messages, and poses significant risks to all users, especially students and international audiences who may be less familiar with local digital security threats.
According to the Cybersecurity & Infrastructure Security Agency (CISA), phishing attempts have increased by over 65% in the last few years.
Common Phishing Techniques
- Deceptive Emails (Email Phishing): Attackers send emails that appear to originate from trusted organizations, such as educational institutions, banks, or service providers. These emails often prompt recipients to click on malicious links or download harmful attachments, leading to credential theft or malware installation.
- Spoofed Websites: Phishers create counterfeit websites that closely mimic legitimate ones. Unsuspecting users may enter personal information into these fake sites, inadvertently providing attackers with access to sensitive data.
- Fraudulent SMS Messages (Smishing): This involves sending deceptive text messages that appear to come from reputable sources, urging recipients to click on malicious links or disclose personal information.
- Voice Phishing (Vishing): Attackers make phone calls pretending to be from legitimate organizations, such as banks or government agencies, to extract personal information from individuals.
- Social Media Deception: Fraudsters use social media platforms to impersonate friends, family, or organizations, sending messages that contain malicious links or requests for personal information.
What are Scams?
Scams encompass a broader range of fraudulent schemes designed to deceive individuals into providing money, personal information, or other valuables. These schemes often exploit the trust and naivety of individuals, presenting false promises or threats to elicit the desired response.
Common Scams Targeting Students
- Employment Scams: Fraudsters post fake job listings or send unsolicited job offers, enticing students with attractive salaries for minimal work. Victims may be asked to pay upfront fees for training or equipment, or provide personal information that can be used for identity theft.
- Accommodation Scams: Scammers advertise non-existent or unavailable rental properties at attractive rates. Students are persuaded to send deposits or personal information before viewing the property, leading to financial loss and potential identity theft.
- Online Purchase Frauds: Students may encounter counterfeit or non-delivered goods when shopping online from unverified sources, resulting in financial loss and compromised personal information.
- Scholarship and Grant Scams: Fraudulent entities offer guaranteed scholarships or grants in exchange for an upfront fee, resulting in financial loss and compromised information.
- Support Scams: Scammers pose as tech support representatives, claiming the student's device is compromised and requesting remote access or payment for unnecessary services.
Why It Matters
Understanding and recognizing phishing and scam tactics are crucial for students to protect themselves from financial loss, identity theft, and other adverse consequences.
Potential Consequences
- Financial Loss: Victims may lose money through fraudulent transactions, upfront fees for fake services, or unauthorized use of their financial information.
- Identity Theft: Personal information obtained through scams can be used to create fake identities, access existing accounts, or commit other fraudulent activities in the victim's name.
- Academic and Professional Repercussions: Falling victim to scams can lead to compromised academic records, loss of educational opportunities, and damage to professional reputation.
- Emotional Distress: The stress and anxiety resulting from being scammed can affect mental health and overall well-being.
Recognizing Phishing Attempts
Cybercriminals use phishing tactics to deceive individuals into providing sensitive information, but these attacks often include subtle clues that can help you identify them. By knowing the red flags, you can protect yourself from falling victim to these scams.
Red Flags to Look Out For
Phishing emails, messages, and websites often share common characteristics that can help you recognize them. Here are the key warning signs:
1. Suspicious Email Addresses
Attackers often use email addresses that look similar to official ones but contain slight alterations.
- Legitimate: support@university.edu
- Phishing Attempt: support.univeristy@gmail.com
What to Look For:
- Official organizations won’t use free email services like @gmail.com, @yahoo.com, or @outlook.com.
- Attackers may use misspelled domain names (e.g., support@univeristy.edu instead of support@university.edu).
- Hover over the sender’s email to reveal the real address—attackers can spoof display names to appear legitimate.
2. Spelling and Grammar Mistakes
Professional organizations rarely send out emails with poor grammar or spelling errors.
- Phishing Attempt: "Dear costumer, your account has been locked due to suspicious activty. Pleese verify your credentials immediately!"
- Legitimate Email: "Dear customer, we detected unusual activity on your account. If this was not you, please reset your password using the link below."
What to Look For:
- Typos and grammatical errors in subject lines or body text.
- Unnatural phrasing or missing words.
- Random capitalizations or formatting inconsistencies.
3. Urgent Language or Threats
Phishing emails frequently use fear-based tactics to pressure victims into acting quickly before they have time to think critically.
- "Your account has been compromised! Immediate action required!"
- "Failure to respond within 24 hours will result in account suspension."
- "Confirm your billing details now, or your service will be interrupted."
What to Look For:
- Emails pressuring you to act immediately.
- Threats of negative consequences.
- Emotional manipulation.
4. Requests for Personal or Financial Information
Legitimate companies and institutions will not request your login credentials, Social Security number, banking details, or credit card information via email, text, or phone call.
"Dear User, Due to recent suspicious activity, we require you to confirm your account details. Please click the link below and enter your banking information to verify your identity. Failure to do so will result in account suspension."
What to Look For:
- Requests for passwords, PINs, or security codes.
- Links to enter credit card or Social Security numbers.
- Unexpected attachments.
Phishing Examples
Example 1: A Fake University Email
📧 Subject: "URGENT: Your Student Portal Access is About to Expire!"
Sender: admin@univeristy-support.com (Note the misspelling in "university")
🚩 Red Flags in This Email:
- Misspelled domain name → univeristy-support.com instead of university.edu
- Urgent language → "Your access is about to expire!"
- Clickbait-style CTA → "Click the link below to prevent deactivation"
- Fake link → http://university-verify.com (not the official portal)
Example 2: Fake Banking Notification
📧 Subject: "Your Scotiabank Account Has Been Locked. Immediate Action Required!"
Sender: security@scotiabank-secure.com
🚩 Red Flags in This Email:
- Fake sender address → scotiabank-secure.com (Real Scotiabank emails come from @scotiabank.com).
- Threatening language → "Your account has been locked due to suspicious activity."
- Suspicious link → "Click here to verify your account" (link actually leads to a phishing site).
- Request for credentials → A real bank **will never** ask for your login details via email.
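The sender-address red flags from "Suspicious Email Addresses" and from the two examples above can also be checked automatically. The following is an added sketch, not part of the original module; the allow-list of official domains, the flag names and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allow-list of domains the real organisations send from (taken from this page).
OFFICIAL_DOMAINS = {"university.edu", "scotiabank.com", "canada.ca"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}
BRANDS = sorted(d.split(".")[0] for d in OFFICIAL_DOMAINS)  # canada, scotiabank, university


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap ("si" -> "is") as a single edit."""
    # First row and column hold the distance from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def check_sender(from_header: str) -> list[str]:
    """Return the red flags raised by a From: header; an empty list means none."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if domain in OFFICIAL_DOMAINS:
        return []
    flags = ["free-mail"] if domain in FREE_MAIL else []
    # Scan the display name, local part and domain, so a brand name placed
    # anywhere in front of an unofficial domain is caught (display-name spoofing).
    text = f"{display} {local} {domain}".lower()
    for tok in dict.fromkeys(t for t in re.split(r"[^a-z0-9]+", text) if t):
        for brand in BRANDS:
            if tok == brand:
                flags.append(f"brand-outside-official-domain:{brand}")
            elif osa_distance(tok, brand) <= 2:  # assumed threshold; too loose for short names
                flags.append(f"lookalike:{tok}~{brand}")
    return flags


# Sample headers: the addresses are the page's examples, the display name is constructed.
SAMPLES = ["support@university.edu", "support.univeristy@gmail.com",
           "admin@univeristy-support.com",
           "Scotiabank Security <security@scotiabank-secure.com>"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no flags")
```

A clean result only means the address passed these three checks; the From: header itself can be forged, so the other red flags in this module still apply.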
How to Stay Safe from Phishing and Scams
Identifying Legitimate Communications
Phishing emails often look real, but following these steps can help you verify whether an email, text, or call is legitimate:
- Go to the official website manually: Instead of clicking links in an email, type the organization's website address into your browser.
- Check the sender’s email address carefully: Official emails will always come from a verified domain (e.g., @canada.ca, @scotiabank.com).
- Look for grammar and spelling mistakes: Government agencies and banks don’t send emails with poor wording or typos.
- Call the organization directly: If you receive a suspicious message, contact the company using the official number listed on their website.
Using Technology to Stay Safe
Technology can provide extra layers of security. Here’s how you can protect yourself:
- Password Managers: Use a trusted password manager to generate and store unique, secure passwords for every site.
- Multi-Factor Authentication (MFA): Enable MFA on your email, banking, and student accounts. This requires a second step (e.g., SMS code, authenticator app) before logging in.
- Secure Your Devices: Keep your software and antivirus up to date to protect against malware and security breaches.
Avoiding Common Scams
Students, especially international students, are often targeted with scams. Here’s how to avoid them:
🏠 Rental Scams
- Never send money before seeing a place in person: Scammers post fake listings and demand deposits before providing details.
- Use trusted rental websites: Avoid deals that seem too good to be true.
- Verify the landlord: Search the landlord’s name and phone number online before signing anything.
💼 Job Scams
- Be wary of unsolicited job offers: If you didn’t apply for a job, it's likely a scam.
- Never pay for training or application fees: Legitimate employers won’t ask for money upfront.
- Research the company: Look for official websites, LinkedIn profiles, and online reviews.
💰 Financial Fraud
- Beware of unexpected messages about "overpayments": Scammers may claim they accidentally sent you extra money and ask you to return it.
- Be cautious with money transfers: Once you send money via e-transfer, it’s often impossible to get it back.
🌎 Immigration and International Student Scams
- Fake Universities: Some fraudulent institutions target international students with fake admissions offers.
- Government Impersonation Scams: Scammers pretend to be from Immigration Canada (IRCC) and demand immediate payments for "visa issues." The real IRCC will never ask for personal information via email or phone.
- Verify with the official website: Always check Canada’s official immigration website.
Online Safety Review
- Verify Email Senders: Always double-check the sender’s address before clicking on links.
- Hover Over Links: Inspect links before clicking to ensure they lead to legitimate websites.
- Use Multi-Factor Authentication: This adds an extra layer of security in case your credentials are compromised.
- Report Suspicious Emails: If you receive a phishing email, report it to your IT team or email provider.
Post-Quiz: Assess Your Learning
Now that you've completed the phishing awareness module, test your knowledge again.