UBC Mathematics: MathNet FAQ [Phish/Fraud Email]

Question: What is phish and when should you be suspicious of divulging private information?
Author: Joseph Tam
Date: 2018-01-26

The Mantra

Be skeptical of any request for private information.

As a general rule, don't give out private information unless you are sure where, and to whom, you are giving it. This applies to any private information (passwords, bank PIN, SIN, etc.) over any communication medium: Email, an unfamiliar web site form, telephone, etc.

Practical Rules

The mantra is a great rule of thumb, but lacks the clarity of concrete rules. This is by no means a comprehensive list, but it will go a long way toward keeping your account safe:

  • Do not give out passwords, nor any private information, by Email.
  • Do not give your MathNet password to any web site that does not end with .math.ubc.ca. Do not give your UBC CWL password to any web site that does not end with .ubc.ca. (Check what your browser reports the URL as.)
  • Do not give private information over the phone unless you know who the other person is, or by using contact information you've obtained by independent, trustworthy means (not Google Maps).

What is phish?

Phish is a term for fraudulent Email instructing you to divulge confidential information, such as passwords, PINs, credit card numbers, or personal identity data (e.g. date of birth), so that the sender can impersonate you and steal resources that belong to you. Phish Emails are written by criminals -- don't be a victim. Don't underestimate how damaging losing control over your Email or identity is.

Examples of phish

You can see samples of phish reported to us in our PhishTank.

A common example is an Email notifying you that there is a problem with your Email account (e.g. out of storage, needs maintenance, upgrade, etc.) and asking for your Email address and password to fix it. The message may ask for this information by reply Email, or by entering it into a web form outside our domain (math.ubc.ca). These fraudsters are trying to gain control of your MathNet account, to send more spam or for other nefarious purposes.

Another common type is the 419 scam, where the sender poses as a bank or government official, or some other person who requires your assistance to carry out a financial transaction. In return, they will pay you a fee or commission. They may even offer payment in the form of a cheque deposit, but written for an amount that will require some form of reimbursement from you. In reality, it's all an elaborate ruse to take your money.

There are many other examples, but the one thing they have in common is that they want you to give them information that they can use to take something from you. Don't do it -- [repeat the mantra].

Common characteristics of phish

Phish usually have some or all of these superficial traits, but you should not use these traits as the sole determination of whether a message is genuine. Fraudulent Email is recognized by what it tries to make you do, not by what it looks like -- [repeat the mantra].

  • Generic salutations (e.g. "Dear Sir", "Webmail user") that display no knowledge of who you are.
  • Lack of credible contact information (no local phone numbers or real names) to verify assertions in the message.
  • Spelling and grammar mistakes.
  • Weird formatting and word usage (e.g. gratuitous upper casing, inconsistent spacing, etc.).
  • Unfamiliar sender/recipient Email addresses, differing From/Reply-To Email addresses, or web URLs outside our domain (math.ubc.ca).
  • A tone of urgency (e.g. "Do it now!", "You may lose Email privileges!").
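The two checks above that can be made mechanical are the domain rule from "Practical Rules" (only hand a MathNet password to a site whose address ends with .math.ubc.ca, a CWL password only to .ubc.ca) and the From/Reply-To and outside-URL traits in this list. The script below is an added example, not MathNet tooling, and it runs over two constructed messages; the trusted suffixes come from this FAQ, while the urgency phrases, salutation list, example domains (mail-fix.example) and URLs are made up for the demonstration. The hostname check parses the URL rather than searching for the text ".ubc.ca", because a substring test is satisfied by addresses whose host merely contains that text. As the FAQ says, the trait list is advisory: the decisive sign is that the message asks for a password.

```python
"""Phish-indicator checks over constructed email messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the FAQ permits a MathNet / CWL password to be entered on.
TRUSTED_SUFFIXES = ("math.ubc.ca", "ubc.ca")
# Constructed lists for the demonstration; extend with local experience.
URGENCY_PHRASES = ("do it now", "lose email privileges", "will be suspended")
GENERIC_SALUTATIONS = ("dear sir", "dear user", "webmail user", "dear customer")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_trusted(url, suffixes=TRUSTED_SUFFIXES):
    """True only if the URL's hostname is a trusted domain or a subdomain of one.

    The hostname is taken from the parsed URL, so a trusted name appearing
    elsewhere in the URL (in the path, in a query string, or before an '@')
    does not count. A bare name without a scheme has no hostname: not trusted.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def domain_of(header_value):
    """Lower-cased domain of an address header value ('' if there is none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phish_indicators(raw_message):
    """Return the FAQ's superficial traits found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    found = []

    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        found.append("Reply-To domain (%s) differs from From domain (%s)"
                     % (reply_domain, from_domain))
    if from_domain and not host_is_trusted("http://" + from_domain):
        found.append("sender domain %s is outside our domain" % from_domain)

    # Collect the text/plain body, whether the message is single- or multipart.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")
    lowered = body.lower()

    first_line = lowered.strip().splitlines()[0] if lowered.strip() else ""
    if any(g in first_line for g in GENERIC_SALUTATIONS):
        found.append("generic salutation: %r" % first_line.strip())
    urgent = [p for p in URGENCY_PHRASES if p in lowered]
    if urgent:
        found.append("urgency wording: " + ", ".join(urgent))
    external = [u for u in URL_RE.findall(body) if not host_is_trusted(u)]
    if external:
        found.append("links outside our domain: " + ", ".join(external))
    if "password" in lowered:
        found.append("asks for a password (the decisive sign)")
    return found


# Constructed sample messages; the domains and URLs are fictitious.
SAMPLE_PHISH = """\
From: "Webmail Support" <support@math.ubc.ca>
Reply-To: helpdesk@mail-fix.example
To: user@math.ubc.ca
Subject: Your mailbox is over quota

Dear Webmail user,

Your account will be suspended. Do it now! Confirm your password at
http://math.ubc.ca.mail-fix.example/login or you may lose Email privileges.
"""

SAMPLE_LEGIT = """\
From: MathNet IT <it@math.ubc.ca>
To: user@math.ubc.ca
Subject: Scheduled maintenance

Hi Alice,

The mail server will be rebooted Saturday at 08:00. Details are at
https://www.math.ubc.ca/example-notice (constructed URL). No action is needed.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "->", phish_indicators(sample) or ["no indicators"])
```

Running the script flags five traits on the constructed phish (the Reply-To mismatch, the generic salutation, the urgency wording, the link whose host only begins with math.ubc.ca, and the password request) and nothing on the maintenance notice. The spoofed From address passes the domain test, which is exactly why the FAQ tells you to judge a message by what it asks for rather than by its headers.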

What should you do when you receive a Phish Email?

Receiving phish messages is harmless, but you should not respond to them, and never act upon any instructions within them (e.g. visiting a linked web page).

Neither MathNet nor University IT staff will ever ask you for your password, nor any confidential information via Email. If in doubt, please contact the IT staff using trusted channels (known Email address, phone number, in person).

If you have received fraudulent Email (or doubt its veracity), please forward the entire Email (full headers and body) to the IT staff. Take a look at our PhishTank first to make sure it hasn't been reported before.

What should you do if you have been victimized?

If you have responded to Email or any communication method that was, in hindsight, suspicious or fraudulent, please go through this list of remedial actions. Speed is important -- fraudsters only need a few minutes to take advantage of information you've provided.

  • If you have divulged your MathNet password, change your password as soon as you can. Contact the MathNet IT staff immediately. If you use the same password elsewhere, it would be prudent to change those as well.
  • If you have given away financial information that can be used to commit identity fraud, contact your financial institutions, such as your bank or credit card company, to make them aware of the situation.
  • [Optional] This is not time critical, but you can report fraud to the Canadian Anti-Fraud Centre. It won't help you immediately, but it may help someone else, and maybe even eventually help catch these creeps.
  • Lastly, [repeat the mantra] until you are out of breath.

More information

  • Wikipedia entry (Phishing)
  • Tutorial Video
  • Comedy Phish Skit: this is a humorous take on phish and spam in general, but it highlights the observation that if the content of spam were delivered to you in person, you would have no trouble discerning it as fraudulent.