Frequently Asked Questions
UBC Mathematics: MathNet FAQ [Phish/Fraud Email]
Question: What is phish and when should you be suspicious of divulging private information?
Author: Joseph Tam
Date: Nov. 28, 2013

The Mantra

Be skeptical of any request for private information.

As a general rule, don't give out private information unless you are sure where, and to whom, you are giving it. This applies to any private information (passwords, bank PIN, SIN, etc.) over any communication medium: a web form on an unfamiliar site, a telephone conversation with someone you don't know, Email, etc.

Practical Rules

The mantra is a great rule of thumb, but lacks the clarity of concrete actions. This is by no means a comprehensive list, but it will go a long way toward preventing you from getting fooled:

  • Do not give out passwords or any private information by Email.
  • Do not give your MathNet password to any web site that does not end with .math.ubc.ca. Do not give your UBC CWL password to any web site that does not end with .ubc.ca. (Check the URL your browser actually reports in its address bar, not the link text shown in the message.)
  • Do not give private information over the phone unless you know who the other person is, or you called them yourself using contact information you obtained by independent, trustworthy means (not Google Maps).

What is Phish

Phish is a term for fraudulent Email that instructs you to divulge confidential information, such as passwords, PINs, credit card numbers, or personal identity data like your date of birth, so that the sender can impersonate you and take resources that belong to you. Phish Emails are written by criminals with bad intentions -- don't fall victim.

Examples of Phish

A common example is an Email notifying you that there is a problem with your Email account (e.g. out of storage, needs maintenance, upgrade, etc.) and advising you to supply your Email address and password to fix it. They might ask for this information by reply Email, or by having you enter it into a web form. These fraudsters are trying to gain control of your Email account, so that they can send out more spam or gain further access to your private data.

Another common example is the 419 scam, where the sender poses as a bank, government or wealthy official who requires your assistance to carry out a financial transaction. In return, they will pay you a fee or commission, but in reality it's an elaborate ruse to take your money.

There are many other examples, but the one thing they have in common is that they want you to give them information that they can use to take something from you. Don't do it -- [repeat the mantra].

Characteristics of Phish

Phish usually has some or all of these superficial traits, but you should not use these traits as the sole determination of whether a message is genuine. Fraudulent Email is evident by what it tries to make you do, not by what it looks like -- [repeat the mantra].

  1. Generic salutations (e.g. "Dear Sir", "Webmail user") that display no real knowledge of who you are.
  2. Lack of credible contact information (no local phone numbers or real names) to verify assertions in the message.
  3. Spelling and grammar mistakes.
  4. Weird formatting and word usage (e.g. gratuitous upper casing, inconsistent spacing, etc.).
  5. Unfamiliar sender or recipient Email addresses, or web URLs outside our domain (math.ubc.ca).
  6. A tone of urgency (e.g. "Do it now!", "You may lose Email privileges!").
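The following script is an added example, not part of this FAQ and not a MathNet tool. It applies the "web site must end with .math.ubc.ca / .ubc.ca" rule from the Practical Rules above to the hostname the browser would actually connect to (not to the raw link text), and then looks for the superficial traits listed above in a constructed Email message. The trusted-domain list, the salutation and urgency phrase lists, and the two sample messages are assumptions made for illustration.

```python
# Added example, not part of the MathNet FAQ. Domain names, phrase lists and the
# sample messages below are constructed for illustration.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlsplit

# "Practical Rules": a site is acceptable only if its hostname ends with one of
# these domains. The comparison must respect the label boundary (".ubc.ca") so
# that look-alikes such as "www.ubc.ca.example" or "ubc.ca-login.example" fail.
TRUSTED_DOMAINS = ("math.ubc.ca", "ubc.ca")
OWN_DOMAIN = "math.ubc.ca"

# "Characteristics of Phish" traits, as assumed phrase lists.
GENERIC_SALUTATIONS = ("dear sir", "dear user", "dear customer", "webmail user")
URGENCY_PHRASES = ("do it now", "immediately", "lose email privileges",
                   "will be suspended", "within 24 hours")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is `domain` itself or a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def url_is_trusted(url: str) -> bool:
    """Apply the domain rule to the parsed hostname, which is what the browser
    reports in its address bar; user-info tricks like 'ubc.ca@other' are parsed
    away by urlsplit rather than matched as text."""
    host = urlsplit(url).hostname or ""
    return any(host_in_domain(host, d) for d in TRUSTED_DOMAINS)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address ('' if it cannot be parsed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess(raw_message: str) -> dict:
    """Report which of the FAQ's traits a plain-text RFC 822 message shows."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    if not host_in_domain(sender_domain(msg), OWN_DOMAIN):
        findings.append("sender outside " + OWN_DOMAIN)
    urls = [u.rstrip(".,)") for u in URL_RE.findall(body)]
    untrusted = [u for u in urls if not url_is_trusted(u)]
    if untrusted:
        findings.append("link outside trusted domains")
    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgent tone")
    if re.search(r"\bpassword\b", text):
        findings.append("asks for a password")
    return {"findings": findings, "untrusted_urls": untrusted}


# Constructed sample messages (not real phish samples from the Phish Tank).
SAMPLE_PHISH = """From: "Webmail Support" <support@mail-admin.example>
To: user@math.ubc.ca
Subject: Your mailbox is over quota

Dear Webmail user,

Your account will be suspended. Confirm your Email address and password at
http://www.ubc.ca.webmail-upgrade.example/login immediately.
"""

SAMPLE_LEGIT = """From: "MathNet IT" <mathnet@math.ubc.ca>
To: user@math.ubc.ca
Subject: Scheduled maintenance on Saturday

Hi Alex,

The mail server will be restarted on Saturday at 07:00; no action is needed.
Details: https://www.math.ubc.ca/
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(raw))
```

Note that the hostname check is the only part of this that is not "superficial": a message from a math.ubc.ca sender with no urgent wording can still be fraudulent, and the script reports traits, not a verdict. The mantra still applies to whatever it does not flag.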

What should you do when you receive a Phish Email

Receiving phish is harmless in itself, but you should never respond to it, nor act on any information in it (e.g. visit a web page it links to).

Neither the MathNet IT staff nor the University campus IT staff will ever ask you for your password, or for any other confidential information, via Email. If in doubt, please contact the IT staff using trusted channels (a known Email address, phone number, or in person).

If you have responded to Email like this, please contact the MathNet IT staff immediately. It is also a good idea to change your password -- fraudsters only need a few minutes to take advantage of the information. Then [repeat the mantra] until you are out of breath.

Phish Tank

If you have received what you suspect to be a fraudulent Email, please forward the entire Email (full headers and body) to the IT staff. We'll probably ask you to [repeat the mantra].

But before you report it, take a look at our Phish Tank, which has all the samples that have been previously spotted or reported to us. If you see a copy there, it's not necessary to report it again.

More information

  • Wikipedia entry (Phishing)
  • Tutorial Video
  • Comedy Phish Skit: this is a humorous take on phish and spam in general, but it highlights the observation that if the content of spam were delivered to you the same way in person, you would have no trouble recognising it as fraudulent.