Question: What is phish and when should you be suspicious of divulging private information?
Author: Joseph Tam
Date: Nov. 28, 2013
Be skeptical of any request for private information.
As a general rule, don't give out private information unless
you are sure where, and to whom, you are giving it.
This means any private information (passwords, bank PIN, SIN,
etc.) over any communication medium: web form on an unfamiliar
site, telephone conversation with someone you don't know,
The mantra is a great rule of thumb, but lacks the clarity of
concrete actions. This is by no means a comprehensive list, but
it will go a long way toward preventing you from getting fooled:
- Do not give out passwords or any private information by Email.
- Do not give your MathNet password to any web site that does not end with .math.ubc.ca.
Do not give your UBC CWL password to any web site that does not end with .ubc.ca.
(Check what your browser reports the URL as.)
- Do not give private information over the phone unless you know who
the other person is, or if you called them yourself using contact
information you've obtained by independent trustworthy means
(not Google Maps).
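As an added illustration of the URL rule above (example code, not part of the original page), the check below applies the two suffixes from the page on a domain-label boundary, so look-alike hosts are rejected; the credential-to-suffix mapping and the sample links are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# The two suffixes come from the page's rule; the mapping itself is the
# example's own construction.
ALLOWED_SUFFIXES = {
    "MathNet password": ("math.ubc.ca",),
    "UBC CWL password": ("ubc.ca",),
}


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, lower-cased.

    urlsplit() drops any 'user@' prefix, so a lure written as
    https://www.ubc.ca@example.net/ resolves to example.net, not ubc.ca.
    """
    return (urlsplit(url).hostname or "").lower() or None


def host_within(host: str, suffix: str) -> bool:
    """True if host is the suffix itself or a subdomain of it.

    Matching on a label boundary matters: a plain endswith() check would
    wrongly accept 'notubc.ca' for the suffix 'ubc.ca'.
    """
    host, suffix = host.rstrip(".").lower(), suffix.lower()
    return host == suffix or host.endswith("." + suffix)


def may_receive(credential: str, url: str) -> bool:
    """Apply the page's rule: may this URL receive this credential?"""
    host = hostname_of(url)
    if host is None:
        return False
    return any(host_within(host, s) for s in ALLOWED_SUFFIXES[credential])


# Constructed sample links of the kind a lure might carry; none are real.
SAMPLES = [
    ("MathNet password", "https://webmail.math.ubc.ca/login", True),
    ("MathNet password", "https://www.ubc.ca/reset", False),  # .ubc.ca, not .math.ubc.ca
    ("UBC CWL password", "https://cwl.ubc.ca/auth", True),
    ("UBC CWL password", "http://ubc.ca.example.net/", False),  # real domain is example.net
    ("UBC CWL password", "https://notubc.ca/", False),  # endswith() trap
    ("UBC CWL password", "https://www.ubc.ca@example.net/", False),  # user@ trick
]

if __name__ == "__main__":
    for credential, url, expected in SAMPLES:
        verdict = may_receive(credential, url)
        print(f"{'OK' if verdict else 'NO'}  {credential:17} {url}  (expected {expected})")
```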
What is Phish
Phish is a term that refers to fraudulent Email that instructs you to
divulge confidential information such as passwords, PIN numbers, credit
card numbers, or personal identity information like SIN numbers, so that
the sender can impersonate you and take resources that belong to you. Phish
Emails are written by criminals with bad intentions -- don't be a victim.
Examples of Phish
A common example is a message notifying you that your Email account
needs to be reset (e.g. increase storage quota or maintenance or some
other reason), and that you must supply your Email address and password
to continue to use your Email account. They may ask you to reply to an
unfamiliar Email address, or to enter the details into a web form. These
fraudsters are trying to gain control of your Email account to send out more phish.
Another common example, the Nigerian 419 scam, has the sender pose
as a bank or government official requiring your assistance to carry out
a financial transaction. In return, they will cut you in on part of
the proceeds. These senders are trying to exploit you and eventually
take your money.
There are many other examples, but the one thing they have in
common is that they want you to give them information that they can
ultimately use to take something from you. Don't do it -- [repeat the mantra].
Characteristics of Phish
Phish usually share several traits, but even if none of these traits
are present, [repeat the mantra]. Fraudulent Email is evident
by what it tries to make you do, not by what it looks like.
- Generic salutations (e.g. "Dear Sir", "Webmail user").
- Lack of credible contact information (no local phone numbers
or real names) to verify the contents.
- Spelling and grammar mistakes.
- Weird formatting and word usage (e.g. gratuitous upper casing,
inconsistent spacing, etc.).
- Sender/recipient Email address or web URLs that are unfamiliar
or lie totally outside our domain (ubc.ca).
- A tone of urgency (e.g. "Do it now!",
"You may lose Email privileges!").
What should you do when you receive a Phish Email
Receiving the Email is harmless, but you should never respond to,
nor act upon information within, such Email.
Neither the MathNet nor the UBC IT staff will ever ask you for your
password or any other confidential information via Email. If in doubt,
please contact the IT staff using trusted channels (known Email address,
phone number, in person).
If you have responded to Email like this, please contact the IT staff
immediately. Also, it is a good idea to change your password
as soon as you can -- fraudsters only need a few minutes to take
advantage of the information. Then [repeat the mantra] until
you are out of breath.
If you have received what you suspect to be a fraudulent Email,
please forward the entire Email (full headers and body) to the IT staff.
We'll probably respond by asking you to [repeat the mantra].
But before you report it, take a look at our
which has all the samples that have been previously spotted or reported
to us. If you see a copy here, it's not necessary to report it again
to the IT staff.
- Wikipedia entry (Phishing)
- Tutorial Video
- Comedy Phish Skit:
this is a humorous take on phish and spam in general,
but it highlights the observation that if the content
of spam was conveyed in the same analogous method as
in person, you would have no trouble discerning it as