Frequently Asked Questions
UBC Mathematics: MathNet FAQ [Phish/Fraud Email]

Question: What is phish, and why should you never divulge private information over Email?
Author: Joseph Tam
Date: May 21, 2013

The Mantra

Never give out your password or any private information by Email.

(More generally, don't give out private information unless you are sure where, and to whom, it is going. This includes entering information into a web form on a site you are unfamiliar with, giving it over the telephone to someone unknown to you or who cannot prove their identity, or using any communication medium on which you are unable to confirm the identity of the other party.)

Always be skeptical of any request for private information.

What is Phish

Phish is a term that refers to fraudulent Email that instructs you to divulge confidential information such as passwords, PIN numbers, credit card numbers, or personal identity information like SIN numbers, so that the sender can impersonate you and take resources that belong to you. Phish Emails are written by criminals with bad intentions -- don't be a victim.

Examples of Phish

A common example is a message notifying you that your Email account needs to be reset (e.g. to increase your storage quota, for maintenance, or for some other reason), and that you must supply your Email address and password to continue using your Email account. They may ask you to reply to an unfamiliar Email address, or to enter the information into a web form. These fraudsters are trying to gain control of your Email account to send out more phish or spam.

Another common example, the Nigerian 419 scam, has the sender pose as a bank or government official requiring your assistance to carry out a financial transaction. In return, they will cut you in on part of the proceeds. These senders are trying to exploit you and eventually take your money.

There are many other examples, but the one thing they have in common is that they want you to give them information that they can ultimately use to take something from you. Don't do it -- [repeat the mantra].

Characteristics of Phish

Phish usually share several traits, but even if none of these traits are present, [repeat the mantra]. Fraudulent Email is recognized by what it tries to make you do, not by what it looks like.

  1. Generic salutations (e.g. "Dear Sir", "Webmail user").
  2. Lack of credible contact information (no local phone numbers or real names) to verify the contents.
  3. Spelling and grammatical mistakes.
  4. Format weirdness (e.g. gratuitous upper casing, inconsistent spacing, etc.).
  5. Sender/recipient Email address or web URLs that are unfamiliar or lie totally outside the campus domain (ubc.ca).
  6. A tone of urgency (e.g. "Do it now!", "You may lose Email privileges!").
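As an added illustration (not part of the original FAQ and not a MathNet tool), the Python script below applies the checklist above to a constructed sample of the quota-reset phish described earlier, looking at the real sender and Reply-To addresses, the domains of any links, and the salutation, credential-request and urgency wording. The campus domain ubc.ca comes from this page; the phrase lists and the sample addresses (example.net/example.org) are assumptions, and a message that trips none of the checks can still be phish.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

CAMPUS_DOMAIN = "ubc.ca"  # from the FAQ; anything outside it is flagged
GENERIC_SALUTATIONS = ("dear sir", "dear user", "dear customer", "webmail user")
URGENCY_PHRASES = ("do it now", "immediately", "lose email privileges", "will be suspended")
CREDENTIAL_WORDS = re.compile(r"\b(password|pin|credit card|sin number)\b")

def outside_campus(domain: str) -> bool:
    """True when a host is neither ubc.ca nor one of its subdomains."""
    domain = domain.lower()
    return not (domain == CAMPUS_DOMAIN or domain.endswith("." + CAMPUS_DOMAIN))

def address_domain(header_value) -> str:
    """Domain of the real address in From/Reply-To, ignoring the display name."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def phish_traits(raw_message: str) -> list[str]:
    """Apply the FAQ checklist to one raw message; heuristic, so an empty list proves nothing."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content().lower() if part else ""
    found = []
    if any(s in text for s in GENERIC_SALUTATIONS):
        found.append("generic salutation")
    if CREDENTIAL_WORDS.search(text):
        found.append("asks for a password or other confidential information")
    if any(p in text for p in URGENCY_PHRASES):
        found.append("tone of urgency")
    for header in ("From", "Reply-To"):  # Reply-To is where a reply actually goes
        dom = address_domain(msg[header])
        if dom and outside_campus(dom):
            found.append(f"{header} address outside {CAMPUS_DOMAIN}: {dom}")
    for host in re.findall(r"https?://([^/\s>\"']+)", text):  # link targets in the body
        if outside_campus(host.split(":")[0]):
            found.append(f"URL outside {CAMPUS_DOMAIN}: {host}")
    return found

# Constructed sample (assumed addresses) modelled on the quota-reset phish described above.
SAMPLE = """\
From: "UBC Webmail Support" <support@webmail-quota.example.net>
Reply-To: upgrade-desk@free-mail.example.org
Subject: Mailbox quota exceeded

Dear Webmail user,

Your mailbox is over quota and will be suspended. Reply with your Email
address and password immediately, or visit http://webmail-quota.example.net/reset
"""
```

Run `phish_traits(SAMPLE)` to get the list of matched traits; a genuine notice from a ubc.ca address with no links and no request for credentials yields an empty list.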

What should you do when you receive a Phish Email

Receiving the Email is harmless, but you should never respond to such Email.

Neither the MathNet staff nor the UBC IT staff will ever ask you for your password or any other confidential information by Email. If in doubt, please contact the IT staff using trusted channels (known Email address, phone number, in person).

If you have responded to Email like this, please contact the IT staff immediately. Also, it is a good idea to change your password as soon as you can -- fraudsters only need a few minutes to take advantage of the information. Then [repeat the mantra] until you are out of breath.

Phish Tank

If you have received what you suspect to be a fraudulent Email, please forward the entire Email (full headers and body) to the IT staff. We'll probably respond by asking you to [repeat the mantra].

But before you report it, take a look at our Phish Tank, which has all the samples that have been previously spotted or reported to us. If you see a copy there, it's not necessary to report it again to the IT staff.

More information

  • Wikipedia entry (Phishing)
  • Tutorial Video
  • Comedy Phish Skit: this is a humorous take on phish and spam in general, but it highlights the observation that if the content of spam were delivered to you in person in the same way, you would have no trouble discerning it as fraudulent.