Phishing & Social Engineering

Cybercrime is evolving.
Don't fall victim to modern forms of cyber threats.

What is Phishing? What is Social Engineering?

Cyberscams

Cybercrime is evolving. Cybercriminals are constantly updating their tactics to trick victims into believing that a scam is legitimate.

"Phishing" and "Social Engineering" are two ways that cybercriminals can steal your financial information, open accounts in your name and steal your identity.

The best defence against cybercrime is being able to spot the signs. Knowing what phishing and social engineering looks like can help protect you against these kinds of scams.

Do You Know the Statistics?

1 in 10 Canadians say they've unknowingly replied to phishing messages

22% of data breaches involve social engineering.

x

Phishing

Usually taking the form of an email, text message, social media message or phone call, phishing is a common impersonation tactic that cybercriminals use to steal your personal and financial information. Unlike social engineering that targets a specific individual or corporation, phishing is usually done en masse, sending thousands of messages hoping that at least one of their recipients will take the bait. 

Cybercriminals will impersonate corporations or other trusted institutions, such as banks or government bodies.

What Can a "Phisher" Look Like?

Government Organizations

Phone/Internet providers

Online Stores

Banks

Streaming Services

People You Know (friends, colleagues, employers, etc.)

x

Social Engineering

Social Engineering is conducted by cyber threat "actors" who research and target specific individuals.

These actors will devise a plan to deceive or trick these specific individuals into providing personal and financial information, instead of sending generic messages to thousands of people or attacking devices directly.

What Can a "Social Engineer" Look Like?

Friend

Boss/Employer

Relative

Colleague

Familiar Company

Another Trusted Source

Cyberscams are More Common Than You Think

1 in 99 emails are phishing emails.

98% of cyberattacks rely on social engineering

Phishing: How is it Done?

Initial Email

Criminals (hackers) send out spoof/fake emails to thousands of random email addresses using urgent or threatening language to trick you into responding to their requests for sensitive information.

Embedded Links

These emails often have embedded links that will direct you to fake login pages that ask you to update your account information and/or demand your financial information. 

Recorded Information

Recorded information is then used to gain access to your account. If you use the same password in multiple locations, then multiple accounts can be compromised. The result can be fraudulent emails being sent from your account, cybercriminals gaining access to your computer files and/or your private information, and your identity being stolen. 

Communications Security Establishment

Social Engineering: How is it Done?

Research

A cybercriminal does research on search engines and social media to learn more about you or your company. 

Initial Message

They send you a message that appears to be from a friend, a colleague, a relative,  your boss or a familiar company.

Data Breach

They then trick you into sending sensitive information like your financial data, passwords and/or credit card numbers.

Canadian Centre for Cyber Security

Spot the Red Flags

Watch for the following signs of scams and fraudulent messages.

They are usually followed by a request for personal information, for you to click a link or attachment, or for you to make a money transfer.

Remember: UCalgary, governing bodies and law enforcement agencies will never use messaging or emails to request sensitive information.

Urgent or Threatening Language

  • Pressure to respond quickly.
  • Threats to close your accounts or take legal action against you.
  • Telling you there's a warrant out for your arrest. 

Suspicious Attachments

  • You're the winner of a contest you didn't enter.
  • You have to click on a link to receive your prize or learn more information. 
  • You've received an inheritance from a long-lost relative. 

Unprofessional Design

  • Incorrect or blurry logos.
  • Image-only emails with no highlightable text. 
  • Company emails with little, poor or no formatting. 

Unexpected Emails

  • Receipts for items you didn't purchase. 
  • Updates on deliveries for items you didn't order. 
  • Attachments you didn't ask for.
x

IT Service & Support

  • IT uses spam-blocking technology which identifies and blocks 85-90% of all inbound email messages.
  • This works out to include 99% of the spam directed at University of Calgary faculty and staff.
  • Unfortunately, even with the best spam-blocking technology, some spam will get through to your inbox.

    This is why it's important to educate yourself on cybersecurity best practices for staying cybersafe

Visit UCalgary IT

Will IT ever ask for my password?

NO. UCalgary will never directly ask you for any personal information or passwords. Anyone who asks for any personal information, by phone or email, claiming to be IT, is phishing for your information!

If you're still suspicious, please contact IT at reportphishing@ucalgary.ca or 403.210.9300 for advice.

How to Spot & Report Phishing

Safety Tips

  • DON'T take technical advice by phone, email or messaging from anyone claiming to be from Microsoft or Apple.
  • DON'T click on links in an email claiming to bring you to a secure site.
  • DON'T provide passwords, credit cards or any personal information in an email. Trustworthy companies, or individuals, will not ask for personal information via email nor will they ask you to do something to your computer. 
  • DO report phishing scams. If it is an email to your ucalgary.ca account, forward the message through your junk mail tool or forward it as an attachment to reportphishing@ucalgary.ca
  • DO regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
  • DO contact the organization by using a telephone number from a credible source like an independent search or from a bill (never from the suspicious email or text).
Learn more