Frequently Asked Question

Recognizing Phishing Emails
Last Updated a year ago

Phishing is the act of impersonating an authority you trust, and it is becoming a major security concern for organizations of all kinds around the world.

The impersonated authority is often your bank, the CRA, your IT team, Human Resources, or Finance.

It can come via email, text message, or even a phone call.

Attackers are most often trying to obtain your password, but they are sometimes interested in other sensitive details like your credit card or valid PO numbers.

  1. Treat every e-mail as suspicious - Here are some indicators to look for.
    1. Use common sense. If it was not an e-mail you were expecting, there’s a good chance it might not be legitimate.
    2. Check the contents of the e-mail. Strange grammar is indicative of malicious e-mail. Unusually formal salutations are another red flag.
    3. Check the sender and recipient addresses, but be aware that it is possible for these to be faked. Phishing emails will often originate from public domains like Gmail, Yahoo, or Hotmail.
    4. A sense of urgency is common. Attackers do this to get you to skip over common sense. As an example, your account will never be deleted 5 minutes after a notification email. Slow down and take a moment to look closer.
    5. Attachments that are behind a link or at any point ask for a password are very suspicious.

  2. Avoid clicking links in e-mails. Check carefully if you must click.

    One way attackers compromise accounts is by sending you to an official-looking, but fake website. This can easily trick you into entering your password, which then gets sent to the attackers.

    If you must click a link in an e-mail, check where it is sending you to. The URL tells you which website you are being sent to. Most importantly, verify the domain component of the URL: this is the part directly after the protocol (usually http:// or https:// for websites), through to the following slash (/). For example, in the URL, the domain is

    If the domain is not what you’re expecting, close the browser window and delete the e-mail. Verify this carefully; a common tactic is to use domains that look close to official domains, but have misspellings.  You may also see domains with extra length like:

  3. Avoid opening attachments in e-mails.

    It is very easy to make malware look like a legitimate file. Never open an attachment unless you are highly confident it has come from a legitimate source.

  4. If you think your account may have been compromised, change your password immediately.

    The best defense against an account compromise is to block further access. Changing your password should invalidate any login sessions you have open, and make it so the attacker can no longer access your account.

    If you suspect your computer may have been compromised as well, do this from another computer.

    Instructions for changing your password are here:

  5. Follow up with tech support.

    Open a ticket. The tech department should be made aware of every compromise. Not only can we help you identify how your account was compromised so it doesn’t happen again, we can also assist in taking any necessary remedial actions.
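
The domain check described in step 2, as an added example that is not part of the original FAQ: it extracts the host from a link and compares it with a list of expected domains, flagging misspellings and expected names buried in longer domains. The domains, the `check_link` helper, and the edit-distance threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains you actually expect to visit (constructed values).
EXPECTED = ("example.com", "bank.example")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, expected=EXPECTED):
    """Return (host, verdict) for a link copied from an e-mail."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and ":port" suffix, which also sit
    # between the protocol and the first slash but are not the domain.
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https") or not host:
        return host, "not a web link"
    if any(host == good or host.endswith("." + good) for good in expected):
        return host, "expected"
    for good in expected:
        # Extra length: the expected name appears in the host without
        # being its parent domain.
        if good in host:
            return host, "expected name inside a longer domain"
        # Misspelling: same number of labels, one or two characters off
        # (the threshold of 2 is an assumption of this example).
        tail = ".".join(host.split(".")[-len(good.split(".")):])
        if 0 < edit_distance(tail, good) <= 2:
            return host, "lookalike of " + good
    return host, "unexpected domain"

if __name__ == "__main__":
    # Constructed sample links, not taken from real e-mails.
    for link in ("https://www.example.com/login",
                 "https://examp1e.com/login",
                 "http://example.com.account-verify.test/login",
                 "https://example.com@login.test/reset"):
        print(link, "->", check_link(link))
```

A verdict of "expected" only means the domain matches your list; the other checks in this FAQ still apply.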

2023 update:

With the advent of AI technology, many phishing scams now have much improved grammar. There are also cases of voices being imitated by AI to resemble colleagues or loved ones. Be wary of any request for financial transfers, particularly using unusual means like Western Union or gift cards.
