Lessons on fighting phishing

by John Hewie, National Security Officer, Microsoft Canada

For this blog post, Get Cyber Safe has partnered with Microsoft, who, like us, understands how important cyber security is to businesses as well as individuals. This blog presents their perspective, and we thank them for being a dedicated partner in the cyber security of Canadians.

Cyber Security Awareness Month (Cyber Month) is an opportunity to take stock of our online habits to ensure we’re keeping our data and families safe. This year, we are focused on how to fight one of the most common types of cyber attacks – phishing. The more everyone can learn about phishing and how it works, the better prepared we will be to spot the lures and protect ourselves.

The accelerated use of all things digital since 2020 presents an attractive environment for cyber criminals to gain access to our information. They use creative tactics to convince us to hand over our own personal information, which is commonly referred to as social engineering.

Social engineering targets the person using the device rather than the device itself. Cyber criminals try to gain access to personal data such as accounts and passwords, banking information and our location to commit fraud or other illegal activities online. An overwhelming majority of cyber attacks today use social engineering because it targets our natural inclination to believe a seemingly trusted source.

Cyber criminals look to maximize their profits. It’s easier and less costly for them to create a compelling email that looks like it’s from a legitimate source, such as your bank, in an attempt to gain access to your account. Trying to hack into a device or banking app by exploiting a vulnerability in the software is typically much harder to do. This specific type of social engineering is called phishing. Canada saw a significant increase in phishing attacks between 2020 and 2022.

Phishing is a user-centric attack technique that combines technical and socio-psychological techniques to encourage users to carry out specific actions. It is the most common tactic criminals use to infiltrate networks to install malware or ransomware, or to steal your personal data for fraud. Cyber criminals successfully use emails, text messages and direct messages on social media or in video games to dupe people into providing their personal information. Remember, cyber criminals don’t have to “break in” if they can simply “log in” with your stolen credentials.

So how can you protect yourself from a phishing attack? The best protection against phishing is awareness and education.

Here are common telltale signs of a phishing scam:

  • Urgent call to action or threats - Be suspicious of emails that claim you must click, call, or open an attachment immediately. Often, they'll claim you have to act now to claim a reward or avoid a penalty. Creating a false sense of urgency is a common trick of phishing attacks. Don’t panic, take a pause, review the email carefully and consult with someone you trust if needed.
  • First time or infrequent senders - It's not unusual to receive an email from someone for the first time, especially if they are outside your network, but this can be a sign of phishing.
  • Spelling and grammar - If an email message has obvious spelling or grammatical errors, it might be a scam. Beware that cyber criminals are becoming more professional and these types of obvious errors are less frequent.
  • Generic greetings - An organization that works with you should know your name and, these days, it's easy to personalize an email. If the email starts with a generic "Dear sir or madam" that's a warning sign that it might not really be your bank or shopping site.
  • Mismatched email domains - If the email claims to be from a reputable company, like Microsoft or your bank, but is sent from another email domain, like Gmail.com or microsoftsupport.ru, it's probably a scam. Also watch for very subtle misspellings of the legitimate domain name, like micros0ft.com, where the second "o" has been replaced by a zero. These are common scammer tricks, known as typosquatting.
  • Suspicious links or unexpected attachments - If you suspect that an email message is a scam, don't open any links or attachments that you see. Try to hover your mouse over the link to see if it looks legitimate.
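The mismatched-domain sign above can also be checked automatically by a mail filter or during triage of a reported message. The following is an added example, not part of the original post or any Microsoft code; the TRUSTED allow-list, the verdict names and the sample headers in the comments are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption for this example: domains the genuine sender uses (constructed allow-list).
TRUSTED = ("microsoft.com", "outlook.com")
# Digits commonly swapped in for letters, mapped back to the letter they imitate.
CONFUSABLES = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Naive: keep the last two labels. Production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def classify_sender(from_header):
    """Return a verdict for a message's From header."""
    display, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower().rstrip(".")
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted"
    # Typosquatting: digit-for-letter swap, or one character away from a trusted domain.
    unmasked = dom.translate(CONFUSABLES)
    if any(unmasked == t or edit_distance(dom, t) <= 1 for t in TRUSTED):
        return "lookalike"              # e.g. security@micros0ft.com
    brands = [t.split(".")[0] for t in TRUSTED]
    # Brand name embedded in a host that belongs to someone else.
    if any(b in host.translate(CONFUSABLES) for b in brands):
        return "brand-in-other-domain"  # e.g. alert@microsoftsupport.ru
    # Display name claims the brand, but the address is on an unrelated domain.
    if any(b in display.lower() for b in brands):
        return "display-name-mismatch"  # e.g. "Microsoft Account Team" at gmail.com
    return "unverified"
```

A "trusted" verdict only means the domain string matches the allow-list; the From header can be spoofed, so it does not replace SPF, DKIM and DMARC results.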

Consider reporting phishing emails to Microsoft directly in Outlook.com or the Outlook app to help reduce future spam and phishing for yourself and others. Other email carriers should have similar options.

One more layer of protection that all users at home should consider is using a Domain Name Service (DNS) that blocks known malicious domains, such as the free CIRA Canadian Shield. This way, if you accidentally click on a phishing link in an email, you have an additional layer of security that may help protect you when using any app.

If you feel you've been a victim of a phishing attack:

  • Report the incident immediately to your organization if you are on a work computer
  • Immediately change passwords associated with the accounts you suspect may be compromised
  • Report scams or fraudulent activity to the appropriate authority and the Canadian Anti-Fraud Centre

Microsoft is committed to helping everyone stay safe online. Following security best practices, such as keeping devices updated, enabling multi-factor authentication (MFA) on your accounts, and developing awareness of phishing and other scams are top recommendations. Visit Security 101 | Microsoft Security to learn more about cyber security.

