Handling Email Spam and Phishing
Spam
Email spam is unsolicited mass email. Some spam contains offensive content, and some carries an attachment containing a virus that could harm your computer or the network.
All incoming outside email messages are passed through the TMU mail filters to determine whether they come from legitimate senders or from "spammers".
- Sometimes legitimate messages are falsely flagged as spam. These messages may be forwarded with full headers to notspam@torontomu.ca.
- Some messages that are spam will make it past TMU's spam filters. These messages may be forwarded with full headers to spamrec@torontomu.ca.
Appropriate measures will be taken to try and reduce the amount of incoming spam and reduce the number of messages that have been falsely flagged as spam.
Currently, incoming outside email messages that the TMU mail filters consider to be spam are quarantined and not delivered to your mailbox. This can cause problems, because some legitimate messages are falsely flagged as spam and quarantined without the user knowing about it. Currently, users contact CCS to check whether a message they were expecting has been quarantined; if so, CCS will manually release the message from quarantine.
Find more on how to manage spam in your TMU Gmail account.
Often when CCS troubleshoots an email issue, or reported spam, it’s useful to have the “full headers” of a message. This helps to accurately track where a message came from.
- Select the message.
- Using the drop-down menu in the upper-right, select Show original.
- Select Copy to clipboard.
- Paste into a new message.
- Select the message.
- From the View menu select Headers then All.
- Forward the message.
- Double-click the message to open it in a new window.
- Select the File tab in the new window and click the Properties button.
- The headers are in the bottom portion of the window (beside Internet headers:). Copy headers.
- Forward the original message and paste the copied headers into that message before sending it.
Because of the way some external sites block Google content, it’s best to use an image from the TMU branding site. Download and unzip the Logo Download file. Upload the TMU-rgb.png file to your My Drive on Google Drive.
You can add this to your Gmail signature. Select the gear icon and choose Settings > General > Signature. Then use the Insert Image icon, select the My Drive tab and select the TMU-rgb.png file. Click Select. Select the image and choose the appropriate size.
Phishing
Phishing emails are designed to deceive you into:
- Clicking a link and entering personal details like your TMU username and password;
- Giving away personal details like your credit card or bank account numbers;
- Opening an attachment and installing malicious software; or
- Impersonating someone in an attempt to commit fraud with your help.
Each month, our university fields 1,500 increasingly convincing phishing emails attempting to target students, faculty and staff.
What to do with a phish
- The sender's address is suspicious.
- The "To" field is blank or for another person.
- The email includes typos or grammatical errors.
- The message contains an urgent request for personal information.
- The message requires immediate action to avoid a problem like losing access to your TMU account.
- When you hover over a link or button in the email, it directs you to an address (usually suspicious) unrelated to the text in the link.
Spear phishing is a phishing tactic that targets a specific person by sending fraudulent emails that include personal information about the victim, tricking them into believing the email is legitimate.
Here is an example where the sender is pretending the email is from a TMU address, but the actual address is really from uniswa.szabc.
Here is an example of an email that claims to be from FedEx where the actual address is from specweldfab.revitalsite.comabc.
It’s always worth taking a moment to carefully check the full email address of the sender.
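The sender check described above, written out as an added example (it is not TMU's or CCS's code). It reads pasted full headers, compares any address shown in the display name with the real sender address, and lists the servers named in the Received lines. The sample headers are constructed: only the domain uniswa.szabc comes from the example above, and the local parts, relay name and IP address are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "torontomu.ca"  # domain named on this page

# Constructed sample headers, not a real message.
SAMPLE = '''\
Received: from mail.uniswa.szabc (mail.uniswa.szabc [203.0.113.7])
\tby mx.example.net with ESMTP; Tue, 02 Jan 2024 10:00:00 -0500
From: "accounts@torontomu.ca" <webmaster@uniswa.szabc>
Subject: Your account will be closed

body
'''

def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    _, at, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def is_trusted(domain):
    """True for torontomu.ca itself or any host name ending in .torontomu.ca."""
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def sender_report(raw_headers):
    msg = message_from_string(raw_headers)
    # parseaddr splits 'Display Name <real@address>' into its two parts
    display, address = parseaddr(msg.get("From", ""))
    actual = domain_of(address)
    # An address typed into the display name is decoration, not the sender
    claimed = {domain_of(a) for a in re.findall(r"[\w.+-]+@[\w.-]+", display)}
    # Each Received line names the server that handed the message on
    hops = [m.group(1) for r in msg.get_all("Received", [])
            if (m := re.search(r"from\s+(\S+)", r))]
    return {
        "display": display,
        "address": address,
        "trusted_sender": is_trusted(actual),
        "display_mismatch": any(d != actual for d in claimed),
        "received_from": hops,
    }

if __name__ == "__main__":
    for key, value in sender_report(SAMPLE).items():
        print(f"{key}: {value}")
```

The From line is written by the sender, so a passing domain does not prove where a message came from; the Received lines in the full headers are what allow it to be traced.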
Here is part of an urgent request that included a link to a fake TMU login page:
Here’s another example of an urgent request:
Both of these fake messages include tell-tale grammatical errors and demand you take action to avoid losing access to your account.
Hovering over a link with your mouse and carefully checking the URL is one of the best ways to detect a phishing email. If you are using a tablet or smartphone, carefully press and hold the link, rather than tapping it, to reveal the true URL. Here's an example of a link that goes to a fake TMU login page hosted on a server in another country.
If you hover over the link without clicking you will see a very long URL (it may appear in the bottom-left of your browser) like this:
It may remind you of what you see in the location field of your browser when you log into the my.torontomu.ca portal. But it is not the same. Here is the valid address that you see when you log in to my.torontomu.ca:
https://cas.torontomu.ca/login?service=https%3A%2F%2Fmy.torontomu.ca%2FLogin
Aside from the fact the fake link is longer, how can you tell which one is a link to a server at TMU and which one is not?
- The legitimate URL has a forward slash after cas.torontomu.ca/; the fake one has a forward slash after cas.torontomu.ca.eduq.tkabc/.
- Another giveaway is that the fake URL starts with http:// while the valid one starts with https://. TMU login pages will always start with the secure https://.
Here is a fake URL that has been well-crafted to look like a TMU address:
https://cas-torontomu.com/login?service=https%3A%2F%3Fmy.torontomu.ca%2FLogin
Notice how a hyphen has replaced the dot. A valid TMU host name that isn’t simply https://www.torontomu.ca must end with .torontomu.ca/
Let's look at two FedEx URLs. Which one takes you to a FedEx site and which one to somewhere more dangerous?
- https://www.fedex.com/apps/myprofile/loginandcontact/?locale=en_ca
- http://www.fedex.info.szabc/apps/myprofile/loginandcontact/?locale=en_ca
To tell the difference, locate the first forward slash after the https:// (or http://). The host name is everything before that slash:
- https://www.fedex.com/apps/myprofile/loginandcontact/?locale=en_ca
- http://www.fedex.info.szabc/apps/myprofile/loginandcontact/?locale=en_ca
The first link takes you to the real fedex.com site. The second just has FedEx in the name.
If you aren't sure about a link, type a link that you know is correct like my.torontomu.ca or fedex.com into the location bar of your browser instead of clicking.
The TMU community makes extensive use of Google Workspace apps including Drive, Calendar, and Groups. The URLs for these applications can be very long but they all start with a host name that ends with .google.com:
- https://drive.google.com/
- https://docs.google.com/
- https://calendar.google.com/
The host name always ends before the first forward slash with .google.com/
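The host-name rule above, written out as an added example (it is not TMU's code). It takes the text before the first forward slash as the host name, then checks that the host ends with the expected domain and that the link uses https. The URLs are the ones quoted on this page, except that the path of the third is constructed because only its host name appears in the text; requiring https for the FedEx and Google links as well is an assumption.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Host name the browser will contact: the text between '://' and the
    first '/', without any 'user@' prefix or ':port' suffix."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(url, domain):
    """True if the host is `domain` itself or ends with '.' + domain.
    The leading dot matters: 'cas-torontomu.com' and
    'cas.torontomu.ca.eduq.tkabc' both contain the name but neither
    ends with '.torontomu.ca'."""
    host = host_of(url)
    return host == domain or host.endswith("." + domain)

def check_link(url, domain):
    """Return the reasons a link fails; an empty list means it passes."""
    reasons = []
    if urlsplit(url).scheme != "https":
        reasons.append("not https")
    if not belongs_to(url, domain):
        reasons.append(f"host {host_of(url)} is not under {domain}")
    return reasons

# (link, domain it claims to belong to)
LINKS = [
    ("https://cas.torontomu.ca/login?service=https%3A%2F%2Fmy.torontomu.ca%2FLogin", "torontomu.ca"),
    ("https://cas-torontomu.com/login?service=https%3A%2F%3Fmy.torontomu.ca%2FLogin", "torontomu.ca"),
    ("http://cas.torontomu.ca.eduq.tkabc/login", "torontomu.ca"),  # path constructed
    ("https://www.fedex.com/apps/myprofile/loginandcontact/?locale=en_ca", "fedex.com"),
    ("http://www.fedex.info.szabc/apps/myprofile/loginandcontact/?locale=en_ca", "fedex.com"),
    ("https://docs.google.com/", "google.com"),
]

if __name__ == "__main__":
    for url, domain in LINKS:
        print(host_of(url), "->", check_link(url, domain) or "ok")
```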
Some attackers have used personal Google accounts and Google Forms to try to get people to "login" to a Google Form. This is relatively easy to spot because Google Forms don't look like TMU's or Google's login screens. Google has even added a warning at the bottom of every Google Form that says: "Never submit passwords through Google Forms."
Hackers can also target you by directing you to malicious phishing websites or by contacting you via your mobile devices.
Tip: Avoid using the “Report phishing” option that’s built into the TMU Gmail platform. Forwarding the phish to spamrec@torontomu.ca ensures you’re reporting it directly to us so we can stop it from reaching others at the university.
How to reveal a true link
A crucial skill in defending against phishing is knowing how to check a link to reveal its true URL before clicking on it.
Links in phishing emails and on fake websites often don’t match what or who they claim to be. If a URL is unfamiliar or differs from what you expected, don’t click.