Sophisticated Phishing Attacks

Generative artificial intelligence (AI) has made it easier for hackers to quickly craft phishing emails that seem like they’re from someone you know. With AI introducing such ease, you might notice even more sophisticated phishing attacks in your inbox over time, and they’ll get harder to spot.

AI allows hackers to:

• Create phish personalized just for you, with details about your school, workplace or social accounts referenced.
• Replicate legitimate communications with great accuracy, from organizations you trust.
• Remove language barriers and respond to you instantly, automating phishing campaigns in a short amount of time and leading you to believe you’re talking to a real person.

• Any time an email makes a request of you, exercise a healthy skepticism and pause.
• Before clicking, check a link’s true URL by hovering your cursor over it—the true source will show at the bottom of your browser. On a mobile device, you can press and hold the link (rather than tap). If a URL is unfamiliar or differs from what you expected, don’t click.
• Trust your gut and verify the sender’s legitimacy by contacting the organization via a means you know to be legitimate.

This form of cyber attack attempts to deceive you into scanning a QR code from an email or physical poster. Malicious QR codes allow hackers to:

• Steal data such as your login credentials, banking information or personal information.
• Infect your device with malware and potentially leave you vulnerable to ransomware.

• When you want to scan a QR code, pause to review the URL of the website you are being directed to before proceeding.
• Double check the destination address for clues to anything suspicious and check that the website domain is consistent with that of the organization. For instance, a QR code from a TMU department is unlikely to send you to a domain that does not end with "torontomu.ca".

• Hackers can gain access to email accounts of people and organizations you know, allowing them to reach out to you with less suspicion.
• When you recognize the sender, you’re more likely to trust the message and click links or provide details they request.

• Even when a sender looks legitimate, pay attention to:
• Improper greetings or language—often, emails from colleagues won’t start with formal greetings and most organizations typically will not use casual language.
• Whether the email is trying to manipulate you by:
  • Demanding urgent action (e.g. asking you to pay for or buy something immediately), 
  • Offering something too good to be true (e.g. you’ve won a lottery); or
  • Presenting a fake TMU login page that steals your username and password once you’ve entered them.
• Whether any links are genuine. Before clicking, check a link’s true URL by hovering your cursor over it—the true source will show at the bottom of your browser. On a mobile device, you can press and hold the link (rather than tap). If the URL is unfamiliar or differs from what you expected, don’t click.

• Spear phishing is a tactic designed to target a specific person. They often contain identifying information to convince the recipient that the email is coming from a legitimate source. Like traditional phishing tactics, spear phishers try to get you to share personal information or download malware disguised as files or software.

Common trends in spear phishing

• Emails related to remote learning and work. These commonly include:
  • Information about missed classes or meetings
  • Requests to share sensitive document
  • Calls for urgent action or unusual business practices, e.g. an email disguised as coming from your teaching assistant or supervisor urgently requesting that you make a bulk gift card purchase and email them the authorization codes.
• Spear phishing emails may start with a hacker asking you to respond to an urgent question. However, this can initiate a conversation designed to gain your trust before you’re asked to purchase something on their behalf or share sensitive information.
• Emails related to current or world events, including requests for donations to support disaster relief or emails claiming to be from government or health organizations.

• Be alert to your emotions, especially if you feel suspicious, rushed or alarmed. Hackers often evoke these feelings in hopes you’ll do what they ask without taking the time to think first.
• If there are links provided in the email, ensure they don’t lead you to a login page where your username, password or other personal details could be stolen once you enter them. 
  • Before clicking, check a link’s true URL by hovering your cursor over it—the true source will show at the bottom of your browser. On a mobile device, you can press and hold the link (rather than tap).If the URL is unfamiliar or differs from what you expected, don’t click.
• Pay attention to visual cues on websites you’re sent to. Red flags include URLs that don’t match the URL of an official site, spelling and grammatical errors, poor formatting and images and logos that are stretched or blurry.

Smishing, also known as SMS phishing, is a phishing tactic that targets your mobile devices by sending misleading texts posing as communications from a trusted organization. 

Common traits of smishing attempts include:

• Texts from a phone number that is unknown to you. 
• Texts with typos or grammatical errors.
• Messages containing an urgent request for personal information like login information or bank account details.
• Texts that require immediate action to avoid a problem like retaining access to an account or rescheduling delivery of a package.
• Messages that ask you to click a link or download a file of vague origins.
• Texts offering you something that sounds too good to be true with little to no action on your part.

• Check the authenticity of the sender’s phone number by visiting the website of the organization they claim to be from—if their number is listed, it’s more likely to be genuine.
• Check each link before clicking by pressing and holding the link (rather than tap) to reveal the URL. If the URL is unfamiliar or differs from what you expected, don’t click.
• Contact the organization directly via email or publicly-listed phone numbers to confirm if the text came from them.
• Verify your personal records to confirm if you have any services or subscriptions from the company in question.
• Ask yourself, “Would this company contact me via text message?”.

If you suspect that a text is a smish, don’t respond to the message and avoid clicking any suspicious links. Always block the number and delete the text to avoid further smishing attempts.

Vishing, also known as voice phishing, is another phishing tactic that targets you via mobile devices using live agents or automated calls claiming to be from a trusted organization. Vishing attacks usually take one of three forms:

AI voice cloning

Artificial intelligence (AI) has made it possible to replicate a person’s voice using a few seconds of audio found in, for example, a voicemail greeting or video posted to social media. Cybercriminals then identify your friends or family members and use the AI-cloned voice to stage a phone call asking for money or other personal details that can be used to defraud you.

Cold calls

In this scenario, you’ll receive a phone call from an unknown number claiming to be from an official organization requesting personal information or remote access to your device to solve a fake issue with an account or device.

Misleading ads and websites

Malicious actors may create fake online ads or websites that encourage you to call a number to sign-up for or purchase a fake service or product.

Common traits of vishing attempts

• The calls come from a phone number that’s unknown to you.
• The caller makes an urgent request for personal information or remote access to your device to resolve an issue like canceling a subscription or removing malware from your device.
• The caller makes use of social engineering tactics like keeping you on the call to gain your trust.
• The caller offers you something that sounds too good to be true with little to no action on your part.
• Ads or websites with typos or grammatical errors encouraging you to call a phone number to sign up for a service or resolve an imaginary issue with your device.

AI voice cloning

• Listen for unnatural pauses or robotic-sounding speech.
• Question unexpected requests for personal or financial information.
• Verify the caller's identity by contacting them through a different mode of communication.
• Stay calm and avoid succumbing to pressure tactics.
• Check for inconsistencies in the caller's story.

Cold calls and misleading ads or websites

• If the caller or number are unknown to you, end the call without providing personal information or granting remote access to your device.
• Check the authenticity of the caller’s phone number by visiting the official website of the organization they claim to be from and verifying if their number is listed.
• Contact the organization directly via email or publicly-listed phone numbers to confirm if the call came from them.
• Verify your personal records to confirm if you have any services or subscriptions from the company in question.
• Ask yourself, “Would this company contact me over the phone?”.

If you suspect that a call is a vish, always block and delete the number to avoid further vishing attempts.

You can prevent future vishing attempts by registering your phone number with the Government of Canada’s National Do Not Call List for telemarketers (external link) . By registering your number, many telemarketers will be prevented from cold calling you, although it’s important to remember that this will not protect you from all vishing attacks.