Information Technology Services (ITS)

Watch out for spear-phishing attempts

Published on: August 14, 2018

On August 8, 2018, a phishing email instructing readers to purchase $500 worth of gift cards was sent to a University of Toronto (U of T) employee from what appeared to be a senior U of T official.

This kind of deceptive email is called a spear-phish. Spear-phishing targets specific people within organizations, exploiting their trust in order to obtain sensitive information. These scammers use emotional triggers such as urgency and fear to coerce recipients into sending information or money.

Below is a set of tips and best practices for avoiding spear-phishing attacks:

  • Check the actual email address attached to the anchor text or display name by hovering over the link with your mouse cursor. Look out for domains that do not have the “” handle.
  • Be mindful of what kind of personal information you have online, especially if it includes answers to the secret questions used by account password recovery features.
  • Emails can have links that may be embedded with a malicious URL. For example, can lead to a completely different website. Hover over the link with your cursor to check.

This is an image of a website with a link that has an embedded link that goes elsewhere.
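The hover check described above can also be automated on the mail-filtering side. The following Python sketch is an added example, not part of the original ITS notice: it parses the HTML body of a message and reports links whose visible text names one host while the underlying URL points to another. The sample HTML and every hostname in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)  # hostname-like text

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(shown, actual):
    """True when the real host is the shown host or a subdomain of it."""
    shown, actual = shown.removeprefix("www."), actual.removeprefix("www.")
    return actual == shown or actual.endswith("." + shown)

def find_mismatches(html):
    """Return (visible text, real host) for links whose text names another host."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        actual = (urlsplit(href).hostname or "").lower()  # empty for mailto: etc.
        shown_hosts = [h.lower() for h in HOST_RE.findall(text)]
        # Links with no hostname in their text ("Click here") are not judged here.
        if actual and any(not same_site(h, actual) for h in shown_hosts):
            findings.append((text, actual))
    return findings

# Constructed sample body; example.edu and example.net are placeholder domains.
SAMPLE_HTML = """\
<p>Review: <a href="https://example.edu.login.example.net/r">https://portal.example.edu/review</a></p>
<p><a href="https://help.example.edu/contact">help.example.edu</a></p>
<p><a href="https://www.example.edu/">Click here</a></p>
"""
```

Only the first link in the sample is reported: its text shows `portal.example.edu`, but the real host merely begins with `example.edu` and belongs to a different domain.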

  • Use different passwords for your work-related accounts and stronger passwords for accounts that have a higher degree of security risk.
  • If your account is hacked, report the incident immediately to your local IT group or

Read more about this particular spear-phishing attack.

Learn more about how to protect yourself against phishing.