University of Toronto Logo

Information + Technology Services

Small normal big

September BEC phish alert

September 20th 2018


On September 18, 2018, a phishing email was sent to University of Toronto (U of T) employees from what appeared to be a senior U of T official. The message asked readers to respond quickly to a request.

This type of deceptive email is called business executive compromise (BEC). A  BEC phish is a form of phishing where a cyber criminal impersonates an executive in an attempt to get another employee to send sensitive information and transfer funds from gift cards or e-currencies. If you receive an email like this, please forward it to: report.phishing@utoronto.ca.

Follow these tips and best practices for avoiding spear-phishing attacks:

  • Check the actual email address attached to the anchor text or display name by hovering over the link with your cursor. Look out for domains that do not have the “@utoronto.ca” handle.
  • Do not reply or forward these emails to other colleagues or anyone else as it will open touchpoints for fraudulent activities and further threats to information security.
  • Do not use non U of T emails for work-related activities. When in doubt, contact the person through phone or in-person to confirm who sent the email.

Read more about this particular BEC attack.
Learn more about a similar incident in August.
Learn more about how to protect yourself against phishing.