Scammers use many different tactics, including sending email and creating web sites that resemble well-known, trusted institutions. Their goal is to trick you into providing information that they can use to infiltrate university systems or to steal your personal financial information and commit identity theft.

The bottom line is that you need to be aware of the risks:

At work:

If you give your university login credential to a phisher, you give up the keys to the university’s data and systems, putting the integrity and security of the university at risk. With this data, criminals can lock up university systems, destroy data, or steal sensitive business or personal information.

At home:

Scammers can use your personal data to access your bank or credit card accounts. From there, it’s easy for criminals to clear your accounts, max out your credit, open new bank or credit cards in a your name, and steal your identity.



Phishing most commonly involves sending fake email or text messages under the name of a trusted institution in order to trick you into providing personal information.

MacEwan University, like any reputable institution, will never ask you to verify login credentials, account numbers or passwords by clicking on a link in an email.

Giving up your university login credentials gives scammers access to university systems and data, putting MacEwan at risk for data theft and destruction, or ransomware (software that blocks access to a system until a ransom is paid).

Spot a phishing message

The following are some signs that indicate an email could be a phishing scam:

  • It has a generic salutation, like "Dear customer," or "Dear Sir or Madam" 

  • It has a sense of urgency and gives deadlines: "Immediate action required"

  • It threatens you in some way ("Account status is in danger!) or puts you in fear of losing money

  • It's too good to be true. Look for unreasonable free offers (You are a winner!)

  • It asks you to disclose personal or business information

  • It requests that you click on a link to verify a password, account information or credit card number

  • It comes from businesses or services you do not use

  • It includes attachments (e.g. PDFs, Word or Excel documents) 

  • It contains poor grammar and spelling

  • It is an unexpected and out of character email from someone you know. Don't click anything or reply. Call your friend. 

  • It includes attachments, files or links that require you to download software to view

  • Links in the message are close, but not quite right. For example, links may contain all or part of a real company's name (e.g. Links are usually "masked," meaning that the text you see in the link does not take you to that website, but to somewhere else, probably a malicious website.
    Here’s an example of masking (this example is safe, don't worry):
    1. Hover your cursor over this link: 
    2. As you do, look in the bottom left of your screen - you'll see the actual destination of the link:
    So, the linked text tells you that you are being directed to the MacEwan University website, but clicking on it will take you to the City of Edmonton site. That's masking.

Protect yourself from phishing

Keep your software up-to-date

Sophos anti-virus software: The university offers free anti-virus software for work and home; links are within the Tech Support pages in — both staff and student.

Visit the staff portal Tech Support page (Information is under "Software")

Visit the student portal Downloads page

Browser software

Make sure you have the latest version of your Internet browser installed. Most browsers identify and warn you of potential security threats. For more information, visit the browser’s websites:

If an email looks suspicious, don’t open it, or any attachments that came with it. If you opened the email and the contents look suspicious (see Spot a Phishing Message, above):

  • Don’t click links. More often than not, they’ll take you to fraudulent or malicious websites.

  • Don’t open attachments that come with emails

  • Do not reply to messages

  • Delete suspicious emails immediately

What to do if you get phished

If you think you’ve disclosed personal information like passwords or credit card numbers to a malicious website, here’s what to do:

At work

  1. Contact Tech Support immediately.

  2. Block the sender.

  3. Change your university network password.

At home

  1. Contact the company whose website was faked to report the scam. Don’t reply to the scam email: call the company or go online to find their real website.

  2. Go to the real website for the company in question and change the password for your account.

  3. Review your statements or accounts from that company to identify unexpected charges/changes.


Phishing and malicious websites

The URLs (malicious URLs) in phishing attacks will most often lead you to a malicious website. These sites look like the real deal, and trick you into providing personal information or downloading a virus that allows hackers access to your computer or institution’s network. Even legitimate-looking ecommerce sites can be fronts for a malicious websites.

Some malicious websites don't try to trick you. They attack you through security gaps in your web browser to install malware that can do anything from interfering with the operation of your computer (changing your default browser home page and installing pop-up ads, etc.) to collecting your personal information or even getting total access to your computer.

Find out more about malicious websites on the Data Security page »

Protect yourself from malicious websites

There are several things you can do to protect yourself from malicious websites. First and foremost:

  • Avoid them.

  • Never click on a link in an email or text to go to any site. Always type in the address manually or use a bookmark that you know is legitimate.

  • Make sure your computer, browser and important software are always up to date. See “Protect Yourself from Phishing” in the previous section.

Check the URL

Spell check

Is the URL spelled correctly? Scammers will set up website URLs that are nearly identical to the spelling of a legitimate URL. Or they may use a legitimate website name like "Amazon" as part of their own malicious URL (e.g.

Look for the “s”

The URL of any secure, legitimate site that asks you for information (e.g. your credit card number) will begin with “https” rather than “http.” The “s” at the end of “http” stands for “secure.” These sites encrypt your information before it’s sent to a server. If you don’t see “https” in the URL, don’t type in your information.

Look at the site’s content and design

A site may be malicious if it:

  • asks you to download or update software before you’re able to do something. 

  • offers free stuff, or prices so cheap it doesn’t seem possible. If it looks to good to be true, watch out – these offers are probably bait. Do some research before you offer up any information.

  • is poorly laid out or it contains grammatical or spelling errors

IT Security Icon Illustration

Don't get hooked by the phish

If you are worried that you have been a victim of a phishing scam or any other security breach, contact us for information. Don't be afraid to notify Tech Support about any breach of security or with any questions.