My daughter received a somewhat innocuous-looking e-mail from the Canadian Student Loan Services (or so she initially thought), asking her to send in a form to confirm that she is still at school, so that they wouldn’t start charging interest on her student loans. It ended up being yet another phishing example or, if the victim is richer, a spearphishing example.
At first blush the letter seemed fairly normal (a bad phishing example), until you start unraveling a few facts:
- She had already received her student loans for this term, because she had already filled in forms for OSAP (Ontario Student Assistance Program).
- In the e-mail there is no mention of a Canada Post mail address (no post office box or anything), which is very odd for a “Government Agency” not to include.
- The phone number is also a problem (highlighted in yellow I hope, and the real number not included), because the area code is 807. Normally a government agency uses either 1-800 numbers or other toll-free numbers, but 807 is not a toll-free number.
- The e-mail return address is also a giveaway (in green) if you look closer. NSLSC is actually the correct acronym; however, all federal government domain names include their translated acronym in the domain name (in fact, the real domain is csnpe-nslsc.cibletudes-canlearn.ca).
The actual e-mail received
From: do-not-reply <email@example.com>
Date: September 20, 2016 at 11:08:48 AM EDT
To: Little Cajun Daughter
Subject: Urgent Information from the National Student Loan Service Centre
But why would some nefarious “baddy” want a new grad’s information? If you look at the form they want you to fax to their “phone number”, the first line of the form is your Social Insurance Number, and the rest of the form is easily enough information to create a complete identity (or, more correctly, steal an identity). New grads and students may not be the best folks to phish, but they could pay out later?
Anyhow, hopefully some of these simple tips will help you not be the victim of those nefarious bad folks out there attempting to phish your identity. Use this as a good phishing example. Don’t Click That!
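The checks from the list above (sender domain, toll-free phone number, postal address) can be scripted as a rough triage aid; this is an added example, not part of the original post. The sample messages, the `nslsc.example` sender and the function names are constructed, and the expected domain is the one the post gives as the real one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The real domain as given in the post; every other value below is constructed.
EXPECTED_DOMAIN = "csnpe-nslsc.cibletudes-canlearn.ca"
# North American toll-free area codes.
TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Canadian postal code pattern (A1A 1A1) or a P.O. box mention.
POSTAL_RE = re.compile(r"\b[A-Z]\d[A-Z][ -]?\d[A-Z]\d\b|\bP\.?\s?O\.?\s+Box\b", re.I)

def body_text(msg) -> str:
    """Join the text/plain parts (handles single-part and multipart mail)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(str(p.get_payload()) for p in parts)

def red_flags(raw_message: str) -> list[str]:
    """Return the warning signs from the post's checklist found in one message."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    flags = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != EXPECTED_DOMAIN:
        flags.append(f"sender domain {domain!r} is not {EXPECTED_DOMAIN}")
    for area in PHONE_RE.findall(body):
        if area not in TOLL_FREE:
            flags.append(f"phone area code {area} is not toll-free")
    if not POSTAL_RE.search(body):
        flags.append("no postal address in the body")
    return flags

# Constructed sample messages (not the e-mail from the post).
SUSPICIOUS = (
    "From: do-not-reply <do-not-reply@nslsc.example>\n"
    "Subject: Urgent Information from the National Student Loan Service Centre\n"
    "\n"
    "Fax the completed form to 807-555-0123 to confirm your enrolment.\n"
)
EXPECTED_LOOKING = (
    f"From: do-not-reply <do-not-reply@{EXPECTED_DOMAIN}>\n"
    "Subject: Your account\n"
    "\n"
    "Call 1-888-555-0100 or write to P.O. Box 0000, Anytown ON X0X 0X0.\n"
)

if __name__ == "__main__":
    for flag in red_flags(SUSPICIOUS):
        print("WARNING:", flag)
```

A clean result only means none of these three signs were found; the From header can be forged, so it is not proof that a message is genuine.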