
My daughter received a somewhat innocuous-looking e-mail from the Canadian Student Loan Services (or so she initially thought), asking her to send in a form confirming that she is still at school so that interest would not start being charged on her student loans. It ended up being yet another phishing example or, if the victim is more affluent, a spear-phishing example.

At first blush, the letter seemed pretty normal (a bad phishing example) until you started unravelling a few facts:

  • She had already received her student loans for this term because she had already filled in forms for OSAP (Ontario Student Assistance Program)
  • In the e-mail, there is no mention of a Canada Post mail address (no post office box or anything), which is very odd for a “Government Agency” not to include.
  • The phone number is also a problem (highlighted in yellow, I hope, and the real number not included): the area code is 807. A government agency normally uses 1-800 or other toll-free numbers, and 807 is not a toll-free area code.
  • The e-mail return address is also a giveaway (in green) if you look closer. NSLSC is the correct acronym, but all federal government domain names include their translated acronym in the domain name (in fact, the real domain is csnpe-nslsc.cibletudes-canlearn.ca).
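
The warning signs in the list above can be checked mechanically. The following is an added example, not part of the original post: the sender domain `nslsc.example`, the 555 numbers and the postal address are constructed (the post hides the real ones), and the toll-free list is the standard North American set.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The real NSLSC domain is the one given in the post; all other values are constructed.
LEGIT_DOMAINS = {"csnpe-nslsc.cibletudes-canlearn.ca"}
TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}  # North American toll-free codes
PHONE_RE = re.compile(r"(?<!\d)(?:1[-. ])?\(?(\d{3})\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)")
# Canadian postal code (A1A 1A1) or a PO box reference
POSTAL_RE = re.compile(r"\b[A-Z]\d[A-Z] ?\d[A-Z]\d\b|\bP\.?O\.? Box\b")

# Constructed sample shaped like the e-mail in the post (sender and fax number are made up).
SAMPLE_SUSPECT = """\
From: do-not-reply <do-not-reply@nslsc.example>
Subject: Urgent Information from the National Student Loan Service Centre

Once completed please fax the form to OSAP at 807-555-0100.
"""

# Constructed sample of a message that passes all three checks.
SAMPLE_CLEAN = """\
From: NSLSC <no-reply@csnpe-nslsc.cibletudes-canlearn.ca>
Subject: Statement available

Questions? Call 1-888-555-0142 or write to P.O. Box 0000, Anytown ON A1A 1A1.
"""

def phishing_indicators(raw: str) -> list[str]:
    """Return the warning signs from the post that this message trips."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    # 1. Sender domain must exactly match a known-good domain.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in LEGIT_DOMAINS:
        findings.append(f"sender domain {domain!r} is not the agency's known domain")
    # 2. Any phone or fax number with a regular (non-toll-free) area code.
    for m in PHONE_RE.finditer(body):
        if m.group(1) not in TOLL_FREE:
            findings.append(f"number with non-toll-free area code {m.group(1)}")
    # 3. No postal code or PO box anywhere in the body.
    if not POSTAL_RE.search(body):
        findings.append("no postal address or PO box in the message")
    return findings

if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, phishing_indicators(raw))
```

A message that trips these checks deserves a closer look; one that passes them is not thereby proven genuine.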

An Actual Phishing e-mail received

From: do-not-reply <[email protected]>
Date: September 20, 2016 at 11:08:48 AM EDT
To: Little Cajun Daughter
Subject: Urgent Information from the National Student Loan Service Centre


This message is intended for Little Cajun Daughter.

Our records indicate that your period of study ended as of April 30th, 2016.

Currently, you are in your six-month grace period, which will end on October 31st and your first payment will be due on November 30th, 2016. If you are continuing your studies on a full-time basis in Ontario this September please visit your Financial Aid Office and ask for them to complete a Continuation of Interest-Free Status form for your OSAP loan. If you will be continuing your studies on a full-time basis outside of Ontario this September please print a Continuation of Interest-Free Status form from OSAP’s website and have your school complete the form. Once completed please fax the form to OSAP at 807-XXX-XXXX.

Please visit the following link to obtain the Continuation of Interest-Free Status form from OSAP: https://osap.gov.on.ca/prodconsum/groups/forms/documents/forms/tcont003388.pdf. If you have completed your studies or will not be continuing full-time studies in Ontario this September we will be mailing you a Consolidation Agreement in October to advise of your repayment details and options. No action would be needed on your part until November.

What the Phishing example looked like

But why would some nefarious “baddy” want a new grad’s information? If you look at the form they want you to fax to their “phone number,” the first line of the form is your Social Insurance Number. The rest of the form is easily enough information to create a complete identity (or, more correctly, steal an identity). New grads and students may not be the best folks to phish. Could they pay out later?

Anyhow, hopefully, some of these simple tips will help you not be the victim of those nefarious bad folks out there attempting to Phish your identity. Use this as a good phishing example. Don’t Click That!

Are Phishing and Spear Phishing the same?

While they have the same goals, Phishing is typically a more generic attack trying to catch many folks, whereas Spear Phishing is usually aimed at a specific user who has access to something the “bad guys” want access to.

What if I fall victim to a Phishing scam?

Change all your passwords as fast as possible. Check out the Canadian Cyber Security website as well. Contact your bank, and anywhere else that your money or access might be used, to warn them as well.

How can I tell if I have been a victim of Phishing?

You will know fairly quickly if they are after your money. Your bank will most likely contact you. If they are trying to get access to sensitive material you have access to, that may take a bit longer to find out.

