Listen to Phish

This activity requires you (or someone physically near you) to receive a scam communication. So I recommend starting this activity a bit earlier than others since it is hard to control when a scam might happen. If you really don’t receive any scams, try talking to your friends or family about ones they have seen recently.

All you need to do is read or listen to the full scam communication and then think critically about the following questions. There is no need to progress past the initial communication. It is fine to hang up after their initial pitch; you do not need to speak to anyone, and you do not need to click any links. Please also review the safety guidance below.

Questions to think about

  • Who is the scammer claiming to be?
  • What would a real communication from that group or individual look like? (It is ok to answer that you do not know.)
  • How did you determine this was a scam/phishing?
  • What do you think the scammer is trying to achieve? This one may be challenging to impossible to answer, but try guessing.
  • How confident are you in your assessment? Could you be wrong?
  • If you are unsure, how might you double check if the communication is valid or phishing?

Safety

Do not:

  • Give out real data
  • Click on links in suspected scams/phishing (unless you are on a safe VM, and even then be very careful)
  • Give them your real name or contact details
  • Email them back - many email providers (though maybe not UWaterloo) use Greylisting, where the mail server considers whether you have ever emailed the sender before when creating its spam score. The reasoning is that you normally only email valid contacts. But if you email a scammer, the next email they send will get a score boost from the greylist, and consequently the spam filter may not catch a subtle scam. Avoid emailing scammers.

You can:

  • Run wget on any links and look at the resulting page in a text editor. Do not open it with a web browser.
  • Give the scammer a fake name or address
    • Avoid using the contact information of the University you attend. Better to pick a large location in a populous city like Toronto.
  • Talk vocally to the scammer. There is some risk that by answering you may get put on a “willing to answer” scammer list. But otherwise just talking to a scammer is not harmful if you pay attention to the rules above.

Reflection questions

  • Answer the questions above.
  • Add at least one sentence of self-reflection.

Learn more

Scams are often obvious because they occur outside the context we expect. That makes them easy to identify. But scams work by finding one person where that message does make sense. And just about anyone can fall for phishing: