The University of Waterloo is currently seeing an increase in phishing attempts. This can be expected at certain times of year, like when it’s time to find housing, pick your courses, start your holiday shopping, or even do your taxes! It’s safest to be cyber aware all year round.
Common student-focused scams
1. Academic and employment scams
You may receive phishing emails and scams related to academics and employment, such as fake job offers, research positions or co-op placements promising easy work or quick decisions. Messages typically include offers that move unusually fast, requests to continue the conversation over text or messaging apps, and early requests for personal information.
2. Housing scams
Housing scams are another common issue, especially during busy periods like the beginning of a term or before co-op placements. These often feature copied listings, urgent demands, or deposit requests before viewings. Scams spike during busy times in the academic year, like the start of the school year or a co-op term.
3. Gift card scams
One of the most common financial scams we see is the gift card scam. These messages often claim to come from someone in authority, a manager, supervisor, professor, or department and ask you to buy gift cards quickly. The request is usually framed as a favour, a reward or something time‑sensitive.
This can be confusing as there are real situations when staff ask students or co‑op students to purchase gift cards, for example, as rewards for study participants or events.
If you’re working or on co‑op, agree in advance with your manager or supervisor:
-
which email addresses they will contact you from
-
whether they would ever text you about work tasks
-
how purchases or reimbursements are normally handled
4. International student-specific scams
International students can also be specifically targeted through messages that appear to come from official organizations. These scams often create fear by mentioning immigration, compliance concerns, or consequences that require “immediate action.”
"Learning about the different types of scams made me realize how easy it is to click something without thinking, especially when you're already overwhelmed with your workload.”
Don't take the bait! Use the PAUSE framework
When messages use urgency or authority to push quick decisions, use PAUSE to stay in control. It's a simple way to interrupt that pressure and keep control of the situation.
P — Pause
Take one breath to interrupt the reflex to react. This helps break the automatic urge to click, reply, or comply.
A — Awareness
Notice how the message makes you feel.Stress or urgency is a clue, it’s information, not a command. Messages may appear to come from authority figures, making you feel like you need to respond immediately.
U — Unpack the message
Look at the message calmly and objectively. Check for clues:
- The sender: does the name and email match?
- The “from” address: any misspellings or non-UW domains?
- The tone: is it urgent or pressuring?
- The request: are you being asked to click, share info, or bypass normal steps?
- The context: does this match how UW normally communicates?
You don’t need to catch everything, just check if it feels reasonable without pressure.
S — Select the next step
Selecting the next step means you choose the response on your terms. That might mean waiting, checking with someone you trust, verifying through a known channel or deciding the message isn’t legitimate. The key is that the message does not get to set the pace or the path.
E — Email it (as an attachment) to SOC
If you suspect a message is phishing, email it Security Operations Centre (SOC). If you already clicked or responded, report it anyway, no shame. The more reports we receive, the faster we can protect others.
UWaterloo account access and lockouts
When there is a security concern with a UWaterloo account, IST may temporarily restrict access to protect you and the University. Students are not contacted in advance when an account is locked due to suspicious activity. For security reasons, we do not send messages explaining why an account has been locked. Instead, students become aware of the lockout when they attempt to log in, at which point they are prompted to contact the IST Help Desk for assistance. A temporary lockout is a protective measure, not a punishment. It does not mean your data has been deleted or lost. Your email, files, and academic work are not erased because an account is temporarily restricted. Phishing messages that claim your account will be deleted unless you act immediately, or that ask you to “confirm” actions by replying or sharing codes, are designed to create fear not to help you secure your account.
Overcome Phishing scams and access support resources
University life already comes with enough deadlines, applications, emails and notifications competing for your attention. Scammers count on pressure to catch people off guard. The next time something feels urgent, pause before reacting.
Get on-campus scam support:
Stay curious, stay cautious, and remember: not every message deserves an immediate response.