How to Spot and Avoid Phishing Attempts

Phishing attempts are nothing new, but the tactics behind them continue to evolve.

Over the past year, we’ve seen an increase in fraudulent messages designed to look like legitimate communications from hosting providers, online services, and well-known brands. These messages often aim to create urgency, push users to click a link, and ultimately steal login credentials or sensitive information.

While specific phishing campaigns may come and go, the underlying threat remains. That’s why it’s important to understand how phishing works today and how to protect yourself.

Common signs of a phishing attempt

Phishing emails often aim to trigger urgency or fear to prompt immediate action. Some customers have reported receiving misleading domain verification notices from suspicious addresses claiming to be affiliated with us.

Examples include [email protected] or [email protected]. Even though our name appears in these email addresses, they’re fraudulent. WHC will only contact you using official addresses ending in “@whc.ca.”

To stay safe, be mindful of these warning signs:

• Suspicious links: Always hover over links (without clicking) to confirm the URL directs you to our official website. In the example above, we can see that the URL does not link to whc.ca.
• Unfamiliar sender: Emails not originating from our official domain (@whc.ca) are likely fraudulent.
• Requests for sensitive information: WHC will never ask for passwords or confidential details via email.

To confirm legitimacy, type the URL directly into your browser. Here are some examples:

✅ whc.ca – LEGIT
✅ clients.whc.ca – LEGIT
❌ clients-whc.ca – FRAUD
❌ billing-whc.ca – FRAUD

How phishing is evolving

Phishing attempts have become harder to spot, so it's important to keep your eyes peeled. Some common trends include:

• More convincing language, often written to sound professional and natural
• Brand impersonation, using copied logos, layouts, and familiar wording
• Targeted attacks, based on publicly available information
• Urgent or threatening messaging, designed to override caution

Even experienced users can be caught off guard when a message looks familiar or appears to come from a trusted source.

What you can do right now

• Enable Two-Factor Authentication (2FA): If you haven’t already, activate 2FA for enhanced protection. This security measure ensures that only you can access your account, even if your password is compromised.
• Verify website authenticity: Always confirm you are on our official website, whc.ca, before logging in. Check for the secure lock icon beside the URL and ensure the address is accurate.
• Be aware of fake SSL certificates: Although attackers may use SSL-secured sites, you can review the website’s certificate to ensure it’s valid. Click the padlock icon and verify our name is displayed under the organization field.

What to do if you've been targeted

If you suspect you've fallen victim to a phishing attempt, don’t panic. Acting quickly can help limit potential damage:

1. Change your passwords: Update passwords for your Client Area, email, WordPress logins, and any other services you use. Always opt for strong, unique passwords and use official password reset methods.
   
   When resetting your passwords, always use official password reset methods. Never click on any links received from an untrusted email.
2. Enable 2FA: As mentioned above, adding two-factor authentication to your accounts will make unauthorized access significantly harder.
3. Check for suspicious activity: Review your accounts for any unfamiliar actions or files. Phishing attacks can sometimes involve malware uploads. If you detect anything unusual, contact our support team immediately.
4. Report fraud: If you believe your site or organization has been targeted, use the Canadian Competition Bureau reporting guide to file a formal report.

Stay protected

If you receive a suspicious email, do not click on any links or provide any information. Instead, report it to our support team right away and mark it as spam. We also recommend conducting regular reviews of your accounts and updating your passwords periodically as an added precaution.

By staying informed, skeptical of unexpected messages, and proactive about account security, you can significantly reduce your risk. Phishing tactics will continue to change, but awareness remains your strongest defense.