We regularly see fraudulent emails from parties claiming to represent the University requesting that you reply with your user name and password, or that you verify these at a fraudulent website (sometimes this will look like a link to a legitimate website, but the link points to something else). We will never request that you send us your password by email.
Often these emails can be spotted because they use phrasing that seems out of place (TORONTO University instead of University of Toronto), poor grammar, and a number of typos. This is not always the case. As a general rule: Never provide usernames (UTORid), passwords or any other personal information by email. This is not specific to UofT; banks and other institutions will never request that you send them an email containing your password. If you have concerns about the validity of a request you can forward the email to email@example.com or call us at 416-978-HELP (416-978-4357).
Never use your UTORid and Password on a site that you are not 100% sure is a legitimate U of T website. The best way of making sure you are at a U of T site is to start at www.utoronto.ca and search for the desired content there - for instance if you search for "UTORmail quota" from U of T the first result will be one of the Information Commons Help Desk Knowledge Base (this website) - from there you will find instructions to get to the page you need. Personal Information like username and passwords should only be entered on on known websites and these websites should be secure. Secure websites are preceeded by the prefix HTTPS insteat of just HTTP. When you are on a secure website you should see a little padlock icon either in the address bar, just above it, or on the lower right corner of your browser window where it looks like this:
U of T's websites are also verified as secure by third-party EV (extended verification) providers. Web browsers will disply display text in green or in a green background. Different browsers will look slightly different.
For more information about Phishing Wikipedia has a fairly up to date look - http://en.wikipedia.org/wiki/Phishing