Since the summer, students have reported receiving phishing messages in their McGill email accounts. ‘Phishing’ is the fraudulent practice of impersonating a credible source in emails that ask the reader to hand over personal details. The emails had subject lines such as “Verify Your Email!” or “Important Alert from McGill University Admin” and contained fraudulent links requesting personal account information.
Phishing attempts have recently received national media attention with organizations like Wells Fargo, Yahoo!, and the Democratic National Committee reporting breaches. Such attacks occur more frequently during times of the year when people need to submit personal information. For the general public, this is often during holidays such as Cyber Monday, Boxing Day, and Christmas, when massive increases in online shopping take place. In McGill’s case, the start of the semester and course registration typically mark a significant increase in fraudulent emails. In a statement to The McGill Tribune, the McGill IT Department explained how these phishing attempts endanger students.
“Once a criminal gets access to your data, they will likely sell personal information to third parties, and look for additional information that they may use to gain access into more lucrative sources, like your online bank account,” the statement read.
On Sept. 11, the History Students’ Association (HSA) released a statement to its student body confirming that it had fallen victim to a phishing scheme. The HSA attempted to prevent further damage by sending a follow-up email to its members, warning them not to click on the fraudulent links.
“The History Students’ Association list-serv was used as a vector [for] a phishing scam, claiming to be from the Better Business Bureau,” the HSA statement read. “Phishing scams generally work by using a trustworthy or well-known organization’s name […] and then a secondary email address […] to lure users into clicking on a link that will then attempt to take their private information.”
The McGill IT Department has screening procedures to prevent scams from reaching the student body. In an email to the Tribune, Rowena Espinosa, director of IT Communications, explained why these phishing scams were able to penetrate their cybersecurity defences.
“Filtering such attacks becomes more difficult when the phishing attempt involves spoofing the sender address in an email to appear as a reputable McGill University source and request sensitive information,” Espinosa wrote. “This is why it is so important that each of us recognize our individual responsibility to educate and protect ourselves and our information by remaining vigilant in our use of these technologies.”
The IT Department will continue to offer resources on how to avoid these scams, including informational videos, antivirus software for staff and students, and steps for reporting security incidents. There is also a list of known phishing emails published on the McGill website. Beyond these resources, Espinosa urges students to educate themselves on cybersecurity programs, to practice common sense for keeping their accounts safe, and to keep an eye out for signs of fraudulent emails.
“We can […] mitigate risks significantly by using a variety of best practices such as strong passwords unique for each [service], frequently changing [passwords], not sharing [passwords], and not recycling previously used ones,” Espinosa wrote. “We must be careful where we browse and what emails, texts and advertisements we respond to. We should also be more conscientious of the types and amount of personal data we make available through social networking platforms.”