With school starting and registration emails at their peak, it is the most convenient time for phishers to scam unsuspecting members of the McGill community. Emails were sent from familiar sources with text reading “Cannot show this message” and a green box directing the user to an error page and subsequent account errors, have been sending students and staff alike into cyber turmoil this past month.
Phishing is an attempt to obtain sensitive information by posing as a trustworthy or legitimate entity in electronic communication, such as an email. A common tactic usually requests the victim to click on a link that leads to a fraudulent website that encourages the victim to submit their personal information. In cases specific to McGill, phishers usually try to acquire the student’s login information to gain access to their McGill email. From there, they can use the compromised email to send out additional fraudulent emails or reset passwords on a number of other accounts.
Benjamin Fung, Canada research chair in data mining for cybersecurity and associate professor in McGill’s School of Information Studies, says that it is no coincidence that a spike in phishing scams coincides with first-years starting class.
“Phishing campaigns targeting universities and colleges are more common in September because the phishers know that there are many new students who are not yet familiar with the university systems,” Fung said. “Some students are less alert to phishing as it seems to make sense that the system administrator may ask a student to change a password or reset something at the beginning of a school year.”
According to Fung, phishers may not have a specific target-demographic in mind when harvesting email addresses.
“After collecting enough email addresses, say one million, the phishers would then group them by domain addresses,” Fung said. “Therefore, they will pick large organizations [such as McGill] because there is a higher chance to find victims. After identifying a target organization, they will spend resources to customize a phishing email for the phishing campaign.”
U1 student Amrita Sandhu was the victim of the recent phishing scam, whose case exemplifies the issue. She appeared to have gotten an email from the intramural volleyball team with a link to access their game schedule. As the email seemed legitimate, she clicked on the link, which led her to a blank page. She eventually couldn’t log onto the McGill network, and her McGill email was compromised.
Fung advises students to avoid ever clicking on links in emails. He says that students should instead bookmark the websites that they often use and only access those websites via the bookmarks. Hovering the cursor on the link or tapping and holding on a tablet will often show the “actual” link, which can help in identifying frauds.
“Note that phishers may create a fake webpage that looks real,” Fung said. “[For example] mcgi11 or mcgiII where the last two characters are [the number one or an] uppercase ‘i’ instead of ‘L’.”
Staff are not exempt from receiving the phishing emails either.
“My dad’s credit card was [de]frauded a couple of thousand [dollars],” a respondent to The McGill Tribune’s survey wrote. “My father works [at] McGill and opened the email. His [credit card] company caught it.”
Some students caught onto the scam quickly and managed to avoid the consequences. Of the 66 respondents to the Tribune’s survey, 90 per cent saw the fraudulent email but only 30 per cent clicked on the attached link.
“A file titled “flash player” automatically downloaded but I did not install it [….] I [later] found out on Facebook about the scam and changed my password,” a respondent to the survey said. “I checked my sent folder and saw nothing weird had been sent out and [I suffered] no further consequences.”
For advice on phishing scams, students should register for McGill’s free IT phishing course and inform themselves by reading up on past cases in order to respond accordingly.
