Phishing season: The rise of pandemic scam emails

741
A person surrounded by a bunch of letters looking overwhelmed.

You open your inbox and find an email about a job offer. As a student looking for work during the pandemic, you open the message and find the perfect listing. It has a high pay, flexible hours and is remote. All you have to do is click on a link to apply. 

After excitingly following the instructions in the email, the illusion is shattered. You’ve been targeted by a phishing scam.

This is an example of one of the many job scam emails sent to Carleton University students during the COVID-19 pandemic. On Sept. 7, Carleton released a statement warning students about these phishing emails.

Nikki Aghavali, a fourth-year psychology student, has received similar spam emails this year. 

“Since quarantine, I have probably gotten several phishing emails, which is more than I got before the pandemic,” she said. “They were all advertising … just very sketchy stuff.”

Aghavali said she thinks Carleton should do more to make information about scams more accessible. 

“I think that Carleton can do a much better job in informing students how many phishing emails there are, especially for first-years. They might not have heard of these phishing scams and might be more likely to fall for them,” Aghavali said. 

Carleton emails sometimes include banner warnings advising of active phishing scams. 

In June 2021, Information Technology Services (ITS) at Carleton launched a report phishing button, allowing students to report phishing attempts. ITS also maintains a webpage with information about scams and launched a new security awareness course earlier this month. 

The [modules] aim to help students be more cyber secure while studying or working,” Steven Reid, Carleton’s ​​media officer, wrote in an email to the Charlatan. “Going forward, ITS plans to participate in Cyber Security Awareness month in October 2021, during which we’ll spread awareness by encouraging students, faculty and staff to sign up for our launched eLearning course on security awareness.” 

The course covers phishing, ransomware, Wi-Fi security, social engineering, risky USB devices and more. 

Despite efforts to label scam emails and educate online users this Cyber Security Awareness month, members of the Carleton community say more should be done to protect their security.

A person looking at a scam email trying to figure out whether or not it is real.
While some scholars found the scams were realistic to users, others say a certain level of unbelievability is woven into the phishing emails’ design. [Graphic by Sara Mizannojehdehi]

The bigger picture 

Jason Jaskolka, a systems and computer engineering professor at Carleton, explained phishing emails are part of a larger cybersecurity issue. Jaskolka is also the director of the Cyber Security Evaluation and Assurance (CyberSea) research lab, a research lab powered through Carleton. 

“Cybersecurity refers to the protection of computer systems, services, communications and information to ensure its availability, integrity, authentication, confidentiality and accountability,” Jaskolka wrote in an email statement to the Charlatan. “It reflects a system’s ability to protect itself from accidental or deliberate attacks.” 

Since the pandemic started, many things have changed and cybersecurity is no exception. 

“The pandemic has exposed that knowledge and training about good cyber hygiene are still lagging behind,” Jaskolka wrote. 

Cyber hygiene refers to steps users take to improve their online security, according to Jaskolka.

“With the move to ‘work-from-home,’ the adoption and reliance on cloud services and technologies has transformed how many organizations operate,” he added. ”This has impacts on the way in which systems are accessed from home, often using home PCs or devices that may not have the same levels of protection as on-premise devices.”

Human-computer interaction (HCI) researcher and practitioner, Sana Maqsood, is an expert in human-centric cybersecurity. 

“It is all about protecting the user and designing security systems that are easy for the user to use,” Maqsood said. 

Maqsood agreed phishing emails became more prominent during the pandemic, especially at Carleton. 

“There was an uptick in phishing emails during the pandemic,” she said. “[Phishing emails are] extremely stressful for students because the COVID-19 pandemic was really hard on students financially.”

Graphic of a bottle that reads "Cyber Hygiene" being put into someone's hand to "ward off" scam emails.
Cyber hygiene refers to steps users take to improve their online security. [Graphic by Sara Mizannojehdehi]

Why phishing emails occur

Phishing emails often include links. Maqsood explains people have a tendency to click, which is why phishing emails are so successful—they leverage human instinct.  

“As humans, when we are overloaded with information or we are really busy, we are more likely to click on a phishing email because we are not paying attention,” Maqsood said. “The attackers know this. Oftentimes, they will send phishing emails at opportune times where the user is more likely to click on them because of what is happening around them.”

Many of these phishing emails resemble real emails so closely that the user has a hard time differentiating between what is real and what is fake. One study from the School of Computer Science at Carleton discussed this topic. 

The study, published in 2015, aimed to find out whether increased awareness helps users differentiate between real emails and phishing scams. The research team took popular websites and made them into fake websites. Then, they brought in 21 Carleton students and had them differentiate between which websites were real and fake, which proved to be quite difficult.

According to the study, users detected about 53 per cent of phishing websites and spent little time looking at security indicators.

“You would think [participants] would be on a higher alert level,” Maqsood said. “Even at that level, they were not able to differentiate.”

Graphic of a lock with weird monster figure inside. Someone is reaching towards the lock.
According to one expert, systems should do a better job at filtering out scam emails. [Graphic by Sara Mizannojehdehi]

Efficient security systems 

According to Maqsood, these attacks are able to happen because emailing systems allow phishing emails through to people’s inboxes.

“The systems should be doing a better job at filtering these emails so the burden is not on the user to not click on the link,” Maqsood said. “Instead of putting the burden on the users to do ‘the right thing,’ there should be more burden placed on the systems themselves.”

But this detection is not all that simple. 

“In cybersecurity, we are always playing the catch-up game, where the attackers are always two-steps ahead of the people who are defending the systems,” Maqsood said. 

“It is their full-time job to create these attacks,” she added. “We’re always going to be a little behind because they’re always coming up with new attacks, and we often know about the attack once it takes place.” 

Jaskolka added that learning from such attacks enables researchers to predict future attacks.

“Attackers will continue to target vulnerable populations (such as students, the elderly, etc.) with scams and frauds through phishing emails because they have success in doing so,” he said. “Until this becomes too difficult for attackers … it will continue.” 

With people continuing to work from home even after the pandemic, there is an evergrowing need to reinforce online security, Jaskolka said. 

According to Maqsood, users should receive better training. Instead of simply telling users not to click on links, users should learn how to double-check and properly identify phishing scams. 

“A lot of these phishing emails that you get, if you put in their title in Google, it’s going to tell you oftentimes that ‘Hey, this is a spam email that’s been going around,’” Maqsood said. 

Graphic of a person with "You've been scammed" behind them along with a monster figure.
Many students have been receiving several scam emails to their Carleton email accounts. [Graphic by Sara Mizannojehdehi]

Social stigma 

There is also a level of embarrassment around scam emails that might stop people from seeking help, Maqsood said.  

“People who click on phishing links might have their information compromised but do not seek out help because there is a sense of embarrassment there,” she said.

Sophia Kamal, a fourth-year cognitive science student at Carleton, said students who fall for scam emails may feel embarrassed because the scams seem obvious. She said this is because the job email scams, for instance, have unrealistic offers such as 11 hours of work a week for $36 an hour.  

Many students are turning to online platforms such as Reddit to verify whether something is a phishing email or not. Some have expressed their frustration that these scams are not being filtered better.   

Though Kamal has only received one scam email, she said her boyfriend has received seven in the past three weeks. Kamal’s scam email did not have a banner warning from Carleton. 

While some scholars found the scams were realistic to users, others say a certain level of unbelievability is woven into the phishing emails’ design.

Anil Somayaji, a computer science professor at Carleton, said the reason social stigma exists is because most scam emails are designed so most people dismiss them. 

“[Scammers] don’t want someone who’s skeptical to contact them because it wastes their time. They want the gullible to contact them,” Somayaji said. 

According to Somayaji, scammers may target university students with job offers because they are aware students are in need of employment. However, the scammers still put in tells so most people do not fall for the scam email, which is where the social stigma comes in. Tells may include strange use of capital letters, bolding and italicizing, as well as sending the scam emails from weird unidentifiable email addresses. 

To best protect themselves, people should update their computers, keep different passwords for each account, avoid clicking on links especially in emails and pay attention to what permissions applications are asking for, Somayaji said. 

“It’s like walking down the street and maintaining situational awareness. You should have some amount of online situational awareness,” Somayaji said. “When information is coming at you from arbitrary places, you have to be a bit skeptical.”


Featured graphic by Sara Mizannojehdehi.