Faculty and staff at the University of Calgary (U of C) are about to put their online vigilance to the test. The university is planning to send out a series of fake phishing emails to educate employees about the convincing appearance and dangers of online scams.
Linda Dalgetty, the university’s vice-president of finance and services, said the school has been openly discussing phishing since 2010 and wanted to add a practical component.
“Phishing is becoming so prevalent and so regular at the university that we just felt this was a logical next step,” Dalgetty said.
Last year, the U of C was victimized by a ransomware attack that resulted in the university paying $20,000 to a hacker to regain access to computer files. According to Dalgetty, the new phishing education program aims to protect the university and its employees’ security, but has “nothing to do” with the cyber attack last year.
Dalgetty suggested the emails might ask recipients to reset a password or validate a purchase.
“It’s going to be something that would be a normal thing to receive . . . because really, that’s what a phish capitalizes on,” she said.
Sonia Chiasson, the Canada Research Chair in human-oriented computer security and a computer science professor at Carleton University, said phishing
“They make something seem urgent so that people are less likely to stop and scrutinize it–they convince people that there’s someone who needs their help, they give them ‘good news’ such as having won a prize,” Chiasson said in an email. “Other times, they make it seem completely mundane so that people won’t even recognize that it’s a situation that requires extra vigilance.”
She said the U of C’s method is a reasonable way to raise awareness about cyber security, but phishing detection and prevention software must intervene because education will not solve the issue.
“The problem with phishing is, of course, that attackers are actively trying to deceive you and they are sometimes very good at it. There’s no way to ‘train’ users to never fall for phishing attacks,” Chiasson said. “They’re never going to be 100 per cent successful no matter how much you educate them.”
According to Dalgetty, the U of C’s program will go beyond simply sending out fake emails.
Users who fall for the first mock scam email will be directed to a pop-up explaining they have been “fake phished,” and providing tips on how to stay safe online. If staff fail to detect the scam a second time, they will receive a call from an employee at the university’s IT department for a discussion, and the third time, a supervisor would meet with the user for a face-to-face lesson, according to Dalgetty.
“This is all educational. It’s not meant to be punitive but what we’re trying to do is find the best way to get people educated so that they don’t click again,” she said.
Chiasson said checking for security indicators, such as a lock icon and “https” in a web address, and manually entering URLs in a browser instead of clicking on hyperlinks in an email, are simple steps that can go a long way in detecting phishing.
Dalgetty said the university is working with a third-party vendor to come up with the dummy emails that will be sent out beginning in April. If the program is successful, she said the U of C would consider spending the extra money to make the fake emails a regular occurrence and to expand the program to encompass students.
“[Phishing] is not going to go away. It is an increasing trend and we just want our users and anyone to be aware and really be taking those precautions to keep themselves and their networks safe,” Dalgetty said.
Victims who suspect they might have been phished should change their passwords, contact their banks and report it to the Canadian Anti-Fraud Centre, Chiasson said.
– Photo illustration by Angela Tilley