McGill's phishing expedition

Educating computer users on the consequences of phishing is a challenge, especially since cybercriminals develop more sophisticated-looking emails and schemes every day. We’re all incredibly busy and bombarded with emails; even the most tech-savvy among us have fallen into their trap.Last week, IT Services phished all faculty and staff members of the McGill community. Yesterday, March 11, they did it again. Some people ask why is this necessary?

Phishing_iStockBy Maria Gosselin

Last week, IT Services phished all faculty and staff members of McGill community. Yesterday, March 11, they did it again.

Educating users on the consequences of phishing is a challenge, especially since cybercriminals develop more sophisticated-looking emails and schemes every day. We’re all incredibly busy and bombarded with emails; even the most tech-savvy among us have fallen into their trap.

That’s why McGill’s IT Services has chosen to try an active learning approach by sending out its own mock phishing emails. Since phishing emails come in all flavours, IT Services has planned different varieties, most based on real phishing emails that have been sent to the McGill community in the past year.

The costs associated with phishing rise each year, as their effects reach far beyond restoring locked accounts, having to reset passwords, block spam and so forth.

The phishing email sent yesterday is almost identical to one sent in 2014.

“The more people are able to spot a phishing email, the less the University has to deal with the wide-ranging consequences of being phished,” said Chief Information Officer Ghilaine Roquet. “IT Services devotes significant time, energy and resources to dealing with the effects of phishing. At least 1,000 McGill accounts are compromised a year.”

Last week, one in six recipients clicked on the link in the phishing email. Because a successful phishing attack can result in unauthorized access to McGill data, confidential research, and personal information, IT would like to reduce that number.

When IT Services gets reports of phishing attacks targeted at McGill, it can block suspicious URLs from being accessed on campus. Unfortunately, it doesn’t always get a report in time to prevent someone from clicking on a link and compromising personal information or work credentials. IT Services also can’t block links that are accessed off-campus.

“The good news is that yesterday many people recognized that the email was suspicious, and reported it to the IT Service Desk,” Roquet said. “IT Services got mixed reviews on the initiative; many loved it, some weren’t sure what exactly happened, and a few hated it.

“In the end, however, it proved a valuable learning lesson for IT Services as well, and some course corrections are planned before continuing with this ongoing initiative to educate the McGill community about how to spot phishing attacks and how important it is to avoid them.”


Comments on “McGill's phishing expedition”

  • Avatar
    Tom Fullerton

    Trying to catch users who click on links in phishing emails by tricking them is highly unethical. I’m appalled that a research university would use this strategy to “educate” members of the community.
    It further surprises me that the Reporter describes this as an “active learning approach.”
    I agree that more education and awareness is needed. I would hope that IT Services reaches out to the Education Faculty to collaboratively design a more ethical, proactive campaign.

  • Avatar
    Kathryn Gill

    A big thank you to IT services for trying to educate users about phishing, and for working on protecting the McGill system. Simulations are a great way to sensitize us to the sophisticated approach that many hackers are taking. I don’t mind the exercise, and feel quite grateful that someone is being proactive in dealing with this problem.
    I guess the lession should be to always check with IT before clicking on any unusual, or unexpected email links.

  • Avatar
    Steven Cape

    I respectfully do not agree with Tom Fullerton’s response. What is “unethical” about the IT Services phishing emails? There were no ill effects, no risks, no dangers, no damage, etc, and the intentions were only good. I am not sure why he is “appalled”. Perhaps the words “Unethical” and “appalled” are too intense. I can understand how one might have been INITIALLY surprised and possibly felt a bit boundary-crossed or tricked — but then on reflection, realise that the benefit that came from the overall learning experience would ease those negative feelings. I feel this was a creative way to teach a valuable lesson. I appreciate that the IT people are trying to help us avoid potentially big problems related to nefarious phishing. Thanks.

  • Avatar
    Tom Fullerton

    (Unfortunately, this blog format does not allow me to respond to Steven directly, so I’ll create a new comment.)
    What is unethical, Steven, is the mis-use of the email directory to trick and embarrass users by employing the same tactics that spammers use.
    If the intent is to educate, then teach. This is not “active learning” and I hope not a strategy you would employ in your teaching. Trick learners into make a mistake and then say “Aha! gotcha!?” Surely we have come further along than this in our educational practice. This fake phishing preys on user’s lack of understanding. That, to me, makes it unethical.
    If the intent was also to gather user data, then I would be very surprised if the REB would approve this tactic.
    I think we can come up with creative solutions to educate the McGill community about phishing, data storage and protection, backups, passwords, encrypting drives, and so on. My hope is that it will be transparent, honest, and designed with a respectful pedagogical approach that values the learner.

  • Avatar

    Tom, do you also consider fire drills embarrassing and unethical?

  • Avatar

    I’m still not so sure why you consider this whole exercise “unethical,” Tom. Was there some conflict of interest that I missed? Some sort of ill-gotten financial gain that resulted because of it?
    Sometimes the very quickest and most lasting lessons in life are learned through first-hand experience. IT has been sending us all sorts of information regarding phishing and cyber-safety for months now, trying to educate people through McGill’s various communication vehicles — and still 1 in six people got “stung” in the phishing exercise. I’m betting most of those people who did get caught will be significantly more careful now because, rather than just reading yet another message about online security, they lived it. But the beauty is, instead of paying a heavy price for getting caught phishing (like having their identity stolen or giving criminals access to their bank accounts, etc.) they were educated probably came out of the whole thing a lot wiser about such things than they were before. Where is the bad in all this?
    As someone who has been phished before, I know too well the incredible time and energy one spends trying to get the genie back in the bottle. I wish I had gone through something like this beforehand.
    I know Security Services used to (maybe still does) an exercise at the beginning of each semester in which they patrol study areas. When they find an unattended laptop, they leave some sort of note that basically says “Your laptop has just been stolen,” even though they don’t actually take it. Is that unethical or embarrassing? I don’t think it is. It is a quick, effective way to hammer home a point that would have, in many cases, been lost in yet another email warning people about thieves skulking around the university.
    People who were upset at getting “caught” should ask themselves if they would rather have been phished for real and learned this important lesson the hardest way of all.

  • Avatar

    One other point, Tom. You wrote “What is unethical, Steven, is the mis-use of the email directory to trick and embarrass users by employing the same tactics that spammers use.”
    But I think the whole point of the exercise was exactly that — to employ the same tactics that spammers use. That way, those 1 in six people found out exactly how easy it is to get duped. If the enemy is spammers and cyber criminals shouldn’t we employ the old adage “know thy enemy” to protect ourselves?

  • Avatar
    Tom Fullerton

    Morning Tony,
    I take it from the fact that you are not using your full name that you are uncomfortable having a public discussion. Or perhaps you were involved in the email and have taken personal issue with my comments. Either way, if you’d like to discuss it further, brainstorm solutions to what I agree is a problem, or just chat, you can find me in the McGill directory. Be happy to buy you a coffee,

  • Avatar
    Tom Fullerton

    Good morning Elena,
    I don’t think your comment is productive to this discussion. Fire drills are not a form a trickery, nor do they mis-use privileged access to information or dupe users into thinking that there is a real emergency.
    If I may, I’ll elaborate.
    A friend of mine just went through what they are now calling “First Person Shooter” training at McGill. I’m glad that they are preparing staff and I dearly hope that they will never have to rely on their training. Like a fire drill, this is an exercise in emergency preparedness. Even though not everyone takes the simulations seriously, they are advised that there will be simulations, they are provided proper training and they are not tricked into thinking that the fire is real. We do not fill the halls with smoke or fire blanks at people who have not followed proper procedure. That would be unethical.
    There is obviously a great difference between safety and emergency preparedness and phishing. Again, I don’t think this is a useful comparison.

  • Avatar
    Tom Fullerton

    This post on the IT website could have been sent out as an email notification to all users in advance:
    It’s time for a phishing expedition
    Unfortunately, in the first minute of the course’s video, users are tricked into clicking on a link….
    With some revision to this course and information posted on the IT website (Phishing scams and how to protect yourself), I wonder if we could design a required mini-course before users can access their McGill email for the first time?
    I’m glad McGill IT staff are raising awareness of this issue.

  • Avatar

    Hey Tom,
    No, I have absolutely no problem with public discussion. I just don’t see the need to have my full name out there.
    Still, if you’d like to address some of the points I’ve made, I’d love to engage in one such discussion.
    Unfortunately, I’m not a coffee drinker, but thanks for the kind offer!

Comments are closed.