Last week, IT Services phished all faculty and staff members of the McGill community. Yesterday, March 11, they did it again.
Educating users on the consequences of phishing is a challenge, especially since cybercriminals develop more sophisticated-looking emails and schemes every day. We’re all incredibly busy and bombarded with emails; even the most tech-savvy among us have fallen into their trap.
That’s why McGill’s IT Services has chosen to try an active learning approach by sending out its own mock phishing emails. Since phishing emails come in all flavours, IT Services has planned different varieties, most based on real phishing emails that have been sent to the McGill community in the past year.
The costs associated with phishing rise each year, as its effects reach far beyond restoring locked accounts, resetting passwords, blocking spam and so forth.
The phishing email sent yesterday is almost identical to one sent in 2014.
“The more people are able to spot a phishing email, the less the University has to deal with the wide-ranging consequences of being phished,” said Chief Information Officer Ghilaine Roquet. “IT Services devotes significant time, energy and resources to dealing with the effects of phishing. At least 1,000 McGill accounts are compromised a year.”
Last week, one in six recipients clicked on the link in the phishing email. Because a successful phishing attack can result in unauthorized access to McGill data, confidential research, and personal information, IT would like to reduce that number.
When IT Services gets reports of phishing attacks targeted at McGill, it can block suspicious URLs from being accessed on campus. Unfortunately, it doesn’t always get a report in time to prevent someone from clicking on a link and compromising personal information or work credentials. IT Services also can’t block links that are accessed off-campus.
“The good news is that yesterday many people recognized that the email was suspicious, and reported it to the IT Service Desk,” Roquet said. “IT Services got mixed reviews on the initiative; many loved it, some weren’t sure what exactly happened, and a few hated it.
“In the end, however, it proved a valuable learning lesson for IT Services as well, and some course corrections are planned before continuing with this ongoing initiative to educate the McGill community about how to spot phishing attacks and how important it is to avoid them.”