McGill's phishing expedition

Last week, IT Services phished all faculty and staff members of the McGill community. Yesterday, March 11, they did it again. Some people are asking why this is necessary.

By Maria Gosselin

Last week, IT Services phished all faculty and staff members of the McGill community. Yesterday, March 11, they did it again.

Educating users on the consequences of phishing is a challenge, especially since cybercriminals develop more sophisticated-looking emails and schemes every day. We’re all incredibly busy and bombarded with emails; even the most tech-savvy among us have fallen into their trap.

That’s why McGill’s IT Services has chosen to try an active learning approach by sending out its own mock phishing emails. Since phishing emails come in all flavours, IT Services has planned different varieties, most based on real phishing emails that have been sent to the McGill community in the past year.

The costs associated with phishing rise each year, as the effects reach far beyond restoring locked accounts, resetting passwords, blocking spam and so forth.

The phishing email sent yesterday is almost identical to one sent in 2014.

“The more people are able to spot a phishing email, the less the University has to deal with the wide-ranging consequences of being phished,” said Chief Information Officer Ghilaine Roquet. “IT Services devotes significant time, energy and resources to dealing with the effects of phishing. At least 1,000 McGill accounts are compromised a year.”

Last week, one in six recipients clicked on the link in the phishing email. Because a successful phishing attack can result in unauthorized access to McGill data, confidential research, and personal information, IT Services would like to reduce that number.

When IT Services gets reports of phishing attacks targeted at McGill, it can block suspicious URLs from being accessed on campus. Unfortunately, it doesn’t always get a report in time to prevent someone from clicking on a link and compromising personal information or work credentials. IT Services also can’t block links that are accessed off-campus.
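The two figures the article turns on, the one-in-six click rate and whether a report arrives early enough for a campus-side URL block to matter, are easy to compute from a campaign's own event log. The script below is an added example and is not code from McGill IT Services or the Reporter; the log format (timestamp, recipient, action, location), the field names and the sample events are all constructed for illustration. It counts distinct recipients who clicked or reported, and then splits the clicks by whether they came after the first report and from the campus network, since only those could have been stopped by the block the article describes.

```python
"""Mock-phishing campaign metrics from a constructed event log.

Added example; not McGill IT Services code. The log format and the sample
events are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    recipient: str
    action: str    # "sent", "clicked" or "reported"
    location: str  # "campus" or "offsite" for clicks, "-" otherwise


# Constructed sample log: 18 recipients, 3 click (one in six), 2 report.
# Assumed line format: ISO-8601 timestamp,recipient,action,location
RECIPIENTS = [f"u{i:02d}" for i in range(1, 19)]
SAMPLE_LOG = "\n".join(f"2015-03-11T09:00:00,{r},sent,-" for r in RECIPIENTS) + """
2015-03-11T09:04:00,u03,clicked,campus
2015-03-11T09:09:00,u01,reported,-
2015-03-11T09:12:00,u07,clicked,campus
2015-03-11T09:20:00,u05,reported,-
2015-03-11T09:35:00,u11,clicked,offsite
"""

VALID_ACTIONS = {"sent", "clicked", "reported"}


def parse_log(text: str) -> List[Event]:
    """Parse the assumed CSV-style log into time-ordered events."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, recipient, action, location = line.split(",")
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {action!r} in line {line!r}")
        events.append(Event(datetime.fromisoformat(ts), recipient, action, location))
    return sorted(events, key=lambda e: e.ts)


def campaign_metrics(events: List[Event]) -> Dict[str, object]:
    """Click/report rates plus how many clicks a campus-side block could have stopped."""
    sent = {e.recipient for e in events if e.action == "sent"}
    clicks = [e for e in events if e.action == "clicked" and e.recipient in sent]
    reports = [e for e in events if e.action == "reported" and e.recipient in sent]
    clicked = {e.recipient for e in clicks}
    reported = {e.recipient for e in reports}

    first_send = min((e.ts for e in events if e.action == "sent"), default=None)
    first_report = min((e.ts for e in reports), default=None)

    # A URL block applied when the first report comes in can only stop clicks
    # that happen afterwards AND from the campus network; off-campus clicks are
    # out of reach, and clicks before the first report have already happened.
    before_report = blockable = offsite_late = 0
    for e in clicks:
        if first_report is None or e.ts <= first_report:
            before_report += 1
        elif e.location == "campus":
            blockable += 1
        else:
            offsite_late += 1

    delay = None
    if first_send is not None and first_report is not None:
        delay = (first_report - first_send).total_seconds()

    return {
        "recipients": len(sent),
        "clicked": len(clicked),
        "reported": len(reported),
        "click_rate": len(clicked) / len(sent) if sent else 0.0,
        "report_rate": len(reported) / len(sent) if sent else 0.0,
        "first_report_delay_s": delay,
        "clicks_before_first_report": before_report,
        "clicks_blockable_on_campus": blockable,
        "clicks_offsite_after_report": offsite_late,
    }


def run_sample() -> Dict[str, object]:
    """Metrics for the constructed sample log above."""
    return campaign_metrics(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed data the block requested at the first report (nine minutes after the send) would have stopped one of the two later clicks; the other came from off campus and is untouched by a campus-side block, which is the limitation the article points out.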

“The good news is that yesterday many people recognized that the email was suspicious, and reported it to the IT Service Desk,” Roquet said. “IT Services got mixed reviews on the initiative; many loved it, some weren’t sure what exactly happened, and a few hated it.

“In the end, however, it proved a valuable learning lesson for IT Services as well, and some course corrections are planned before continuing with this ongoing initiative to educate the McGill community about how to spot phishing attacks and how important it is to avoid them.”


11 Comments
Tom Fullerton
9 years ago

Trying to catch users who click on links in phishing emails by tricking them is highly unethical. I’m appalled that a research university would use this strategy to “educate” members of the community.
It further surprises me that the Reporter describes this as an “active learning approach.”
I agree that more education and awareness is needed. I would hope that IT Services reaches out to the Education Faculty to collaboratively design a more ethical, proactive campaign.

Kathryn Gill
9 years ago

A big thank you to IT services for trying to educate users about phishing, and for working on protecting the McGill system. Simulations are a great way to sensitize us to the sophisticated approach that many hackers are taking. I don’t mind the exercise, and feel quite grateful that someone is being proactive in dealing with this problem.
I guess the lesson should be to always check with IT before clicking on any unusual, or unexpected email links.

Steven Cape
9 years ago

I respectfully do not agree with Tom Fullerton’s response. What is “unethical” about the IT Services phishing emails? There were no ill effects, no risks, no dangers, no damage, etc, and the intentions were only good. I am not sure why he is “appalled”. Perhaps the words “Unethical” and “appalled” are too intense. I can understand how one might have been INITIALLY surprised and possibly felt a bit boundary-crossed or tricked — but then on reflection, realise that the benefit that came from the overall learning experience would ease those negative feelings. I feel this was a creative way to… Read more »

Tom Fullerton
9 years ago

(Unfortunately, this blog format does not allow me to respond to Steven directly, so I’ll create a new comment.) What is unethical, Steven, is the mis-use of the email directory to trick and embarrass users by employing the same tactics that spammers use. If the intent is to educate, then teach. This is not “active learning” and I hope not a strategy you would employ in your teaching. Trick learners into making a mistake and then say “Aha! Gotcha!”? Surely we have come further along than this in our educational practice. This fake phishing preys on users’ lack of understanding.… Read more »

Elena
9 years ago

Tom, do you also consider fire drills embarrassing and unethical?

Tony S
9 years ago

I’m still not so sure why you consider this whole exercise “unethical,” Tom. Was there some conflict of interest that I missed? Some sort of ill-gotten financial gain that resulted because of it? Sometimes the very quickest and most lasting lessons in life are learned through first-hand experience. IT has been sending us all sorts of information regarding phishing and cyber-safety for months now, trying to educate people through McGill’s various communication vehicles — and still 1 in six people got “stung” in the phishing exercise. I’m betting most of those people who did get caught will be significantly more… Read more »

Tony S
9 years ago

One other point, Tom. You wrote “What is unethical, Steven, is the mis-use of the email directory to trick and embarrass users by employing the same tactics that spammers use.”
But I think the whole point of the exercise was exactly that — to employ the same tactics that spammers use. That way, those 1 in six people found out exactly how easy it is to get duped. If the enemy is spammers and cyber criminals shouldn’t we employ the old adage “know thy enemy” to protect ourselves?

Tom Fullerton
9 years ago

Morning Tony,
I take it from the fact that you are not using your full name that you are uncomfortable having a public discussion. Or perhaps you were involved in the email and have taken personal issue with my comments. Either way, if you’d like to discuss it further, brainstorm solutions to what I agree is a problem, or just chat, you can find me in the McGill directory. I’d be happy to buy you a coffee.
Tom

Tom Fullerton
9 years ago

Good morning Elena, I don’t think your comment is productive to this discussion. Fire drills are not a form of trickery, nor do they mis-use privileged access to information or dupe users into thinking that there is a real emergency. If I may, I’ll elaborate. A friend of mine just went through what they are now calling “First Person Shooter” training at McGill. I’m glad that they are preparing staff and I dearly hope that they will never have to rely on their training. Like a fire drill, this is an exercise in emergency preparedness. Even though not everyone takes… Read more »

Tom Fullerton
9 years ago

This post on the IT website could have been sent out as an email notification to all users in advance:
It’s time for a phishing expedition
Unfortunately, in the first minute of the course’s video, users are tricked into clicking on a link….
With some revision to this course and information posted on the IT website (Phishing scams and how to protect yourself), I wonder if we could design a required mini-course before users can access their McGill email for the first time?
I’m glad McGill IT staff are raising awareness of this issue.

Tony S
9 years ago

Hey Tom,
No, I have absolutely no problem with public discussion. I just don’t see the need to have my full name out there.
Still, if you’d like to address some of the points I’ve made, I’d love to engage in one such discussion.
Unfortunately, I’m not a coffee drinker, but thanks for the kind offer!