The Tribune Explains: Phishing email scams

Phishing scams are nothing new to McGill staff and students, but some have reported feeling like the number of fraudulent messages in their university inboxes is increasing. The Tribune unpacks the threats phishing poses to members of the university, McGill’s efforts to mitigate them, and what staff and students should do if they are targeted by a phishing attempt.

What is phishing?

Phishing refers to a type of fraudulent message designed to trick recipients into providing scammers with personal or financial data. These messages often take the form of fake offers, such as employment opportunities or sales discounts, designed to entice the target into clicking malicious links or offering private information.

In an email to The Tribune, the McGill Media Relations Office (MRO) highlighted that phishing scams are on the rise in Canada, and that the university is a particular target for these cybersecurity threats. 

“Generally speaking, organizations are more attractive phishing targets than individuals because organizations have more resources to exploit (e.g., financial information, research data),” the MRO wrote. “People may, therefore, experience more phishing attempts on their organizational accounts (e.g., school or work emails) than on personal accounts.”

In addition, the MRO noted that a perceived increase in phishing may also result from greater awareness of cybersecurity risks, allowing individuals to more consistently identify scam emails as phishing. 

What cybersecurity risks does phishing pose?

Cybercriminals can use information stolen in phishing scams to access financial assets and research data, and even to extort victims. The MRO explained that those conducting phishing scams may also try to access digital resources, such as academic journal subscriptions, and take advantage of an organization or individual’s trusted reputation to create other scams.

What does McGill do to mitigate phishing attempts?

According to the MRO, the university has “security measures (for example, malware and phishing detection, threat intelligence, etc.)” in place designed to “reduce the volume of phishing emails that make it through to McGill inboxes.”

McGill also has enhanced anti-phishing protection, which includes scanning incoming messages for signs that they are fraudulent. When a suspicious email is detected, this feature warns the recipient that they do not often receive messages from the sender, alerting them to a potential phishing attempt. In July 2023, McGill also introduced a “Report Phishing” button in the university’s Outlook accounts, which alerts IT Services to a suspected phishing attempt.

The MRO went on to stress the importance of cybersecurity literacy, especially as the complexity of phishing schemes increases. The university conducts free training courses on cybersecurity awareness for staff and students and offers informational resources on cybersecurity through the McGill IT Knowledge Base to help community members better identify and respond to phishing.

To increase cybersecurity awareness, the university also conducts phishing simulations for academic and administrative staff. In November 2021, eight per cent of the 12,000 recipients of a scam simulation email clicked on a malicious link, and just three per cent reported it to the IT Service Desk as McGill recommends.

What to do if you discover or interact with a phishing attempt in your university inbox

McGill recommends using the “Report Phishing” button in Outlook to notify IT Services of any phishing attempts. Reporting the message will automatically remove it from your inbox. Phishing scams on a personal email account can be reported to the Canadian Anti-Fraud Centre.

If you interact with a phishing email on a McGill-owned device or give away your McGill credentials, the university recommends calling the IT Service Desk to disable the compromised McGill account. If you expose your financial information in a phishing scam, McGill suggests notifying your bank and calling a credit reporting agency to place a fraud alert on your credit report. 

Consult McGill’s “Phishing 101” guide for more information on phishing scams.
