On Thursday, March 1, a phishing email was sent to the general population of McMaster. Purporting to be from University Technology Services (UTS), the email asked email users to go to a non-McMaster website and provide login credentials. Failure to do so would allegedly result in termination of one’s email account.
As stated by Julia Kraveca, manager of Client Services for UTS, “such attacks happen every so often.” Out of all incoming e-mail messages that McMaster receives, approximately 22 per cent are legitimate e-mails. The remaining e-mails are types of spam that may be caught by filters, and just like catching fish with a net, it is to be expected that one may fall through.
The main difference is that senders of phishing e-mails are aware of the different security mechanisms, and swim around them in order to be the one that lands in student inboxes.
In such circumstances, when the fraudulent email was not stopped by the filters, UTS used defensive measures to control its effects, noted Kraveca.
The phishing note was reported to UTS at 2 p.m. on March 1, and by 2:30 p.m. UTS had blocked on-campus access to the website noted in the e-mail, and had published a cautionary note through the McMaster University website.
After careful evaluation, it was determined that only two per cent of the targeted population received the spam email, and only 0.05 per cent actually visited the website. However, it is unknown how many of those email users actually responded to the request in the phishing e-mail. Additionally, a campus-wide notice was released the following morning.
Although the sender is unknown, “it is evident that their intent in sending the e-mail was malicious, and was sent with the purpose of collecting private information that could somehow be misused,” said Kraveca.
Based on the available statistical data, it appears that the phishing e-mail was caught before it was able to travel too far, making its impact quite insignificant. UTS interpreted the data as affirmation that it had successfully educated the McMaster community on protecting themselves from fraudulent emails.
However, UTS did not want to downplay the impact the email had for the 0.05 per cent whose world was turned upside down as a result of the leaked spam.
The hope is that such an incident does not happen again; however, it is not entirely preventable, explained Kraveca. Students and faculty are therefore strongly urged to exercise caution in order to protect themselves from duplicitous emails.
In the event that such an occurrence does repeat, students and faculty are urged to report the potential phishing scam to the UTS Service Desk as soon as possible.
Suggested protective measures include refraining from opening e-mails if the source is unknown or appears suspicious. Phishing schemes are often designed to imitate legitimate companies or institutions, so users are encouraged to watch for distorted logos and misspelt words, which are telltale signs that the sources are not genuine.
Lastly, one must resist clicking embedded links or verifying confidential information, as these are often connected with fraudulent online activity.
UTS is actively involved around the clock in the prevention, detection and investigation of potential electronic fraud within the University. On any given day UTS processes 1.4 million e-mail messages.