McGill thwarts phishing attack, but concerns remain
Information Security Office reminds community to be aware of online trickery
By James Martin
“The only defence we really have with these types of fraud is education,” says a frustrated bunko detective in 419, Will Ferguson’s Giller-winning novel about Internet scams. McGill’s Information Security Office agrees. With a new semester gearing up, the ISO wants to ensure that the University community knows how to protect itself from a threat that, alas, is not just the stuff of fiction.
Cybercrimes are big business. According to the 2012 Norton Cybercrime Report, online attacks cost Canadians $1.4-billion annually, not including several billion more in related lost productivity. One of the major concerns is “phishing,” in which would-be e-thieves masquerade as trusted entities, such as a bank, in an attempt to trick someone into sharing login or financial information.
The McGill community experienced phishing firsthand in July. Staff and students received a duplicitous email directing them to log on to Minerva – except it wasn’t really Minerva, it just looked like it was. Thirty-six people unwittingly entered their McGill ID numbers and passwords into the bogus site. The phishers then used that information to change people’s banking deposit information, in the hope of rerouting paycheques. The Information Security Office was able to intervene before irreparable damage could be done.
July’s phishing attack serves as a reminder to remain vigilant and to add a few good habits to your online work routine. See sidebar for the ISO’s tips on how to identify a phishing attack and how to protect yourself from becoming a victim.
Nine tips for staying safe online:
• Never respond to an email asking you to validate your McGill username and password. (The same goes for any of your external accounts.) Reputable institutions will never ask you to confirm your user information via email.
• Never reply to a phishing email, even in jest. Responding only validates that your email address is active, and keeps you on a scammer’s list.
• Never click on a link within an email. Instead, type the URL into your Web browser.
• Install a mobile security app on your phone.
• If you’re no longer using a social networking account, delete it. Unused accounts are ripe for being hijacked, and a hijacker can use your good name to scam others.
• Check the privacy settings on your social networking accounts.
• Do not copy confidential documents, or documents containing personal information, to your computer or devices like USB keys. Instead, use your departmental network drive.
• Change your password periodically. Make sure to choose strong passwords that mix upper- and lower-case letters, numbers and at least one symbol.
• Update your computer’s antivirus software at least once a month. Online banking and other confidential services are only safe if your computer is free of malware.
For more information on protecting yourself from phishing, see the McGill IT Knowledge Base.