Think twice before you respond to an email or click an email attachment this month since it could be a scam—or Ryerson disguised as a scammer.
Computing and Communications Services (CCS) at Ryerson launched an educational campaign and contest on Oct. 2 for Cybersecurity Awareness Month to teach Ryerson community members how to protect themselves online.
Students and staff will receive fake phishing emails and online self-defence tips via pop-ups when they log into the my.ryerson portal during October.
“We’re going to send you our own phish, deceptive emails, to try and trick you into clicking when you shouldn’t,” said Brian Lesser, Ryerson’s chief information officer.
“We’ll send an email that says, ‘there’s something wrong with your Ryerson account, it’s urgent, click here immediately and log in,’ and then (if you click) you’ll go to a page that says, ‘OK, we fooled you, we’re sorry, but here’s what you should look for to avoid being phished in the future,’” he added.
He said CCS wants to teach community members how to recognize phishing, be cautious of downloading malicious software—documents that contain viruses or worms, or that cause other harm to a computer—and use two-factor authentication.
Two-factor authentication adds a second login step that protects your personal information. After you enter a username and password, it requires a code generated by an authenticator app such as Google Authenticator.
The initiative comes at a time when, Lesser said, Ryerson is increasingly at the receiving end of cyber attacks.
Ryerson blocks up to 500 malicious email attachments every day and detects one million password guessing attempts in a typical week, according to CCS my.ryerson pop-ups.
“The average person doesn’t understand the gravity of an unsecure online presence,” said Jaskiran Lamba, co-chair of RU Hacks, Ryerson’s official hackathon.
“A person who has bad intentions only needs one person to mess up and everything can get hacked.”
There have been a number of cybersecurity attacks at Canadian universities over the past few years. The University of Calgary paid $20,000 to a cyber attacker who compromised the university’s email system in June 2016. Hackers disabled Carleton University’s computer system in November 2016. More recently, Edmonton’s MacEwan University was victim to an $11.8 million phishing attack in August.
“Machines and systems are vulnerable and people are vulnerable,” Lesser said. “People can be tricked into doing things that aren’t in their interest.”
He said Ryerson has been working on its computer systems’ vulnerability for years. Now, it is shifting focus to student and faculty online behaviours.
(Infographic credit: Angela McLean)
CCS sent a list of ways to recognize a phish in an email to students during Cybersecurity Awareness Month last year. The list included looking out for suspicious sender addresses, blank “to” fields, urgent requests for personal information or immediate action and typos in an email’s body.
The chief information officer said such informational emails weren’t effective.
“What we’re doing right now is trying our first attempt to change people’s behaviour at scale,” said Lesser, referring to the different approach CCS is taking this year. “We’re putting messages in their face they can’t ignore, providing information on the website that we’re constantly pointing to and incenting them through contests to do the right thing.”
Students participating in the CCS Cybersecurity Awareness Month contests can win a number of prizes, including money on their OneCard, an iPad Pro or one of 20 $200 pre-paid Visa gift cards.
“Even if I wasn’t going to win something, I would want to report phishing,” said Jamie Holman, a fourth-year graphic communications management student. “I think the people who are doing it are really terrible.”
Holman said she doesn’t click on links in emails unless she hovers over the link first to make sure keywords in the web address make sense.
“If it’s a random long string of letters and numbers then I assume it’s going to be a pop-up and I wouldn’t open it,” she said.
Lamba said the campaign won’t really change Ryerson community members’ habits.
“We’re trying to be proactive here which is good, but most people are reactive so they only care when shit hits the fan,” said Lamba. “Unless a security breach actually happens at Ryerson, no one’s really going to care.”
Lamba’s advice to internet users is: use common sense.
“Never use the same password for any login and don’t use the password: 1234,” he said.
“And if it’s too good to be true, don’t click on it.”