While thousands of students continue to report fake, malicious emails sent by the university’s cybersecurity initiative, some students are asking Ryerson to cut the phishing line.
Ryerson’s Computing and Communications Services (CCS) launched a campaign this month called Cybersecurity Awareness Month. The campaign intends to educate students on phishing attacks.The initiative cautions students against downloading malware and encourages them to enable two-factor authentication when logging into accounts.
Brian Lesser, Ryerson’s chief information officer, said four Ryerson students were removed from the Cybersecurity Awareness Month fake phishing email list as of Oct. 24.
CCS has received complaints about the emails causing stress from students, Lesser said.
“If somebody made the effort to say, ‘look, I really, just don’t want to receive (phishing emails),’ and communicated that to us, we took them off the list,” he said.
During the first week of the campaign, Lesser said there were around 3,000 people who participated in the initiative by reporting the phishing emails. Lesser said the phishing emails are being sent to 65,126 recipients in total.
One student posted on Ryerson’s class of 2019 Facebook group about concerns the initiative is triggering for victims of phishing attacks and students living with mental health issues.
“I believe we should be able to unsubscribe to the ‘fake’ emails we are receiving from the institution we are paying for our education,” the post reads.
The student would like to remain anonymous because of harassment and death threats made on their post.
They added that they felt distressed when they started receiving emails from CCS. At the time, they were in the hospital for mental health issues.
They also asked members of the page if anyone was interested in starting a petition to make the phishing emails an opt-in program.
Despite the backlash, Lesser said that the CCS has also received a lot of positive feedback.
“The goal is not to stress (students) out, the goal is to send them something that an attacker might send them and then safely train them,” he said.
He said that while 19 per cent of recipients clicked on the first phishing email link, only six per cent clicked on the link for the second simulated phish. That number decreased again for the third phishing email, where only four per cent of recipients clicked the link.
Lesser said he wasn’t aware of any petitions to alter the program.
CCS staff will reflect on the initiative and consider alterations for the future at the end of this month.
Kieran Ramnarine, a student who commented on the petition post, which has since been deleted, said many students have been posting about the phishing emails.
The computer science student said the positive impact the campaign has had on students outweighs reasons to stop or make Ryerson’s fake phishing initiative optional.
“It’s kind of like the fire alarm ideology: doing a fire drill will help you be more prepared for a fire alarm than an actual fire,” Ramnarine said. “So why not do that as well for cybersecurity.”
Even on the post about the phishing petition, Ramnarine said there was a fake Facebook account commenting.
“They sent me a private message and then I did some digging on their Facebook profile and I Googled one of their pictures and realized it was a photoshopped picture of a celebrity.”
Ramnarine said he messaged the account, and was immediately blocked.