'I knew I’d been scammed'
October is Cybersecurity Awareness Month at Mount Royal
Take part in Cybersecurity Awareness Month
October is Cybersecurity Awareness Month. Mount Royal’s cybersecurity hub has information for students and employees about events on campus, training opportunities, tips on how to protect yourself and your family, what to watch for, and information about the latest scams.
Increasingly, post-secondary institutions are targets of cyberattacks, and Mount Royal University manages the threat with robust systems, sector collaboration and the vigilance of employees.
According to Statistics Canada, universities are second only to banking institutions in reporting the highest levels of incidents, based on 2017 data. At Mount Royal, frequent phishing emails target employees and upwards of 200 million suspicious challenges to the firewalls occur per day — or about 2,300 per second.
“Universities go through cycles and scammers understand the university cycle. Over the summer we’ll often see a little bit of a lull,” explains Bernadette Pasteris, IT security awareness training coordinator. The first day students were back on campus this fall, Information Technology Services saw a significant jump in activity from would-be hackers.
Mount Royal is a member of the Canadian University Council of Chief Information Officers (CUCCIO), a nationwide effort to share information and resources to protect institutions. Post-secondary institutions in Alberta also collaborate regularly.
One of the most persistent threats is a gift card scam, according to Pasteris.
“It usually starts with an email that looks like it comes from a supervisor saying ‘Can you do me a favour?’ or ‘Are you available’ and from there it progresses,” she says. If the recipient responds to the first couple of emails — which are sent by an outside source impersonating person in a position of power — they’re then asked to buy gift cards and send photos of the redemption codes. About 12 people a month at the University are targeted, mostly faculty members. Chairs and deans are the ones most often impersonated in the phony emails.
One faculty member who was a victim of the scam said the email created a sense of urgency to respond, which drew them in.
“It was about 4 p.m. I’m getting a ride in the car and a message comes in on my phone. It’s not like I was sitting at my computer and could run the cursor over the inbox to see where things were coming from — because I know enough to do that. When something comes in over your phone it’s not quite as obvious.”
The sequence of events unfolded just as Pasteris described.
“The message said ‘I’m in a meeting, no one else is around, can you do this for me’,” recalls the employee, who felt it was necessary to respond because the request appeared to be coming from the department chair and seemed urgent. "You don’t want to do something that could negatively impact your job or perceptions of you, even though in the back of mind I’m thinking, ‘Why would he ask me to do this?’
“It was there in the mind, but it’s kind of like half the brain wasn’t working. As soon as the pressure was off and I’d hit send, I instantly knew I’d been scammed. That’s what I want people to realize: something takes over in our brain that means calmer heads don’t prevail.”
The employee — who had always made a point of staying informed about cybersecurity — recalls reading a campus email last spring alerting employees to the scam. “I read that email. It was there, in my brain, but at the time it happened to me, it really does get an emotional hook into you that I was powerless to recognize at the time.”
Pasteris says the gift card scam has been successfully targeting employees for almost a year. “People are purchasing the gift cards, they’re sending the codes. It’s because they’re successful that scammers keep coming back again and again — especially with the gift card scam. It just hasn’t died.” The scam has hit universities in the United States and across Canada.
Employees aren’t compensated when they use a personal credit card in a scam, but are encouraged to report the fraud to the Calgary Police Service. “It cost me $300, so this was a pretty cheap lesson in the grand scheme of things,” says the faculty member.
Strength in numbers
Responding effectively to an increased threat involves cross-institutional efforts. Mount Royal has a comprehensive enterprise risk management program that supports effective management of cyber risk and the prioritization of cyber risk controls across all faculties and departments, notes Curtis Desiatnyk, manager of risk and insurance.
“Insurers have been slow to respond to this new global risk because it is evolving at such an alarming rate,” Desiatnyk says. “Not only are incidents spiking, but scammers are becoming far more sophisticated, sometimes developing a rapport with their targets for months. This is why educating our staff, faculty and students with the most up-to-date information and resources is absolutely paramount.”
Desiatnyk adds, “This is something that will continue to affect all members of our community and impact how we do business.”
While threats to the University are increasing in both frequency and sophistication, employees’ ability to spot and report cyberthreats is also increasing, according to Pasteris, and they’re adopting more responsible behaviours as a result.
“We’re seeing a marked increase in suspicious emails being reported to firstname.lastname@example.org as a result of our awareness campaign,” and click rates on phishing emails sent by ITS as part of training have dropped significantly from about 30 per cent to 10 per cent. The number of mtroyal.ca account holders who have set up two-factor authentication has doubled so far in 2019.
The vigilance of students and employees is necessary, and to the faculty member in this situation, that means more than being informed — it requires slowing down.
“I’ve read everything IT sends out about cybersecurity and how to protect yourself, and yet I still got caught up in this. I’ve done all the IT training and gone to the workshops they’ve had, all of that, because I am cautious and conscious that it happens.
Colleagues should know it can still happen to them. “My message is, it doesn’t matter how smart you are, doesn’t matter how savvy you are, doesn’t matter how much knowledge you have. Be aware that when the emotions get pulled in we sometimes lose that thinking power.”
Pasteris notes, “The number one reason scammers are targeting universities is they’re being successful at it. When an employee is willing to come forward and say ‘it happened to me,’ it’s a really powerful reminder to others to take the time to be careful.
It’s the tendency of people to act quickly that the faculty member hopes to change by sharing their story.
“If I had just waited until the next day it would have given me enough time to have a good night’s sleep and realize it sounded like the email I read in May about the gift card scams. We are so caught up in responding so quickly, and that’s where our emotions are involved, thinking that if we don’t respond right away something bad is going to happen, that we get caught up in this.
“It’s okay to double check with people. It’s okay to not react so fast.”
Learn about Mount Royal’s cybersecurity certificate program in Continuing Education. Find out how Mount Royal is addressing a worker shortage, and how the Canadian post-secondary sector is preparing students for careers in the growing field of cybersecurity.
Sept. 30, 2019 — Melissa Rolfe