Over the past week, UBC has experienced a high-volume phishing campaign that utilized several compromised university email accounts and led to the distribution of tens of thousands of fraudulent messages. These messages offered free high-value items (such as pianos, gaming consoles, or cameras) and appeared to come from legitimate UBC senders.
This type of scam preys on goodwill within our community, mimicking the style of internal “giveaway” emails. Once targets engage, scammers request payment for “shipping fees,” resulting in financial loss.
Remember: UBC business email accounts should not be used for personal sales or giveaway messages. If something feels off, even if it comes from a UBC address, always verify the legitimacy of the email.
Protect yourself
- Use strong passwords or passphrases: Create a passphrase of at least 16 characters (e.g., sunshine blue trees swimming), or a password of at least 10 characters mixing letters (uppercase & lowercase), numbers, and symbols (e.g., SrahoSi#1986). Never reuse UBC passwords elsewhere, instead use a password manager.
- Be cautious of offers and gift card requests. Verify through trusted channels like MS Teams or a known phone number.
- Report phishing. Forward suspicious messages as attachments to security@ubc.ca
- Watch your MFA. If you get a Duo push and aren’t logging in, deny it immediately and report to security@ubc.ca
Your reports help keep the entire UBC community safe.