
Phishing and Social Engineering are deceptive tactics cybercriminals use to steal sensitive information like passwords, credit card details, and personal data. These attacks can have serious consequences, jeopardizing research integrity, compromising privacy, and causing financial losses for individuals and the university.
The High Cost of Business Email Compromise (BEC)
A particularly damaging type of phishing is Business Email Compromise (BEC). In BEC scams, attackers impersonate legitimate entities like trusted suppliers, department heads, or members of UBC Executive to trick individuals into making gift card purchases, wire transfers, or other fraudulent financial transactions.
Spear Phishing: A Targeted Attack
While traditional phishing attacks cast a wide net, Spear Phishing takes a more targeted approach. Attackers personalize emails for specific individuals or small groups within UBC, making them appear more trustworthy. For instance, a UBC faculty or staff member might receive a seemingly urgent email from a dean requesting an immediate payment or wire transfer.
Cybercriminals often invest time in researching their targets to personalize emails and requests. They might even spoof email addresses, using slight variations of real addresses or misspellings to trick recipients.
Recognizing the Warning Signs
Knowing the red flags is crucial for identifying phishing attempts. Here are some common indicators:
- "Non-UBC Email" Banner on a Supposedly Internal Message: Emails from legitimate UBC colleagues and services will not carry this warning banner, so a message that claims to come from within UBC but displays it should be treated as suspect.
- Sense of Urgency: Phishing emails often create pressure by emphasizing urgency, prompting you to act quickly without proper scrutiny.
- Requests for Sensitive Information: Be wary of emails requesting passwords, financial details, or other sensitive information. UBC departments will rarely use email for such requests.
- Suspicious Links and Attachments: Always hover over links to see the actual URL before clicking. Unfamiliar, shortened, or suspicious URLs are red flags. Do not open attachments in emails you don't trust.
- Unprofessional Design: Look for inconsistencies or unusual formatting that might suggest a fraudulent message.
- Generic Content or Greetings: Be cautious of emails lacking personalization or using generic greetings.
- Unexpected Requests: Be especially wary of emails requesting financial transactions, sensitive data, or login credentials.
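As an added illustration (not code from this UBC page), the following Python script turns the red flags above into a heuristic scorer run over a constructed sample message. The trusted domain, the keyword and shortener lists, and the sample email text are all assumptions chosen for the demonstration.

```python
# Added example, not from the UBC page: heuristic scorer for the red flags listed above.
import re
from urllib.parse import urlparse
TRUSTED_DOMAIN = "ubc.ca"  # assumption: the institution's real mail domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
SENSITIVE = re.compile(r"\b(password|wire transfer|gift card|bank details|login)\b", re.I)

def is_internal(host: str) -> bool:
    # Only the trusted domain itself or one of its subdomains counts as internal.
    host = host.lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: catches one- or two-character misspellings of the domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_trusted(host: str) -> bool:
    # External host imitating the trusted domain, by typo or by embedding the brand name.
    host = host.lower()
    return not is_internal(host) and (edit_distance(host, TRUSTED_DOMAIN) <= 2 or TRUSTED_DOMAIN.split(".")[0] in host)

def score_email(sender: str, display_name: str, subject: str, body: str, external_banner: bool) -> list:
    """Return the red flags one message raises; an empty list means none matched."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    if looks_like_trusted(domain):
        flags.append(f"lookalike sender domain: {domain}")
    if "ubc" in display_name.lower() and (external_banner or not is_internal(domain)):
        flags.append("presented as internal UBC mail, but sender domain or banner says external")
    if URGENCY.search(f"{subject} {body}"):
        flags.append("urgency language")
    if SENSITIVE.search(f"{subject} {body}"):
        flags.append("asks for credentials, payment or gift cards")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            flags.append(f"shortened link: {host}")
        elif looks_like_trusted(host):
            flags.append(f"lookalike link host: {host}")
    return flags

# Constructed sample imitating a dean's urgent request (not a real message).
SAMPLE_FLAGS = score_email("dean.office@ubc-finance.ca", "Dean of Science (UBC)",
    "Urgent wire transfer needed today", "Approve it immediately: https://bit.ly/pay-now", True)
```

Content heuristics like these complement, rather than replace, mail-gateway checks such as SPF, DKIM and DMARC, which are what catch a From address that exactly matches the real domain.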
Protecting Yourself from Phishing Attacks
Here are some essential steps to protect yourself from phishing attacks:
- Be Vigilant: Exercise caution and scrutinize all emails, especially those with unusual requests.
- Verify Sender Legitimacy: If unsure about the sender's legitimacy, contact them directly using Microsoft Teams, a known phone number, or an email address – not the information provided in the suspicious email.
- Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring a second verification step when accessing accounts.
- Report Suspicious Activity: Forward suspicious emails as attachments to security@ubc.ca.
- Stay Informed: Join the Privacy Matters Champions Network to receive updates on cybersecurity threats and best practices.
- Think Before You Click: If you're unsure about a message or a link, don't open it. Forward it to security@ubc.ca for investigation.
Departmental Best Practices
UBC departments can also play a vital role in mitigating phishing and BEC scams:
- Regularly validate financial systems and implement strong technical controls to safeguard them.
- Ensure all faculty and staff have completed Privacy & Information Security – Fundamentals training, especially personnel involved in financial transactions.
- Conduct regular audits to ensure compliance with security policies.
Phishing attacks are constantly evolving. Staying informed and vigilant is key for faculty and staff to protect themselves and the UBC community. By working together, we can create a safer digital environment for everyone.