
At UBC, we rely on a digital environment that spans classrooms, office buildings, research labs, and remote connections. While the university continually invests in technical safeguards, attackers are increasingly focused on the most vulnerable—and human—part of our security system: the people behind the screens.
Their most effective tool is social engineering, a tactic that manipulates individuals into sharing information or performing risky actions. Often, the message itself is the first red flag: an offer or situation that feels too good to be true. Recognizing how these messages are constructed—and what they are trying to achieve—helps protect you and our community.
What Makes These Messages Convincing?
Social engineering works because it appeals to familiar emotions like trust, curiosity, and concern. Messages are crafted to look helpful, authoritative, or urgent, encouraging us to respond quickly and without questioning.
Here are three common techniques to watch for:
1) The “Quid Pro Quo” Hook
Many scams begin with a promise—something appealing offered in exchange for information or access. This might take the form of:
These messages are designed to feel helpful or exciting, but they are attempting to collect personal or financial details. If an offer seems unusually generous or unexpected, take a moment to pause—this is often the first sign of a scam.
2) Targeting the University Community
Higher education institutions are especially attractive to scammers. Publicly available departmental information makes it easy for attackers to tailor their messages, and faculty and staff handle valuable data that cybercriminals want. A prime example relevant to university environments is the “payroll pirate” attack. Financially motivated attackers target employee accounts to access HR platforms—such as Workday—and change payroll details. These attacks are often highly tailored, appearing as:
The goal is to trick someone into providing login credentials or MFA codes, allowing the attacker to redirect salary payments. These attacks remind us that even messages that appear professional or administrative can be fraudulent.
3) Using Urgency and Authority to Force Action
Attackers often add pressure by creating urgency. Messages may claim to be from:
Urgency encourages quick reaction, and authority makes the message feel legitimate. In a hurry, it’s easy to overlook details such as spelling errors, awkward phrasing, or unusual tone. Attackers are also adopting increasingly convincing techniques, including deepfakes—highly realistic audio or video that impersonates real people. This makes slowing down to verify requests more important than ever.
Protecting Our Community: Simple Steps That Work
Cybercriminals rely on quick emotional reactions. Taking small, deliberate steps can make it much harder for attackers to succeed.
Here are practical ways to build safer digital habits at work and at home:
- Be skeptical and verify: If a message asks for money, information, or immediate action, take a moment. Do not click links or open attachments. Instead, verify the request using contact details you already trust—such as calling the department or the person directly.
- Use strong identity protections:
  - Create strong, unique credentials.
  - Ensure Multi-Factor Authentication (MFA) is enabled everywhere possible. MFA helps prevent unauthorized access even if a password is compromised. Moving away from SMS-based MFA to more secure alternatives is also recommended.
- Limit personal information online: The less you share publicly—on social media or departmental pages—the harder it is for attackers to tailor their message to you.
- Report suspicious messages: If something seems off, report it to security@ubc.ca right away. Avoid interacting with the message until you’ve confirmed its legitimacy.
These small steps make it more difficult for attackers to exploit our community, helping protect personal data and university resources.
Why It Matters at UBC
Social engineering is one of the most common and effective ways attackers gain access to systems—and universities are particularly appealing targets. A single compromised account can provide access to sensitive personal information, financial systems, and research data.
Because of this, cybersecurity is most effective when it’s part of everyday habits. By recognizing the tell-tale signs of “too-good-to-be-true” messages and responding thoughtfully, we help safeguard both our personal information and the wider UBC community.
Security is a shared responsibility. When we stay aware and take action—by verifying requests, using MFA, and reporting suspicious messages—we collectively strengthen UBC’s defences and reduce the impact of attacks.