
At UBC, we invest heavily in secure systems—from advanced firewalls to strong identity controls. Yet, even with the right tools in place, one truth remains: the biggest security risk is often people, not technology.
Cyber threat actors understand this. Rather than relying solely on technical attacks, they increasingly focus on the human element—persuading someone to click, share, approve, or act before thinking. This reality is especially important at a large, decentralized institution like UBC, where faculty and staff manage significant research, academic, and administrative information.
If we are experienced, capable professionals, why do we still fall for scams? The answer lies in human psychology—not technical skill.
These tactics work because they take advantage of natural human behaviours, such as trust, curiosity, helpfulness, and fear. When a message feels urgent or appears to come from someone in authority, even highly skilled people can make a quick decision that leads to a security breach.
It only takes one moment—one click—to give an attacker a foothold.
How People Get Manipulated
| Tactic | How it works |
| --- | --- |
| Phishing and Spear Phishing | Phishing messages are designed to look legitimate—often posing as banks, vendors, or internal UBC services—while hiding malicious links or attachments. Spear phishing is even more targeted. Attackers may impersonate a colleague or leader and reference real details found online. One familiar example is a message pretending to be from senior staff urgently asking someone to buy gift cards. On the surface, it looks real; under pressure, people sometimes comply. |
| Quid Pro Quo | In the quid pro quo tactic, an attacker offers something in return—such as help with a “technical issue”—but only if you provide access or information. Someone pretending to be IT support might urgently request your login credentials to fix a problem. In reality, legitimate support teams will never ask for your password. |
| Evolving Techniques | Attackers continually adapt. New tools, such as artificial intelligence and deepfakes, help create more convincing emails, messages, or even voice calls. These advanced techniques make social engineering increasingly difficult to detect. |

None of these methods rely on technical flaws. They rely on human ones.
The Best Defence: Thoughtful Habits
Even the strongest technical controls cannot fully protect us if we are caught off guard. Across UBC, security depends on a shared commitment to thoughtful and cautious behaviour.
The most powerful protection is critical thinking. If a message feels urgent, unusual, or too good to be true, pause before responding. A few seconds of skepticism can prevent a serious incident.
Protecting UBC—Together
Cybersecurity is not just a technical issue; it’s a human one. At UBC, we all share responsibility for protecting the systems and data we rely on every day.
By completing mandatory privacy and information security training, joining phishing prevention workshops, and applying critical thinking, you help reduce risk for the entire community.
Staying informed and engaged builds resilience. It also helps create a culture where everyone plays a role in keeping UBC safe.
Smart people get hacked—not because they are careless or uninformed, but because attackers are skilled at manipulating human behaviour. By understanding the tactics used against us and adopting simple protective habits, each of us strengthens our individual security and contributes to the safety of our university.

