Students are seeing a rise in scam and phishing campaigns delivered straight to their university email.
UW students in particular receive tax refund emails pretending to be from the Canada Revenue Agency, fake blackmail emails that falsely threaten to release embarrassing (non-existent) footage of students unless they pay in digital currency, and fake job ads for a “Mystery Shopper” position from strangers pretending to be UW students.
In light of these scams, is UW becoming a target for hackers and scammers? The answer is a bit complex.
Florian Kerschbaum, Executive Director of the Waterloo Cybersecurity and Privacy Institute, said UW is not being targeted any more than any other university.
Kerschbaum pointed out that online scams aren’t an isolated incident happening only to UW or even to Ontario universities. Kerschbaum went even further by giving the example of Justus Liebig University, a university in Germany, dealing with hackers and scammers as well.
But higher educational institutions are an increasing favourite among phishing campaigns, according to one cybersecurity professional.
Mark Sangster, Vice President and Industry Security Strategist at eSentire, answered in an email that “Students and educational skills institutions are fast becoming a popular target. Academic records are also tied to financial records via tuition payments. And this information can be used to steal money directly, or defraud both the institution and students. Students receive fake payment info and pay through a fake portal.”
“We have also witnessed social engineering tactics like phishing campaigns that look to come from the registrar of the school, but lead back to criminal operations. Often it refers to a financial refund for overpayment. The student logs into the fake portal and thereby surrenders their legit credentials. We’ve also seen students targeted with job offers that require them to provide banking info to receive payment. They are fake,” Sangster explained.
Sangster said that Waterloo in general receives attacks from hackers and scammers on a regular basis.
“The KW region is regularly the target of cybercrime. Local businesses, hospitals and likely individuals are victims. Hospitals in southwestern Ontario, including Listowel, were disrupted last year by ransomware attacks. And we are aware of local businesses that were targeted,” Sangster said. “Asking about regional risk touches on a major point. Most [local companies] don’t see themselves as targets. They can’t imagine criminal groups in Asia and Russia targeting KW. But they do. In short, KW business is already under attack. Victims suffer silently and criminals operate at home, here, with impunity.”
In addition, Sangster noted that important data many people overlook can be stolen, sold and resold for money. This includes data such as email addresses, names and credentials, school records, and IP addresses. People volunteer some of these of their own free will in lotteries or draws that require contact information.
When asked why people should be expected to protect themselves, Sangster answered that people should expect to be protected, but it doesn’t always work in practice.
“Police and intelligence agencies are pivoting to protect people against such attacks but they often operate outside the reach of conventional law. Local police work with national police and intelligence to combat foreign crime organizations,” Sangster explained. Sangster likened this predicament to the Wild West. The law exists, and people to uphold the law exist as well, but that’s not enough.
“Think before you click,” Sangster says. Be suspicious if an email or notification doesn’t seem right. Ask questions and investigate using trusted sources. When using public WiFi, protect your IP address with a VPN you can count on. On the university campus alone, students can find various sources of help, such as The Centre in Irene Needle’s Hall, with staff willing to help however they can.