Stay alert for UBC-wide self-phishing messages
October 13, 2020
Further to the UBC Broadcast on September 30, UBC is taking a number of measures to help us prepare for the expected increase in targeted phishing campaigns as a result of the upcoming launch of Workday. This includes the launch of a self-phishing campaign, in which UBC is sending fake phishing emails to faculty, staff and student employees. Not all of the emails are safe to open, and some may be “phishing” for sensitive credential information.
How to recognize a phishing email
Phishing messages can come in many different disguises, from sophisticated deception to obvious fraud. Watch out for these five common characteristics of phishing emails:
- The email communicates a sense of urgency and time constraint
- You may be asked to verify accounts or credit card numbers
- The email contains PDF attachments
- The message contains poor grammar and spelling
- Links don’t look quite right (e.g. www.u-bc.ca instead of www.ubc.ca
You are advised to treat all suspicious emails as a phishing attempt.
What to do if you receive a phishing email
Report phishing attempts by forwarding them as attachments to the UBC Information Security office at security@ubc.ca
If you report an email that was sent to you as part of the self-phishing campaign, you will receive an email reply to let you know that you have successfully identified a phishing email.
If you fall victim to a phishing attempt that was sent to you as part of the self-phishing campaign, you will be notified and sent materials to help you identify future attacks.
About the self-phishing campaign
The self-phishing campaign is ongoing. Unfortunately the cyber criminals are constantly on the attack with new variations and techniques to their own phishing messages. As long as those attacks continue, the self-phishing training campaign will be in effect, helping faculty, staff and student employees stay informed and alert for possible attacks.
Campaign results are kept confidential and the collected results for individuals will not be shared with anyone, including your manager/supervisor or any of your co-workers. Information entered during the campaign, like usernames or passwords, is not retained and is not available for review by anyone including service operators.
What to do if you accidentally fall for a real phishing email
- If you respond to a phishing email with your password, change it immediately and notify the UBC Information Security team at security@ubc.ca. They will work with you to protect your account.
- If you accidentally open an attachment from a suspicious email, delete it immediately (and empty the Recycling Bin on your desktop) and send an email to security@ubc.ca to let them know about the incident.
For more information about this initiative please visit the self-phishing campaign page on the Privacy Matters website (CWL required). You can also see how to tell if a Workday email is legitimate.
- Health, safety and wellbeing
- University news
- Announcement