UBCBroadcast

Protecting UBC’s information security: precautionary phishing measures

This message was sent to faculty and staff in Vancouver and the Okanagan.

September 30, 2020

A message from Andrew Szeri, Provost and Vice-President, Academic, UBC Vancouver, Chair, Privacy and Information Security Management (PrISM) Executive Leadership; Jennifer Burns, Associate Vice-President, Information Technology and Chief Information Officer; Rob Einarson, Associate Vice-President, Finance & Operations, UBC Okanagan

As a public institution with a significant research focus, UBC has seen an increase in cyberattacks. As you know, we are also about to implement a new enterprise system, Workday, which is likely to generate targeted phishing campaigns with the aim of tricking unsuspecting faculty and staff into providing their credentials.

“Phishing” refers to an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain.

UBC is constantly being phished, with many criminals using tools to further target faculty, staff, and student employees who have already responded to a phish. Most common to UBC are email messages sent with a deceptive link in the message that may appear to have one destination, but actually leads to another. While we attempt to screen email at the source, far too many emails succeed in tricking our faculty, staff, and student employees into clicking or giving up their UBC credentials, posing ongoing risks for the university.

On Monday, many of you noticed a warning tag on external email messages received from non-UBC sources. The tag is a reminder to verify the authenticity of the email before clicking on links, opening any attachments, or responding to the message. Many of you have shared feedback on the external email warning tag, and this has been shared with the Cybersecurity team to consider and improve.

We should also note that in the last 24 hours, there were more than 53,000 phishing attempts blocked. In the last month, there were 1.7 million phishing attempts blocked.

In the lead-up to Workday, it is more important than ever that the UBC community is prepared and diligent when it comes to potential phishing attacks. To combat phishing, a number of activities are being undertaken to mitigate the risks, including:

  • Self-phishing campaigns: Self-phishing is an educational technique in which fake phishing messages are sent by the institution as a training exercise to help faculty and staff prepare for an actual attack;
  • Implementing mandatory multi-factor authentication (MFA);
  • Training and phishing information sessions during Cybersecurity Month (October).

Please note that given the urgency and immediacy of phishing attacks ahead of the Workday launch, a UBC-wide self-phishing campaign will be deployed during two weeks in October. This will help prepare and educate you on how to quickly spot some of the most common types of phishing and avoid falling victim to their attacks.


