How post-secondary institutions are becoming lucrative targets for cybercriminals
When Stephane Lemieux, a MacEwan computer science professor, received an email from a fellow faculty member on July 24, he immediately knew something was wrong with it. Over the summer, two MacEwan faculty members’ accounts had been compromised and were used for a mass phishing attack. The messages sent out used the guise of a job offer to encourage recipients to click on a link and give over their personal information.
Lemieux, who is a cybersecurity and risk-assessment expert, quickly flagged the email. MacEwan’s cybersecurity team soon processed the report and deleted the message from the system before most recipients could even look at it.
But, out of the few that did, some ended up clicking on the link.
“Phishing, in general, is really common at the university,” Lemieux says. “I don’t think it’s a huge problem at MacEwan versus any other place.”
The recent attack is just one of many to target Canadian institutions. The University of Toronto reported a similar attack in late July that also used a job offer as a lure. Lemieux notes that most attacks are mainly “phishing” for personal information to sell on the black market, where a profile goes for $100 to $300 depending on how complete it is.
However, some phishing attacks can be much more costly, like when a McMaster University student was defrauded for over $100,000 in an elaborate phishing incident last September.
Lemieux says that attacks known as spear phishing or executive phishing are hyper-specific, complex and usually go after high-profile or high-value targets. Recent developments in AI are making the more common “machine gun” style phishing attacks more sophisticated, closer to spear phishing in quality, but at a higher rate of attack and at a much lower cost to the perpetrators.
David Almond is the associate vice president of information systems and chief information officer at MacEwan. Put more simply, everything related to technology at MacEwan goes through him. Almond says the threat actors who target institutions like MacEwan are like clever business people simply making sound business decisions. The instigators could be anyone from state-sponsored espionage groups to organized criminals and even activist groups.
“They’re aware that our funding doesn’t keep up with the newer threats — threats are constantly emerging and public institutions’ ability to fund and stay current is a problem right now,” Almond says. “They can size up relative weaknesses pretty clearly and they know how much to invest to go after a certain institution.”
Lemieux and Almond both agree that training people to a base level of understanding on phishing is one of the best ways to prevent attacks. Almond is already incorporating basic cybersecurity training at MacEwan. After all, it’s becoming a life skill.
According to Lemieux, with phishing, you don’t need a complex understanding of cybersecurity, you just need to follow a couple of simple rules:
1: Don’t give out personal information unless you initiate the interaction. For example, if you call your bank because you’re moving, you will expect them to need information.
2: Good news or bad news, if it’s legitimate, they will make more than one attempt to contact you. Sometimes, with job offers, they might not, which is where rule three is useful.
3: Don’t use the information they’re giving you to contact them. If it’s a job you applied for, contact the hiring manager directly to respond.
4: Lastly, check that everything is consistent. Make sure the message makes sense on its own, in relation to you, and in relation to whoever else has been CC’d on the email.
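Rules three and four can partly be mechanized: a mail client or a help-desk triage script can check whether the address you are told to reply to, the place a link really goes, and the list of other recipients agree with what the message claims. The script below is an added example, not code from the article or from MacEwan. The institutional domain `CAMPUS_DOMAIN`, the two sample messages and every address and URL in them are constructed for illustration; the job-offer lure mirrors the kind of message described above.

```python
"""Mechanical checks behind rules 3 and 4: does the reply address, the
link destination and the recipient list agree with what the message claims?
Added example, not the article's or MacEwan's own tooling; the campus domain
and both sample messages are constructed."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

CAMPUS_DOMAIN = "macewan.ca"  # assumption: the recipient's institutional domain

# Constructed job-offer lure: the From looks internal, but Reply-To, the
# real link target and one CC recipient all point elsewhere.
PHISH_EML = """\
From: "Prof. A. Colleague" <a.colleague@macewan.ca>
Reply-To: hr-jobs@careers-portal.example
To: student1@macewan.ca
Cc: student2@macewan.ca, buyer@outside.example
Subject: Part-time research assistant position
Content-Type: text/html

<p>You have been selected for a paid position. Confirm your details at
<a href="http://forms.phish.example/apply">https://www.macewan.ca/careers</a>.</p>
"""

# Constructed legitimate message for comparison: everything is consistent.
LEGIT_EML = """\
From: "Prof. A. Colleague" <a.colleague@macewan.ca>
To: student1@macewan.ca
Cc: student2@macewan.ca
Subject: Lab meeting moved
Content-Type: text/html

<p>Agenda is posted at
<a href="https://www.macewan.ca/lab/agenda">https://www.macewan.ca/lab/agenda</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Lower-cased domain of one address ("" if there is none)."""
    return email.utils.parseaddr(addr)[1].rpartition("@")[2].lower()


def in_campus(domain, campus_domain):
    """True for the campus domain itself or any subdomain of it."""
    return domain == campus_domain or domain.endswith("." + campus_domain)


def audit(raw, campus_domain=CAMPUS_DOMAIN):
    """Return which of the consistency checks the message fails."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"reply_to_mismatch": False, "external_cc": [], "deceptive_links": []}

    # Rule 3: the address you are told to reply to should belong to the
    # same organisation as the apparent sender.
    sender_domain = domain_of(msg["From"] or "")
    reply_to = msg["Reply-To"]
    if reply_to and domain_of(reply_to) != sender_domain:
        report["reply_to_mismatch"] = True

    # Rule 4: the other recipients should make sense for this message.
    for _, addr in email.utils.getaddresses(msg.get_all("Cc", [])):
        if not in_campus(domain_of(addr), campus_domain):
            report["external_cc"].append(addr)

    # Rule 4 again: the link you see should be the link you get.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = urlparse(text).netloc.lower()    # host the reader sees
            actual = urlparse(href).netloc.lower()   # host the click goes to
            if shown and shown != actual:
                report["deceptive_links"].append((href, text))
    return report


def is_suspicious(report):
    return bool(report["reply_to_mismatch"] or report["external_cc"] or report["deceptive_links"])


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        result = audit(raw)
        print(name, "SUSPICIOUS" if is_suspicious(result) else "clean", result)
```

These checks only catch messages that contradict themselves; a lure whose Reply-To, links and recipients are all internally consistent (a fully compromised colleague's account, for instance) still has to be caught by the human rules above, which is why the script reports findings rather than deciding for you.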
Almond says vigilance is key. It only takes getting caught off guard one time to become a victim, even if you do things the right way a thousand other times. When we receive hundreds of emails a month and consume an immeasurable amount of digital information every day, it can be difficult to protect yourself, no matter how smart you are.
“The parallel I can draw is to magic tricks. Sometimes, the easiest people to fool with magic are the smartest people in the room. Because there’s a belief, you can’t be fooled,” Almond says.
Graphics by Shelby Mandin