My account would NEVER be hacked … Would it?

GryphReaper impersonation on University of Guelph ID card

September 29, 2017

Here’s a sobering reality: In 2016 CCS InfoSec locked 1043 accounts, the vast majority compromised and used by criminals to send spam to many more victims.  So far in 2017, we have had to lock over 1200 accounts. Many owners are intelligent and savvy, and most would have agreed that their account would never be hacked. Yet it happened, and continues to happen at alarming rates.  The consequences for the victims are distressing. You feel violated, criminals have access to all your email, including personal, all your U of G access is affected while your account is locked. You may even lose real money. The U of G also experiences consequences. We have to investigate and deal with each lock, we may have to report a privacy breach, or some sites may block the whole University from sending mail, and the U of G could lose real money, as some Universities have.  Sobering indeed.

We often hear from confident people who think their account would NEVER be compromised.  Can you really say that you would not fall for ANY of these (anonymized) real incidents or near-incidents?

  • An administrator forwards a routine-looking email from his (impersonated) supervisor for payment. The fraud was averted when the payment clerk questioned why we wouldn’t pay in Canadian Dollars instead of British Pounds
  • An IT professional downloading the latest update to a utility they often use, finds their computer infected with keystroke logging malware.
  • A committee treasurer receives an (impersonated) email from the chair, to pay a reasonably small amount out of the committee’s budget. It looks a bit unusual, and she phones the chair to find out they never sent it. Their “offices” appear publicly on a small website.
  • Having accepted into a prestigious U of G program, a student receives a job offer for a few hundred dollars per month. The student accepts, and does the work for a month, hoping for a little extra income. After a month, the ‘company’ tries to make the first deposit. The automatic transfer does not work, so they ask for a bit more bank information. It is enough to empty the student’s bank account.
  • A student whose first language is not English checks his phone first thing in the morning and sees an urgent mail from the IT department that his account will be locked within two hours unless he verifies that he is still active. The link looks legitimate, and with a big assignment due, this is not a day he can afford to lose his account.  He clicks, giving criminals his password, and CCS had to lock his account.

At CCS, we aim to reduce the problem as much as possible.  Upward of 95% of all email to the campus is spam.  Of the less than 5% legitimate email some malicious email still makes it through to your inbox, making situations like the ones above, and many more, an unfortunate reality.  When we become aware of a credible scam or phishing attempt, we take any or all of the following actions:

  1. Create a scam page for that attack at https://infosec.uoguelph.ca
  2. Block this sender from sending email
  3. Reach out to the site of the compromised account or mail server
  4. In some cases we may remove the offending email from users mail boxes.

But, as members of the U of G community, we all have a responsibility by policy to keep our account credentials safe. What can you do to reduce the scourge of scams and phishing?  Here are some tips:

  1. Have a radar sense about things that seem not quite right. When in doubt, check our home page (https://infosec.uoguelph.ca) or forward the suspicious email to the CCS Help Centre.
  2. Keep your password strong and private. Do not tell anyone, and don’t re-use it for other services or websites.  Change it about once per year minimum.
  3. Avoid open WiFi or use the U of G VPN solution when you need to use unsecure WiFi.
  4. Don’t forward your account to an off-campus address.
  5. Finally, do not keep or transmit sensitive (such as Personally Identifiable information) about others in your email.

Make a commitment today to be super-vigilant and to do your utmost to protect your account credentials.

Written by: Gerrit Bos (IT Security Officer, CCS Information Security)