An email lands in a student’s inbox pretending to be from an unnamed recruiter at the University of Toronto. It claims to have received an application for an easy-sounding, part-time and remote job that pays $700 every two weeks – no experience required. Just follow the link to apply.
The fake job offer is one of many real phishing attempts recounted on the university’s Security Matters page in an effort to warn the U of T community about recent cyber scams.
Shannon Howes, U of T’s director, high risk, community safety and crisis and emergency preparedness, says such cyber frauds are not only becoming more common – they are also becoming sneakier.
“Even rudimentary phishing attempts, there’s an estimate that one in 10 people will fall victim to them,” she says. “If you think about some of the more sophisticated attempts being made, the statistic jumps up to more like three in 10. So, it is a pervasive problem right now and we have had a lot of people who have been targeted at the university.”
Howes recently spoke to U of T News about how people can protect themselves from cyber fraud and what they should do if they are duped.
What do these cyber scams look like?
There are a number of different types of frauds and scams that we’re seeing right now. One kind that is really prevalent – and members of the community will have seen examples in their inboxes – are phishing attempts.
These attempts are perpetrated by people who are trying to mine user information so that they can compromise personal accounts such as bank or credit cards, or engage in identity theft. There are very sophisticated ways of masking an email address so that an email appears to be from someone who might be an actual official at the university, a bank employee or someone from the Canada Revenue Agency, for example. When recipients click on the embedded link they are redirected to an online form, where the scammer requests a number of different pieces of personal information. That could include a date of birth, social insurance number, credit card numbers and photos of personal IDs such as a driver’s license. There are many different types of information that can be requested and then used against you.
Some of the scams we are seeing reported at U of T are admission frauds, where individuals are posing as faculty members and are advertising supposed “pathways” for gaining admission to U of T in exchange for a hefty application fee, or, in some cases, full tuition fees paid up front. There’s quite a wide range of types of scams, but for the most part they're monetarily driven.
We have also seen a lot of frauds targeting our international students. Incoming international students can be particularly vulnerable because they’re new to Canada. They don't necessarily have local supports that can help them do things like open a bank account or seek trusted advice when confronted with something like apparent criminal charges or threats of deportation. They may also be less familiar with how things work in another country (the consumer protections, privacy rules, etc.) and may not realize how suspect some of these demands are.
How big is this problem?
The scams we are seeing are actually growing in prevalence and in sophistication. There is some research that indicates that scams, and especially email scams, go up in frequency during times of crisis. The COVID-19 pandemic has provided a ripe environment for fraudsters to try to take advantage of people, particularly while people have been facing a lot of change, isolation, instability and uncertainty. Email scams are socially engineered to prey on the emotions of readers and to instill a sense of urgency to respond, and these emotions are already heightened during a time of crisis.
I think most people will be familiar with seeing an email come into their inbox that doesn’t look quite right. The sender could be posing as your bank, asking you to log in through a link or an email could come in looking like it’s from the Canada Revenue Agency, saying there’s a problem with your Social Insurance Number. There may be spelling mistakes or generic greetings used in these emails, whereas you would expect to be contacted by your name if the email was legitimate.
Unfortunately, these types of attempts, while they've been around for a long time, are increasing in sophistication and the credibility of how they present themselves. So, it’s actually becoming much more commonplace right now – and people are falling victim.
Even with rudimentary phishing attempts, there’s an estimate that one in 10 people will fall victim to the ruses. If you think about some of the more sophisticated attempts being made, the statistic jumps up to more like three in 10. So, it is a pervasive problem right now and we have had a lot of people who have been targeted at the university.
Some of the frauds that have been reported at the university this fall involve relatively small amounts of money and some involve very large amounts. It’s important to note that falling victim to fraud is not just a student issue – this is affecting faculty and staff as well.
What are the red flags to spot in a phishing attempt?
The Office of the Chief Information Security Officer is currently piloting an online training session that they are hoping to roll out broadly to members of the university community about different types of cyber fraud – not only specific to phishing, but also ransomware and other cyber threats and fraud attempts.
One of the top recommendations to identify a phishing attempt is for people to pause and assess an email. Often, these fraudulent emails try to prey on our emotions. If it’s a phishing attempt, it could say you’ve won this fantastic cruise in a lottery – even though you never entered a sweepstakes. Your sense of curiosity, your excitement triggers this emotional response leading you to think, “Oh my gosh, did I actually win something?”
Likewise, a lot of phishing attempts manufacture a sense of urgency. They might say your system has been compromised, or your SIN number has been compromised – act now by clicking this link. This triggers a fear response.
One of the best things you can do is “practise the pause” – stop what you’re doing, take a breath, and actually evaluate what you’re being told to do, and whether it makes sense. Is this an organization that you normally deal with and is known to you? Is this a person who you actually know in real life? Does what they’re asking you to do make sense?
What happens if the person contacting you says that they are from an official agency – law enforcement for example?
The same recommendations apply here. Pause, take a breath and assess what you are being told and what you are being asked to do. Does it make sense? Did they use your proper name when they addressed you? Were you contacted by a recorded message?
It is important to note that no legitimate agency will ever hold it against you for hanging up the call and taking the time to follow up with them on the phone through a legitimate number – that you might find on the back of your credit card, for example, or on their website. Tell the person that you are speaking with that you would like to verify who they are and will call them back. No legitimate government agent or member of law enforcement personnel will fault you for double checking that they are who they say they are. If they get upset or start to escalate on the phone they are more likely a fraudster trying to use a sense of urgency and fear to prey upon you.
Another very important point: Bitcoin and gift cards are not a legitimate currency for official purposes in Canada. The university won’t accept them and neither will the Canadian government or law enforcement authorities.
Also, you should never have to pay to avoid criminal charges. That’s not something law enforcement does. If you’re being asked to pay someone claiming to be a police officer to avoid being charged with criminal activity, that’s a big red flag.
Would you recommend adjusting your email filter to prevent being targeted by scams?
Definitely look into your security settings, including your email filters, on your personal accounts.
Through our UTmail+ accounts, we’re really lucky to have a good filter feature already built in and a reporting structure in place for when phishing emails find their way through. You can click on “Report Email” and send it through to firstname.lastname@example.org for IT Security’s awareness and action. There’s also something at the university called the Phish Bowl, where real-life examples of fraudulent emails that have been reported are posted. It's a good idea to review the Phish Bowl from time to time to stay current on the types of scams that are actively going around.
The IT Security team also has excellent resources about getting “cyber safe” on their Security Matters Website. They also address how to maintain your UTORid safety and share a lot of information about how to identify phishing or ransomware attacks.
Additional steps that can be taken include: paying attention to the external email notification banners that have been activated on UTmail+ accounts; connecting to Virtual Private Networks (VPNs) when accessing the university’s system from remote locations; and ensuring that multi-factor authentication (MFA) is set up for your Microsoft account – U of T recently introduced a new MFA program to the tri-campus community called UTORMFA.
What about safety on social media platforms?
In terms of social media safety, one of the things we recommend is conducting an annual refresh on the privacy policies on your different platforms and reviewing who your online friends are. Do you actually know everyone on your friends list personally? If you are engaged in some work online around influencing and you need to have a platform with followers who are unknown to you, make sure you keep a distinct platform for your personal pages and be cautious about what information you share on your public-facing accounts.
Additionally, consider whether moments need to be shared live or if they can be shared at a later date/location. Geo-tagging can unwittingly let scammers know where you are physically and when, especially if you are active with your posting. Consider turning off geo-location tags all together. Also, know how to actually delete your accounts when you close them. Inactive accounts that are still accessible to other users can often be a source of a lot of information about you.
Finally, be wary of who you connect with online, especially if you do not know them in real life. Online dating sites and chat rooms can be a dangerous breeding ground for different types of romance scams and catfishing. These can sometimes lead to sextortion attempts. Sextortion is a form of extortion where scammers create fake profiles on social media and dating websites. They use these profiles to lure victims into a relationship and coerce them into performing sexual acts on camera with the intent to record the session. Once the images are in the scammer’s possession they threaten to distribute if the victim doesn’t pay them, or sometimes provide additional sexual images.
What should you do if you’ve been duped, clicked on a malicious link or, worse, transferred money to a stranger?
If you believe you’ve become a victim of a fraud you should contact Campus Safety, Special Constable Service to file a formal report. They are a tri-campus service and work directly with local law enforcement – Toronto Police for U of T Scarborough and St. George and Peel Police for U of T Mississauga – on criminal matters. Campus Safety officers work closely with the fraud divisions within municipal police services on incidents of fraud.
If the fraud occurred via your UTmail+ accounts or if your UTORid may be compromised, you should also report the incident to email@example.com
In terms of university resources and support services, if you think that you’re in a situation where you’ve mis-stepped or divulged too much personal information – perhaps shared photos of yourself or your personal identification cards – we advise you to contact the Community Safety Office (CSO), even if you’re not being scammed yet. This team has case managers available that can meet with you to try and do some proactive work to help prevent you from falling victim to fraud, to help you consider what may be compromised and whether there are organizations you need to proactively reach out to, and how to set up a monitoring plan.
In the event that a critical piece of information has been compromised, such as your Social Insurance Number, a member of the CSO team can help you manage the reporting pathway. They can also provide personal support and assist you in navigating any accommodations that may be needed as a result.
What is the university doing to protect its community from cyber fraud?
The university is taking a very proactive stance on fraud. University offices are engaged with local law enforcement and cyber security to stay on the cutting edge of data security and protection software, as well as practices and areas of concern for law enforcement. Additionally, the university has established a Fraud Prevention Working Group that will be rolling out a number of education and awareness initiatives across the three campuses.
One of the most effective ways to prevent fraud is to educate members of our community about what fraud looks like. We have been working on a central Fraud Prevention Website that will offer members of the university community a one-stop location to learn about different types of scams with real life scam examples, tips on how to protect yourself from fraud attempts, as well as resources – both at the university and in the community – that can assist individuals who find themselves targeted.
Knowing that a significant number of the frauds that have been reported to Campus Safety are by international and first-year students, a lot of the initial education efforts will be focused around residences, commuter students and international students – with additional focus around issues such as income tax season, application scams and personal data hygiene to come.
How else can you protect yourself?
Again, one of the best ways you can take steps to protect yourself is to “practise the pause.” That pause is something that helps us in a number of ways in our daily lives. Stop, take a breath, and think about the situation. If we know that scams are socially engineered to prey on our emotional responses – be it fear, excitement, curiosity, etc. – then a great way to combat fraud is to give ourselves the time to evaluate the request objectively.
Another way of protecting yourself is by protecting your personal information. This includes good password hygiene (using different passwords for your different accounts). It sounds like a lot to remember, but you can download some very secure apps that can help you with password management.
Protecting your privacy also means being careful about your social media presence, including making sure that your geo-locators are off when you’re posting things so your location isn’t being tracked and being wary about how much information you share. One thing scammers do to appear more legitimate is mine your social media, so they know your parents’ names, your birth date and even your dog’s name when they make contact with you.
Finally, identify who you are dealing with. Verify the identity of the email sender or the person on the other end of the line. Make sure there are no spelling mistakes in URLs and email addresses. Remember – no legitimate authority figure will question you hanging up and calling them back to verify their identity through a trusted source. The same principle is true for social media. Know who you are speaking with. Be wary of requests from people you only know via online chat rooms and social media platforms.
Being careful about what you share, how you share it, and who you are sharing it with, is a key way to protect yourself.
More information can be found at the following websites:
- Community Safety Office
- International Education Centre at U of T Mississauga
- International Student Centre at U of T Scarborough