With the arrest of an Ottawa man accused of dozens of ransomware attacks across the continent, the prevalence of so-called phishing scams is at the forefront of cybersecurity efforts.

But it’s not just businesses and government websites that are attacked.

Even though many students are very tech savvy, Carleton University too is dealing with phishing and scam emails. And in 2021, these activities have become more elaborate and more targeted. For students, these attacks are downright irritating.

“I find it annoying and worrying that it’s been going on for months or maybe even a year since I’ve been getting these emails promising fake paid positions,” said Carleton student, Nadine Bendou.

This past summer, phishing emails began to flood into the school email inboxes of students. Most of them offered highly paid remote work to applicants. It’s a tempting offer. But if students are hooked by phishing, their identities can be stolen, along with account logins, compromised financial accounts, malware installation and more.

“During this time that we are in, working from home would be great. Therefore, you have been offered a campus employment office Job Opportunity,” one of the emails wrote, and provided a $400 dollars weekly salary. 

An example of phishing email received by students
A phishing email sent to students on Oct. 27©️Jingyao Yu

These emails often contain links for more information. Links led to websites that ask for passwords, personal information, or bank accounts.

“I also find it weird that Carleton hasn’t figured a way to get rid of these phishing emails,” said Bendou.

The confusion started with the suffixes of phishing email accounts. Like official Carleton emails, these external accounts also end with cmail.carleton.ca. 

“There is a myriad of ways that phishing groups obtain email addresses,” said Steven Reid, a media relations officer with the university. “While it is not a Carleton-specific problem, universities and colleges are heavily targeted by phishing campaigns.”

Reid said that the university has been working on email protection since the start of widespread email use. 

“Carleton, like most organizations, has worked constantly to evolve its email protections to match the tactics phishing groups employ to lure,” he said.

But some students aren’t satisfied. Ross-Gruben, a fourth-year student, said the school was “not doing well” at informing or protecting the students. 

“What Carleton is doing, sending out (warnings), or even just to try to prevent this from happening in the first place, is non-persistent,” said Ross-Gruben. “The amount of phishing email in my own inbox can probably rival my actual emails. This is how bad the security is.” 

Two years ago, Ross-Gruben was caught off guard because he was over-tired. He does not remember the exact content of the email, but he clicked on a link and gave away his bank information.

“When I woke up, I double-checked the email and then I noticed that it was worded weirdly. So, I went straight to my bank and told them I fell for a scam,” he said. Luckily, no money had been taken and he quickly changed the password. 

Ross-Gruben worries that other students could fall for one of these scams just like he did: “especially now, this is the worst time for people to fall for them. The emotional level of everybody is getting an all-time high because all of these deadlines are coming. So, something must be done.”

Controlling phishing emails

Reid said that in June 2021, Carleton’s Information Technology Services (ITS) launched a report phishing button that is available for students using cmail to report phishing via Outlook. The ITS website also maintains an informational page about phishing and reporting.

“We have also launched a series of Security Awareness courses open to students. The courses contain short, digestible online modules on a variety of cyber security topics, including a substantial amount of information on how to stay safe from phishing attempts,” he said.

@mrmay0r

How to use ITS’s report phishing button on Outlook#carletonuniversity

♬ Spring – Aesthetic Sounds

ITS will also be sending out safe, simulated phishing emails to inform what phishing attempts look like “in an effort to hone the Carleton community’s cyber security skills”.

Reid said the university has had some successes: Carleton has invested in email filters that work 24/7 to detect malicious traffic. In October 2021, for example, Carleton rejected 77 per cent of all incoming emails because the systems flagged them as containing spam, phishing attempts or other malicious content.

Evan Koronewski, team lead at Communications Security Establishment (CSE) said that in their  National Cyber Threat Assessment 2020 report, they assess that almost certainly, over the next two years, Canadians and Canadian organizations will continue to face online fraud and attempts to steal personal, financial, and corporate information.

Carleton encourages students to contact ITS if they think they have been phished and to install an up-to-date antivirus program on their devices. 

“The phishing industry is known for pivoting rapidly and adopting new strategies as quickly as the information security sector can find solutions. It is an ongoing fight that Carleton will continue to invest in,” said Reid.