MONTREAL: Anyone getting an email from McGill University that sounds a little “phishy” ought to beware.
The university was forced to call in Montreal police after being targeted by identity fraudsters in a recent phishing attack designed to acquire confidential information from staff and students.
Although 36 McGill Minerva accounts were hacked and 14 had deposit information changed to another account, McGill believes that it contacted the banks in time and was successful in recalling all payments, a spokesperson said on Monday.
“No one has suffered any financial loss, we believe,” said the spokesperson.
This is a worldwide problem and universities across the globe, as well as across the country, have been targeted in phishing attacks.
Phishing attacks or scams trick users into revealing confidential information with the aim of gaining illicit access to systems. Most phishing attacks are conducted by emails which mimic legitimate establishments and urge potential victims to enter account numbers and/or passwords. Attempts to log in reveal financial information and account details to the phisher, who then has control of the account.
Concordia University sent out an email in May alerting its community to the fact there were “several email phishing scams” going on.
“We have been the victim of phishing attacks and we’re not alone,” said Chris Mota, director of media relations at Concordia. “As much as we try and remind and warn people, there are always the few exceptions who click on a link coming from Concorida.ca (notice the misspelling) or the Help Centre, or other seemingly reliable sources.”
However, a spokesperson at the Université de Montréal said on Monday that phishing hasn’t been a particular problem there recently. Jenny Desrochers, director of media relations at the Université du Québec à Montréal, said UQAM hadn’t been targeted in as big a way as McGill either, although phishing is always a concern.
“We are always very attentive and vigilant about this phenomenon that targets many large institutions,” Desrochers said.
She said measures have been taken to prevent phishing, primarily through informing students and staff about the existence and the risks of this type of identity fraud.
Phishing attempts can be very convincing despite universities’ and banks’ constant reminders that they would never send an email asking for confidential information, nor ask people to log on to a website to do so.
In a message to all members of the McGill community, Michael Di Grappa, vice principal of administration and finance, said the phishing attack started July 11 and directed users to a website that looked very much like the school’s Minerva page, while asking them to supply their McGill username and password and/or their McGill ID and PIN.
“Upon discovery, the Information Security Office disabled access to all 36 affected user accounts and Human Resources are in the process of notifying all individuals affected,” Di Grappa said.
Students and staff are reminded to be on the lookout for a phishing email — one that targets McGill users and appears to be coming from McGill — that asks for any personal information. McGill is providing tips on phishing at: http://kb.mcgill.ca/it/phishing. Anyone who believes they have been a victim of phishing can contact: ITsupport@mcgill.ca.