Queen's Gazette | Queen's University


National Cyber Security Awareness Month: Phishing

Throughout October, Queen’s University is recognizing National Cyber Security Awareness Month.

At Queen’s, the goal is to increase awareness about cybersecurity while educating the campus community on ways to better protect your devices, networks, data, and personal information from cyber threats.

In support of the effort, the Gazette is publishing a series of informational articles focused on online threats and tips on how to maintain and improve cyber security at the university.

What is phishing?

Phishing is a cybercrime in which people are contacted by email, telephone or text message by someone posing as a legitimate institution. The idea is to lure these individuals into providing sensitive data, such as personally identifiable information, banking and credit card details, and passwords. 

The information is then used to access important accounts and can result in identity theft, financial loss, and data loss. 

What should I watch out for?

Phishing scammers are becoming more creative and savvy than ever before. These scammers are intent on extracting sensitive information from you in a way that you don't suspect. You may receive an email that looks completely legitimate, complete with headers, footers, and email signatures from a reputable company. The email will ask you to take an action (such as click on a link to ‘verify your account’) and will then direct you to a bogus site to enter your credentials. Once you enter your email and password, the phisher has obtained access to your account. 

How could this work in a place like Queen’s? 

There are many ways phishers can attack in a university environment. For instance: 

  • An imposter can pose as Queen’s IT support calling or emailing to assist with an urgent upgrade 
  • The imposter references a few people and key systems familiar to you, such as Outlook or Microsoft 
  • They then ask for your NetID and password to begin the upgrade 

What is Queen's doing to protect me?

While there is no way to completely block out phishing emails (phishers are getting more and more savvy as technologies improve), Queen's has put some measures in place to protect our community:

  • March 7, 2017: Exchange Online Protection
    There were two primary reasons for moving our email protection service to an online service: the first was reliability, removing our reliance on our campus infrastructure for email delivery; the second was to enable us to take further steps in protecting the campus from email threats in the form of phishing emails.

  • March 20, 2017: Port Blocking at the Border
    With the increase in attacks on the Internet, the need for security and protection rises. At Queen's University, ITS has installed a number of blocks and protections into the gateway between Queen's and the Internet. 

  • June 8, 2017: Microsoft Safe Links
    When a web link (i.e. a URL) in an email or Microsoft Office Online document is clicked, Safe Links performs a scan to determine if the URL is malicious. It does so by rewriting the URL (e.g. http://www.google.ca) with the Safe Link. Safe Links also scans any documents within Office 365 Online at the time of click to prevent malicious file downloads to your system.

How can I prevent being phished? 

The short answer is: you can't. Some phishers spend considerable time researching their targets in order to make their messages seem more credible. You will receive phishing messages in your inbox, on the phone, via text message or another medium. The only way to ensure you do not fall victim to these schemes is by educating yourself.

Legitimate messages – including those from Queen's University – will NEVER ask for sensitive information (password, banking information, credit card details, etc.) via email, phone, or text message.

Queen's offers an Information Security Awareness course that helps you identify phishing scams. Taking the course ensures you have the upper hand in identifying a phish. 

Other best practices include: 

  • Don’t use the same password for each login (e.g. don't use your banking password to access your desktop computer).
  • Never provide passwords, banking information, or personally identifiable information in response to an unsolicited message (e.g. email, text, phone).
  • Never email your account credentials to anyone.
  • Stay current on security news and share your experiences with friends, colleagues, family and peers. 

What do I do if I've been phished? 

If you suspect you've fallen for a phishing email: 

  • Immediately change your passwords and security challenge questions 
  • Contact the IT Support Centre to ensure your account is not compromised