Protecting UBC’s information security: precautionary phishing measures

If you are a manager of staff whose work is not computer-based, please print this email and display it in a common work area for them to review.

As a public institution with a significant research focus, UBC has seen an increase in cyberattacks. As you know, we are also about to implement a new enterprise system, Workday, which is likely to generate targeted phishing campaigns with the aim of tricking unsuspecting faculty and staff into providing their credentials.

“Phishing” refers to an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain.

UBC is constantly being phished, with many criminals using tools to further target faculty, staff, and student employees who have already responded to a phish. Most common to UBC are email messages sent with a deceptive link in the message that may appear to have one destination, but actually leads to another. While we attempt to screen email at the source, far too many emails succeed in tricking our faculty, staff, and student employees into clicking or giving up their UBC credentials, posing ongoing risks for the university.

On Monday, many of you noticed a warning tag on external email messages received from non-UBC sources. The tag is a reminder to verify the authenticity of the email before clicking on links, opening any attachments, or responding to the message. Many of you have shared feedback on the external email warning tag, and this has been shared with the Cybersecurity team to consider and improve.

We should also note that in the last 24 hours, there were more than 53,000 phishing attempts blocked. In the last month, there were 1.7 million phishing attempts blocked.

In the lead‐up to Workday, it is more important than ever that the UBC community is prepared and diligent when it comes to potential phishing attacks. To combat phishing, a number of activities are being undertaken to mitigate the risks, including:

  • Self-phishing campaigns: Self-phishing is an educational technique in which fake phishing messages are sent by the institution as a training exercise to help faculty and staff prepare for an actual attack;
  • Implementing mandatory multi-factor authentication (MFA);
  • Training and phishing information sessions during Cybersecurity Month (October).

Please note that given the urgency and immediacy of phishing attacks ahead of the Workday launch, a UBC-wide self-phishing campaign will be deployed during two weeks in October. This will help prepare and educate you on how to quickly spot some of the most common types of phishing and avoid falling victim to their attacks.

We know our community is already experiencing a great deal of change as we adapt to recent events. Anti-phishing measures are important for us to understand our part in being responsible for protecting UBC’s information. For more information on how to report phishing emails, please visit UBC’s Privacy Matters website.

Thank you for your attention to this important matter.

Andrew Szeri
Provost and Vice-President, Academic, UBC Vancouver
Chair, Privacy and Information Security Management (PrISM) Executive Leadership

Jennifer Burns
Associate Vice-President, Information Technology and Chief Information Officer

Rob Einarson
Associate Vice-President, Finance & Operations, UBC Okanagan

This message was sent to faculty and staff in Vancouver and the Okanagan.

UBC Broadcast is used to communicate time-sensitive, organization-wide information to faculty, staff and students.