Faculty, staff and students are being encouraged to be on alert for phishing emails impersonating Human Resources, payroll and/or university administration. UBC’s cybersecurity team has identified highly convincing emails that include links to fraudulent login pages and multi-factor authentication (MFA) prompts designed to compromise payroll systems. The phishing campaign uses deceptive HR- and payroll-themed emails possibly concerning pay, bonuses, or leave approvals to trick users into revealing credentials or approving uninitiated MFA prompts.
These tactics may also exploit MFA fatigue – where attackers repeatedly send MFA push notifications hoping that a user will accidentally or out of frustration approve one. Receiving an MFA prompt that you did not initiate is a clear sign that your username and password have been compromised. Never approve an MFA request you did not initiate, and report it immediately to UBC Cybersecurity at security@ubc.ca.
While there is no evidence of a Workday or system breach, these emails indicate the need for continued vigilance in our community.
Sample phishing email subjects seen at UBC include:
- “Paige Capece shared ‘Employee Salary Adjustment Approval1’ with you”
- “16.89% Salary Increase Letter – Monday, October 3, 2025”
- “Q2 Payroll and Compensation Update – Action Needed University of British Columbia”
- “Bonuses Distribution, Payroll Upgrade, and Health Insurance for All”
- “[Approval Rejected] Your Annual Leave/Vacation application have been rejected by HR Coordinator (Review & Re-Apply)”
These same lures have been used across multiple universities.
We are reminding all members of the UBC community to be vigilant and suspicious of any email that asks you to click on links that require you to enter your UBC credentials. If you receive an email asking you to log in to Workday or any other system at UBC, please note the following:
- Never approve multi-factor authentication prompts you did not initiate.
- Emails received from senders outside UBC will usually have a yellow banner stating [CAUTION: Non-UBC Email] at the top. If you receive an email requesting you to log in to a UBC system, and that email has a yellow banner, it means it is not from UBC and you should report the email to UBC Cybersecurity immediately at security@ubc.ca.
- The correct UBC Workday URL is hxxps://myworkday.ubc.ca, which will take you to the official CWL login URL for Workday, starting with hxxps://authentication.ubc.ca
- If you receive an uninitiated MFA prompt, or you have accidentally provided your credentials, please report this immediately to UBC Cybersecurity at security@ubc.ca.
For more information, please review our resources on phishing emails here: hxxps://privacymatters.ubc.ca/phishing-emails
Please note: For added security, we have changed the above links to include an hxxps:// prefix. Simply copy and paste the URL into a web browser and replace hxxps:// with https://. Together we can keep our information secure.
Thank you for your continued attention to cybersecurity and for helping to protect the UBC community.
Jennifer Burns
Associate Vice-President, Information Technology
Chief Information Officer
Larry Carson
Acting Chief Information Security Officer
This message was sent to faculty, staff and students in Vancouver and the Okanagan.
UBC Broadcast is used to communicate time-sensitive, organization-wide information to faculty, staff and students.