Sierra Silva scrolls through her Western email account. As usual, the fourth-year media, information and technoculture student's inbox is flooded: emails telling her to apply for this internship and attend that life-changing conference and sign up for intramurals because the deadline is fast approaching.
But one email catches her eye. It's a poorly worded email, only two sentences in length, and written with the grammatical elegance of a fourth-grader:
"I have a blessed proposal for you. I am a Sgt of the United state Army."
Immediately, two things strike Silva as odd. First, wouldn't a member of the United States military know that there's more than one state? And second, why was she, a Canadian student, offered this proposal?
Now if Silva was searching for a "blessed" proposal — an enticing proposition if there ever was one — she might have taken them up on their offer. But alas, it's O-Week, and there is fun to be had and classes to prepare for. It can wait.
Most Western University students have experienced something very similar to the bizarre email Silva received. In fact, many students received that exact same email.
While the email's purpose remains largely unknown, it's most likely the work of a grammatically-challenged scam artist hell-bent on stealing sensitive personal information through a cybercrime known as phishing. Often called spam mail, phishing is one of the newest forms in the ancient art of scamming. Its targets are tricked into revealing information by individuals posing as legitimate sources. And despite its cute name, it's far less enjoyable than an afternoon catching trout on Lake Huron.
Perhaps the best way to think about phishing is as a performance. The scammers are trying to trick you into giving away sensitive information by acting out roles which don't truly belong to them. They'll act as system administrators, contractors, doctors — or even sergeants — just to gain your trust. These phishing attempts are carried out by a variety of nefarious groups, ranging from middle-schoolers in their basements to spies and international agents working for interfering governments. Whether it's on the small scale of a student's email account or the grandiose scale of international espionage, phishing is a sinister, and profoundly simple, enterprise.
“At the heart of all phishing is the idea of developing a trust relationship for some purpose, whether it’s stealing your identity or something more nefarious,” says Jeff Gardiner, Western University’s central information security officer.
In 2016, Western began an investigation into a phishing scam that saw the release of some first-year students' personal information from 2014–15.
Outside of the Western community, phishing incidents are well-documented — and occasionally wreak international havoc. In 2016, Hillary Clinton's campaign chairman, John Podesta, was phished by an email telling him someone in Ukraine was attempting to log into his Gmail account. When he clicked the link and entered his username and password, his account was captured. His emails, along with the Democratic National Committee's emails, were stolen, creating chaos in the run-up to the 2016 U.S. election.
While many phishing attempts are easy to ignore, some are more sophisticated than others. To appear more authentic, many of the phishing emails found in students' inboxes have begun to disguise themselves as official Western emails, using both Western-specific terms and @uwo.ca email addresses.
“One of the reasons they use a UWO email address is because you’re more likely to believe an email that appears to have come from Western,” says Gardiner.
Cybercriminals can send from a UWO email address in one of two ways: by spoofing the sending account or by using a compromised one.
Most commonly, the sending account is spoofed. Like a traditional letter, the sending address can be easily changed; thus, nothing is stopping the scammer from disguising their sending address as a legitimate Western account.
Less often, the emails are sent from compromised accounts, which are stolen from students once they fall victim to other phishing attempts.
These emails urge recipients to visit external links, which direct to fraudulent login pages. Once someone enters their information into the account and password fields, those behind the scam have access to their unencrypted passwords. For Western students, this often means the links land them on imitation Student Centre, OWL and Microsoft Outlook pages.
The sophistication among phishing attempts varies greatly, with some standing out immediately and others more difficult to detect.
“They almost always try to appeal to urgency,” says Gardiner. “If the mail appears to come from an authority or is appealing to a sense of urgency, you should be skeptical of it.”
Another clue is if the email is not addressed to the user specifically.
“If your friend contacts you, they might say ‘Hey, Joe!’ or whatever. These [phishing emails] are often anonymous,” says Gardiner.
As is common, the email above includes a link that redirects the user to a site titled "universityofwesterncanada" in an effort to secure their Western login. While not the most clever disguise, a quick glance at this URL may be enough for some students to trust it. If the URL seems legitimate, the legalese at the bottom of the page can sometimes reveal the ploy.
The email is also littered with grammatical errors, a common giveaway.
The sender above has also tried to make their email appear like an internal Western email by including the title “Help-Desk Administrator” and creating a fake copyright footer.
Most phishing attempts adhere to this, or a similar, format.
Again, this scammer is stressing urgency, attempting to lure the victim onto a fake login page by posing as a legitimate Western staff member. This email also contains grammatical errors.
Both emails were sent from an @uwo.ca email address.
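The warning signs described above (an @uwo.ca sender that fails authentication, a link that leaves uwo.ca, urgent wording and an impersonal greeting) can be checked mechanically. The sketch below is an added example, not a tool from Western or from this article; the sample message, the mx.example.net host, the .example link domain and the keyword list are constructed, and it assumes the receiving mail server has stamped an Authentication-Results header on the message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = "uwo.ca"  # the domain the article says phishers imitate
URGENCY = re.compile(r"\b(urgent|immediately|suspended|exceeded)\b", re.I)  # illustrative list

# Constructed sample modelled on the emails the article describes.
SAMPLE = """\
From: Help-Desk Administrator <helpdesk@uwo.ca>
To: undisclosed-recipients:;
Subject: Storage limit exceeded
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail header.from=uwo.ca
Content-Type: text/plain

Dear user, you have exceeded your storage limit. Login immediately to
confirm your upgrade: http://universityofwesterncanada.example/login
"""

def host_is_trusted(host, trusted=TRUSTED):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def phishing_indicators(raw):
    """Return the list of warning signs found in one raw text/plain message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    # 1. From claims the trusted domain, but the receiver's DMARC check did not pass.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    auth = msg.get("Authentication-Results", "").lower()
    if host_is_trusted(from_domain) and not re.search(r"\bdmarc=pass\b", auth):
        findings.append("spoofed-sender")
    # 2. Links whose host is outside the trusted domain (lookalike login pages).
    for url in re.findall(r"https?://[^\s>]+", body):
        host = urlparse(url).hostname
        if not host_is_trusted(host):
            findings.append("external-link:" + str(host))
    # 3. Appeal to urgency in the subject or body.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency")
    # 4. Greeting that does not name the recipient.
    if re.match(r"\s*dear (user|customer|student)\b", body, re.I):
        findings.append("generic-greeting")
    return findings

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A message sent from a compromised account passes the sender check, so the link and wording checks still matter in that case.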
Approximately 65 per cent of the traffic that Western’s email system receives is spam or phishing and, according to Gardiner, most are blocked outright by filters.
“It is an ever-going battle,” stresses Gardiner. “The [Western Technology Services] is currently looking at greater strategies for denying spam or phishing messages [with] the ability to get directly into your inbox, but at the end of the day, it is an arms race.”
Recently, the administration has seen "spear phishing" attacks — a more deceptive and targeted version of phishing. Spear phishing targets a much smaller group of victims, and the sender usually poses as a member of that group.
Phishing emails which appear to have been sent by Amit Chakma, president of Western, have been reported. Such messages only go to a very specific number of staff and even use his signature block to increase authenticity.
If a student believes they have fallen victim to phishing, it's important they take immediate action. Gardiner recommends immediately changing your password online. However, if a student finds themselves locked out of their account, they should turn to their department IT group or the Western Technology Services Helpdesk.
All students have access to Spam Trap, a tool provided by the university to better refine email spam filters. Through Spam Trap, students can review messages flagged as spam, adjust filter preferences and even block mail from specific geographic regions.
Students who receive suspicious emails are encouraged to follow up with the sender either on the phone or in person to verify its authenticity.
“We definitely see the method in which they try to phish us evolving,” says Gardiner. “The more protections we put in place, the more the attackers evolve their approach. It’s a never-ending effort.”
“The consequences of falling victim to this are not just as trivial as losing your identity,” he adds. “We have seen digital harassment and all kinds of serious things that come from this.”
Every time you open up your inbox, be vigilant. There are swarms of malicious cybercriminals vying to gain access to your student account. So next time you read an email claiming that you've supposedly exceeded your storage limit and need to log in to confirm your storage upgrade, think twice about it.
The old adage rings true: don’t believe everything you see on the internet — especially in your inbox.