Canada Revenue Agency is that really you emailing me?

If you’ve ever been mortified after clicking on a phishing email you are not alone. According to Statistics Canada, four in ten Canadians experienced at least one type of cybersecurity incident since January 2020. With the world spending more time online due to the pandemic, cyberattackers have taken note and ramped up their efforts as well–the same Statistics Canada report indicted that 14% of survey respondents had received COVID-specific phishing emails (i.e. pretending to relate to COVID test results or the Canada Emergency Response Benefit). University Systems’ new simulated phishing training aims to help us steer clear of these dreaded phishing emails.

Simulated phishing training is a recognized industry approach to help build cybersecurity resilience amongst employees. Beginning this month, UVic email accounts will receive three or four simulated phishing emails each month. If you ignore the message by either deleting it or using the “report phishing” button in MS Outlook, the training feature will not be triggered. If you engage with the email by clicking on links or opening an attachment, the training feature will pop up with tips on how to spot elements of the message that make it suspicious.

What makes an email suspicious? Cyberattackers are constantly honing and changing their techniques, so for insights on the latest scams, check Systems’ Phish Bowl blog.

The blog deconstructs actual phishing emails the university has received, highlighting all the things that are “phishy” about them. There are several tell-tale signs of a phishing scam: requests to click on a link and log in to a site (typically using your UVic credentials), spelling and grammar errors in the message, unfamiliar email addresses or senders, and attachments from unknown senders.

Our goal is to help faculty and staff keep their accounts secure. The simulated phishing training offers just-in-time help to spot a potential future cyberattack. The skills can be applied to all areas of your digital life–work, home, volunteer, community–to help keep you safe online.
—Nav Bassi, director and chief information security officer

Although training is anonymous (the system does not retain who engages with the simulated phishing emails), the aim is that, over time, faculty and staff will engage with fewer of the simulated email messages as we become better at spotting those dreaded phish.

For more details on simulated phishing training and to see a sample message, visit UVic Systems' notice page.

More information: Canadian Centre for Cyber Security