June 7, 2018
On June 4th, a large department at the university was impacted by a sophisticated email phishing attack. This attack was an example of effective social engineering (the use of deception and manipulation to gain information).
In this incident, the scammer impersonated the chair of the department and asked targets to buy and scan pre-scratched iTunes gift cards; unfortunately, the targets complied. This attack didn’t have any of the common warning signs of a phishing attempt: it didn’t contain spelling errors, the text was not vague or generalized, and the user was not prompted to click on a link or download an attachment. The message was crafted to seem informal enough to resemble a real communication from the chair.
This attack is currently under investigation by the information security response team. These days, phishing attempts are becoming more and more sophisticated. Be wary of unusual messages, even from known contacts. If you are uncertain, confirm the truth of suspicious messages with colleagues over the phone or, better yet, in person. If you think you have received a phishing email, contact firstname.lastname@example.org. To learn more about social engineering and phishing attacks, visit securitymatters.utoronto.ca.