Go phish: Ryerson sends fake emails to show the real consequences of cyber scams

Artwork by MaryAnn Icaro.

Have you had any vaguely worrying emails pop into your Ryerson account lately, perhaps from a certain “emailTeam@ryerson.ca?” If so, don’t click on them—they’re part of a cybersecurity test set up by Ryerson’s IT department to educate the Ryerson community on the dangers of online hacking.

Don’t let your mind run wild with fears of identity theft at the prospect of stumbling onto one of these emails. If you do click, you just reveal your cyber ignorance to the Computing and Communications Services (CCS). It’s all part of an awareness campaign they kicked off in October for cybersecurity awareness month.

Brian Lesser, CCS’s chief information officer, says that a common problem organizations have is “reaching people in a way to help change their behaviour so they protect themselves. If we just send emails saying ‘watch out for phishing,’ people skim it and that’s it.

“Cybersecurity awareness is a big problem, and one of the best techniques anyone’s thought of to teach people about phishing is to actually phish them, except in a harmless way, of course,” says Lesser.

CCS is trying to dupe the Ryerson community by sending their own harmless versions of scams that cyber-criminals use, where they pose as a legitimate organization that wants you to hand over your personal information in a hurry. Upon clicking one of these emails, a blunt message throws the harsh reality of your security mistake back in your face: “Oops! You clicked the link in a fake phishing email,” followed by tips on how to spot phishing.

“During October you’ll get six or seven of these emails, and we hope to see the click rate go down after each one. Now that the first wave has gone out, about 17 per cent of people have clicked on it,” Lesser says.

Fourth-year arts and contemporary studies student Nick Patterson has never had any security breaches and says that CCS’s fake phishing “has definitely made [him] more aware about the possible risks and hacking that happen across the internet.”

On the other hand, if you’re one of those who clicked on the email, try not to think about the fact that you’re in the bottom 17 per cent.

Instead, worry about what could happen if it was a real hacker. Lesser says they “see people’s accounts hijacked who had given their password away. We’ve had cases where hackers went into RAMSS and dropped someone’s courses.”  

Depending on your course load, this may sound either scary or liberating. In these cases, since hackers could also presumably add courses, it’s probably terrifying.

Lesser says this new interactive push by CCS “was controversial when it started, but now everyone’s sort of gotten over it and realized it’s the university sending it. And we’re not doing it to humiliate you, it’s just one of the few things that works so you’re better prepared.”

But what other steps can you take to better protect your account? Setting up two-factor authentication is a step CCS has rolled out for all Ryerson students this year, which means receiving a code on your phone that you type into your computer when you log into your Ryerson account.

If the fear of losing everything you have isn’t enough to get you diving into cybersecurity, maybe contests and prizes will.

“We have a couple prizes, including an iPad we’re giving away for students who take the steps we recommend [like two-factor authentication],” says Lesser.