Several emails designed to appear as though they are from prominent members of the McGill community have targeted recipients both within and outside of the McGill community in recent weeks. These emails may request or provide information, including requests to send money. They have been identified as social engineering attacks.
What is social engineering?
Social engineering occurs when an attacker pretends to be a person or an organization you know and trust. By gaining your trust, the attacker attempts to compromise your computer or steal information.
Note that social engineering emails may not contain any fraudulent links: the aim of this type of attack is to initiate direct communication with potential victims, so attackers may simply ask that you reply to them in order to obtain more information from you.
If a message seems odd, suspicious, or too good to be true, it may be a social engineering attack.
How to detect social engineering
Make sure the sender is who it appears to be.
If an email seems to come from a member of the McGill community:
- Look at the address in the From field: Is it a McGill email address (ending in mcgill.ca)?
- To verify, click Reply All, but DO NOT send the reply.
- Now, do you see a McGill email address in the To: field?
If the sender’s email appears at first to be a McGill address, but upon closer inspection proves not to be, it is likely a social engineering attack. Do not reply to this message, or click on any links in the message body.
If the sender appears to be someone you know, phone them or ask them in person to verify that they sent you this email.
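The two checks above (is the From address a mcgill.ca address, and where would "Reply All" actually send your answer?) can also be run over a message's raw headers. The following is an added example and not part of the McGill notice; the three sample messages are constructed, and the only assumption is that mcgill.ca is the trusted domain, as the notice states.

```python
# Added example: automate the manual sender checks from the notice above.
from email import message_from_string
from email.utils import getaddresses

TRUSTED_DOMAIN = "mcgill.ca"  # per the notice, genuine sender addresses end in mcgill.ca


def is_trusted_domain(addr: str) -> bool:
    """True if the address's domain is mcgill.ca or a subdomain of it."""
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def check_sender(raw_message: str) -> list[str]:
    """Return warning strings; an empty list means both checks passed."""
    msg = message_from_string(raw_message)
    warnings = []
    from_pairs = getaddresses(msg.get_all("From", []))
    from_addrs = [addr.lower() for _, addr in from_pairs]
    # Check 1: the address (not the display name) in the From field must be mcgill.ca.
    for name, addr in from_pairs:
        if not is_trusted_domain(addr):
            warnings.append(f"From address {addr!r} (display name {name!r}) is not a {TRUSTED_DOMAIN} address")
    # Check 2: Reply-To is where "Reply All" sends the answer; it must also be mcgill.ca
    # and should match the From address.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if not is_trusted_domain(addr):
            warnings.append(f"Replies would go to {addr!r}, which is not a {TRUSTED_DOMAIN} address")
        elif addr.lower() not in from_addrs:
            warnings.append(f"Reply-To {addr!r} differs from From address(es) {from_addrs}")
    return warnings


# Constructed samples: a genuine message, a look-alike From address, and a genuine-looking
# From address whose replies are silently redirected elsewhere.
GENUINE = "From: Jane Doe <jane.doe@mcgill.ca>\nTo: staff@mcgill.ca\nSubject: Meeting\n\nSee you at 3pm.\n"
LOOKALIKE = ('From: "Jane Doe (Dean)" <jane.doe.mcgill.ca@example.com>\n'
             "Reply-To: jane.doe.mcgill.ca@example.com\nTo: staff@mcgill.ca\n"
             "Subject: Urgent request\n\nAre you available? I need a favour.\n")
REPLY_REDIRECT = ("From: Jane Doe <jane.doe@mcgill.ca>\nReply-To: jane.doe.mcgill.ca@example.com\n"
                  "To: staff@mcgill.ca\nSubject: Urgent request\n\nPlease reply to confirm.\n")

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("redirect", REPLY_REDIRECT)):
        print(label, check_sender(sample) or "OK")
```

The third sample is the case the "Reply All" step in the notice is designed to catch: the From field looks right, but the reply would leave mcgill.ca.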
Resources to learn more about social engineering:
- View the “Social Engineering” module of the SANS Video Library
(If this is your first time accessing the library, you may need to register for the McGill IT Security Awareness Training program through myCourses)
- Social Engineering and Phishing: Targeting your workplace
(From Get Cyber Safe, Canada's official government cyber safety site.)
- Avoiding Social Engineering and Phishing Attacks
(From US-CERT, a US government site dedicated to promoting cybersecurity)
- How to report suspicious emails to the IT Service Desk