Phishing at Royal Roads
So, how’s the phishing at Royal Roads? From what I’ve seen, it’s not very good, and that’s actually a good thing. Why? Let me explain…

“Phishing”, as opposed to “fishing”, is the name for a technique the cyber bad guys use to try to “reel you in” to one of their schemes. In a phishing attack, the criminals send you an email that looks like it came from somewhere completely legitimate with the hope that you’ll open it and trigger the installation of some malicious software (“malware”) or click on a link to an infected website or – the granddaddy of them all – provide them with some of your personal information.

We’ve all seen these emails: the one from a bank you don’t even deal with asking you to log in and reset your account, the notification from a courier company about a package that’s ready for pickup, or the advisory from the IT Help Desk that your mailbox is over its limit. Some of them look pretty amateurish, while others are very well done. When the bad guys take the time to research their target audience and craft a message specifically for a small, select group of people, it’s called a “spear phishing” attack. These messages can be very difficult to tell from the real thing, and that’s why this kind of attack is often successful.

The question then is, how do we keep from getting “hooked”? Here are a few suggestions:

  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake before they have time to think.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is a company you do business with, they will know your name.
  • Watch for bad grammar or spelling mistakes. Companies generally proofread their correspondence before sending it out. Keep in mind, though, that a well-written message is not proof that it is genuine; spear phishing emails are often polished.
  • Don’t click on links in the email. Copying and pasting the link gets you to the very same place, so that doesn’t help. Instead, open your browser and type in the address of the organization yourself (or use a bookmark you saved earlier), then log in from there.
  • Hover your mouse over the link or button. This shows the true destination you would go to if you actually clicked. If the true destination is different from what is shown in the email, that may be an indication of fraud. Look closely at the domain name itself, too: criminals register addresses that merely resemble the real one, and on a phone, where there is nothing to hover with, you may need to press and hold the link to see where it leads.
  • Be suspicious of attachments and only open those you are expecting. Also, just because the email “says” it came from a friend doesn’t mean it did; the sender’s address can be faked as well. If you have any doubt, delete the email without opening the attachment.
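Two of the checks above (does the visible link text match where the link really goes, and does the message push urgency or use a generic salutation) can be done mechanically. The script below is an added example, not code from the original post or from Royal Roads; it parses an HTML email body with Python’s standard library and reports those indicators. The sample message and every domain in it are constructed for this example, and comparing only the last two labels of a host name is a deliberate simplification (a real mail filter would consult the public suffix list).

```python
"""Flag common phishing indicators in an HTML email body.

Added example (not from the original post). Implements three of the tips
mechanically: link text that displays one domain while the href points to
another, urgency phrases, and generic salutations. The sample email and the
domains in it are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("immediate action", "within 24 hours", "will be suspended", "verify now")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")

# Visible link text that itself looks like a URL or bare domain name.
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> and all text in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-case host name of a URL, or of a bare domain with no scheme."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def base_domain(host):
    """Last two labels of a host (simplification: no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def analyze(html):
    """Return a list of human-readable findings for an HTML email body."""
    parser = _LinkCollector()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    findings = []

    for href, text in parser.links:
        if not DOMAIN_LIKE.fullmatch(text):
            continue  # "click here" style text: nothing to compare against
        shown, actual = host_of(text), host_of(href)
        if base_domain(shown) != base_domain(actual):
            findings.append(f"link text shows {shown} but points to {actual}")

    findings += [f"urgency phrase: '{p}'" for p in URGENCY if p in body]
    findings += [f"generic salutation: '{s}'" for s in GENERIC_SALUTATIONS if s in body]
    return findings


# Constructed sample: a "mailbox over its limit" lure with a look-alike link.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Customer,</p>
<p>Immediate action required: your mailbox is over its limit.
Please <a href="http://login.example-bank.com.attacker.example/reset">
www.example-bank.com</a> to restore service, or visit our
<a href="https://help.example.edu/quota">help page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Running it on the constructed sample reports the mismatched link, the urgency phrase and the generic salutation; a link whose visible text and href share a base domain produces no finding.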

Now it’s time for a little fun. The following link will take you to a website sponsored by McAfee (a security software company). They’ve set up a little test of 10 messages…some are phishing emails, some are not. You review each email, try some of the techniques mentioned above, and see if you can sort the true emails from the phishing ones. Here’s the link:

So, to answer my original question, the phishing at Royal Roads isn’t very good because our staff are pretty vigilant when it comes to opening their email. And that’s a good thing; let’s keep it that way! When it comes to your email, be suspicious, be wary, and you won’t get hooked.

Don Devenney is a member of the Server, Networks and Telecom Infrastructures team at Royal Roads University and is a GIAC Certified Windows Security Administrator.