The University of Ottawa was targeted by a sophisticated phishing attack, the Business executive scam. A fraudulent email account using the name of a uOttawa executive was used to send a legitimate-looking email to an employee. The employee who is authorized to access University’s financial systems was requested to process an urgent payment on an invoice before the end of the day. The attack was identified and prevented immediately; University systems were not compromised.
Given the seriousness of the situation, and the potential damage a phishing attack like this can cause, we are reminding everyone to be diligent when dealing with all electronic communications, links, and attachments. A reminder that a phishing message is an attempt to gain access to your personal and university accounts, and private information. If you receive such message or similar phishing attempts, DO NOT click on any of the links in the email or reply to the message, and permanently delete (SHIFT + delete) the message immediately.
It is important to remember that the University has controls and policies in place to help prevent fraudulent activities. Directors and Managers have a fiduciary responsibility to know and practice our policies. Practicing sound financial stewardship is key. Remember that prior to making any payments, we should ensure University policies have been followed. Payments over $5000.00 should always have a contract in place in accordance with Policy 36. If a request for payment seems questionable, ask questions. Credible vendors/sources will never require payment immediately.
Actions to take now:
- If you clicked on an embedded link, provided your credentials, or responded to a phishing attempt, immediately contact the Service Desk at extension 6555 and change your password.
- If you have not yet completed Digital Self-Defence training, we encourage you to do so as soon as possible. The training is available to full-time, non-teaching staff and will help you with strategies to identify and protect yourself and others against attacks. Employees are our first line of attack against cyber-attacks.
- If you would like to learn more about identifying email/cyber-attacks, consult resources on the IT security website, such as our Spotlight on email, spam & phishing.