How to practice cybersecurity in a sea of phishers

‘It’s better to take a moment to than to deal with the consequences of being hacked’

Image by: Natalie Viebrock
Cyberattacks target human behaviour and system vulnerabilities.

When in doubt, don’t click the link.

Cyberattacks are no longer just a threat to governments or large corporations. They have become a persistent issue in universities, targeting students, staff, and institutional systems. According to Paul Muir, the information security officer with Queen’s IT Services, these threats, while technical in nature, often exploit human behaviour.

Muir identified phishing as the most common type of cyberattack targeting students and staff.

“Phishing emails are very prevalent. They’re an attacker’s first attempt to gain access to our systems,” Muir said in an interview with The Journal.

Muir explained phishing uses social engineering to play on human psychology by creating a sense of urgency or fear. This technique is designed to catch individuals off guard, prompting them to click links or share credentials without thinking.

Social engineering is a manipulation tactic in which cyber attackers, instead of exploiting technical vulnerabilities, trick individuals into revealing sensitive information by performing actions.

While Queen’s employs robust cybersecurity measures such as firewalls, no system is foolproof. Muir says phishing controls aren’t 100 per cent effective, meaning the University relies on community vigilance to address the remaining gap.

“It’s a constant back and forth. Attackers adapt to bypass our filters, and we adapt to block them,” Muir said.

“The tactics haven’t changed drastically over the years, but they’ve become more sophisticated in how they play on what matters to people most. For example, attackers often create a sense of urgency, such as claiming your is compromised, to push you into acting without thinking. A phishing email might mimic Queen’s official branding or appear to come from a trusted colleague or classmate,” Muir said.

Edidiong Essienton, HealthSci ’28, experienced a phishing attack firsthand. She received an e-mail from a familiar Queen’s address, with a subject line referencing “remittance advice.”

Assuming it was related to her extracurriculars, she clicked on the link, which led to a counterfeit Outlook page.

“At first, everything looked official, so I entered my Queen’s details. Minutes later, someone from my club reached out saying they’d received a strange email from me. That’s when I realized something was wrong. I went in my sent folder and I saw my email had been used to send similar phishing emails to my contacts,” Essienton said in an interview with The Journal.

Queen’s IT Services quickly flagged her for suspicious activity and locked her out to prevent further damage.

“It made me realize how easily these things can happen. It was scary to think about what else they could access. Thankfully, Queen’s IT Services helped me regain control of my within a few hours,” Essienton said.

Essienton admitted the experience was unnerving, especially knowing how much of her academic life was tied to her Queen’s email.

Muir emphasizes incidents such as Essienton’s highlight the importance of cybersecurity awareness. Queen’s requires all students, staff, and faculty to complete annual cybersecurity training, designed to help the community recognize threats and respond appropriately.

“These programs help bring cybersecurity to the forefront of everyone’s minds, they interrupt that instinctive response to urgency, which is exactly what attackers count on,” Muir said.

Queen’s also has technical safeguards like multifactor authentication (MFA), which adds an extra layer of security to accounts. According to Muir, MFA is a critical tool in the University’s cybersecurity arsenal.

“MFA provides a safety net. Even if your is compromised, it acts as a second line of defense. It’s been a game-changer,” Muir said.

According to Essienton, the experience of having her email hacked has changed her digital habits. She now takes extra precautions, such as verifying the sender’s identity and being cautious with links, even when they appear to come from trusted sources.

“It’s harder to avoid scams when they seem to come from people you know. Now, I call or message the person directly to confirm before clicking anything,” Essienton said.

The challenge of protecting Queen’s goes beyond phishing emails, said Muir. As an academic institution, Queen’s operates with a culture of openness and collaboration, which makes implementing strict cybersecurity controls more complex in comparison to corporations or government organizations that typically have more rigid processes.

“There’s so much diversity of activities at a research-intensive university like Queen’s, and this adds another layer of complexity to protecting our systems,” Muir said.

“Use strong, unique passwords, keep your devices updated, and enable MFA. Small actions like these can make a big difference in protecting yourself from cyber threats. Cybersecurity is not just a technical issue, it’s a community effort,” Muir added.

Essienton urges fellow students to be proactive.

“If something feels off, don’t click the link, it’s better to take a moment to than to deal with the consequences of being hacked,” Essienton said.

Essienton recommended students take advantage of the cybersecurity resources offered by Queen’s, including the mandatory training program.

“The training helps you spot potential threats and understand how to handle them. It’s worth doing,” Essienton said.

Queen’s IT Services urges the Queen’s community to visit the cybersecurity website for free tools and valuable resources. Queen’s students can also contact them virtually or in person at Mackintosh-Corry Hall, room B205, for all Queen’s system-related needs.
