Toronto Metropolitan University (TMU) faculty and staff received a strange DocuSignature email titled, “Please Complete with DocuSignature,” last week from their supervisor’s email address that caused serious confusion.
The email was sent from a dummy email that was meant to mimic the email addresses of very real managers, deans, directors or supervisors (without the sender’s knowledge) asking their employee to sign a document.
Supervisors’ inboxes filled up with concerned emails from staff, “I received many direct inquiries in the middle of the day on Thursday,” said Journalism School chair and associate professor Ravindra Mohabeer.
7,866 employees received the email on Oct.12 according to TMU’s Chief Information Officer, Brian Lesser.
A day later an email was sent out to faculty, apologizing for the confusion and inconvenience it caused.
“The DocuSignature email was designed to assist employees in recognizing deceptive phishing emails,” wrote Lesser in the emailed apology.
The phishing email stunt was a part of TMU’s Cybersecurity Awareness Month Campaign, with the goal “to simulate attacks so people would be less susceptible to them in the future,” said Lesser in an interview.
In the last two years TMU has seen an increase in targeted phishing attacks attempting to fool people into thinking it came from deans and managers, explained Lesser, which he said “can lead to identity theft and data breaches.”
Lesser argues, the best way for people to combat these attacks is to simulate them,“people need to know how to defend themselves.”
Phishing attacks on educational institutions has seen a significant rise since 2021. According to a report from Zscaler Blog, education was the most targeted industry in 2022, with attacks increasing by 576 per cent.
Although, the emails did cause frustration among staff, Lesser argues “it is important to be vigilant,” in regards to detecting phishing schemes.
Some frustrated staff told Lesser not use their name again for training emails where as others “pointed out it was a great simulation,” said Lesser.
In past OTR reporting, students said they felt stressed by the phishing initiative and even asked to be removed from the email list.
TMU will continue to send phishing emails as part of their cybersecurity awareness program, however it will now be required that faculty approve their names for cybersecurity simulations.