Tricky multi-stage phishing attack hits campus

- Attacker makes an innocent inquiry about one of our services through email.
- Once you respond to the inquiry, the attacker replies with an email that includes a complaint with a malicious link disguised as a photo.
What makes these malicious emails so hard to spot:
- The email has the right context
- The email is part of a legitimate email thread
- The email includes a plausible, compelling reason to click the link such as a complaint about service
- The email comes from a prospective customer, so the sender’s name and email address cannot be used to determine legitimacy
Only by hovering over the link can you determine that the email is malicious.
That banner telling you to back up your files to another Google account … ignore it.
05/05/2026
Every once in a while, Google releases a new security feature. Usually, the new features are very helpful and do help protect your data. However, the feature released this week doesn’t follow that trend. It appears as a banner at the top of your Gmail window.

For your personal Google account, this isn’t the worst advice. Backing up your Google account to another Google account will protect your data should an attacker compromise one of the accounts. In fact, you should have three copies of anything you work on: the working copy, one backup and another backup in a different location. Using another Google account fulfills the backup-in-a-different-location requirement.
However, for your MRU Google Workspace account, transferring content to another Google account is a big no-no. It may violate our Privacy Policy, Information Security Policy and our Acceptable Use of Computing and Communication Resources Policy. As well, your personal Google account lacks some of the safeguards that we have placed on your MRU account, leaving the data vulnerable.
In addition to possible policy violations, there really is no need for you to manually back up your account. We manage our own instance of Google Workspace and backups are done automatically.
We are currently working on turning this feature off. Until then, just ignore the banner should it pop up.
How to prevent attackers from scheduling appointments in your calendar
03/30/2026
Most organizations have robust email filtering systems which prevent the majority of malicious emails from arriving in inboxes. As a result, attackers are always looking for new ways to trick these email filters. The latest technique is to include a notification of a subscription renewal within a Google Meet invite. These emails come from a legitimate email address and contain no links, just a phone number. With no malicious flags to detect, the emails are considered legitimate by the email filters.
To add to the annoyance, if you don’t have your calendar set up correctly, the event is scheduled into your calendar automatically without any interaction on your part. When the meeting reminder is sent out, you are shown the fake subscription renewal again, increasing the chances you will respond.
While there is nothing you can do to prevent the invite from arriving in your inbox, you can prevent the meeting from being scheduled into your Google Calendar. Open your calendar, choose Settings > Event settings and, in the Add invitations to my calendar drop-down, select When I respond to the invitation in email.

This ensures only calendar invites that you respond to will get scheduled in your calendar. Attackers will no longer be able to schedule meetings quietly in the background without your knowledge. It is one small thing that you can do to make the attacker’s life a little more difficult and yours a bit easier.
How having unique account passwords makes your life easier

01/29/2026
Passwords are the bane of our existence. We are required to have one for every account that we create. Whether it is a grocery store loyalty card, the CRA or our bank, all require a password. Once upon a time we could get away with using passwords like Rover1, Evenflo, StarWars or password123. Those days are long gone. Attackers are getting better and better at password cracking, requiring us to have 16-character passphrases that look more like machine code than a password.
With the requirements for all this complexity, it can be extremely challenging to create a password that will stump the attackers but that we can still remember. Therefore, it is very understandable that once you create the perfect password, you want to use it again and again. While this may save you some grief in the short term, it sets you up for a whole lot of drama in the future.
Account providers do try to secure their servers and keep attackers from stealing your login credentials. However, if Equifax, Yahoo and Adobe can be hacked, anyone can. It is just a matter of time. Once attackers steal login credentials, they don’t just use them to login to the account they were stolen from. They have programs that use those credentials to attempt to login to every account provider they can think of. It is done automatically and quickly, within a matter of minutes. This technique is called credential stuffing. It has been used to gain access to CRA accounts, web cams, social media accounts and a host of other services.
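Credential stuffing, as described above, stands out in login logs by its breadth rather than its volume: one source tries many different accounts, a few attempts each, within minutes. The following detector is an added example for this post, not code from MRU ITS; it assumes a constructed log format of one line per attempt (timestamp, source IP, username, result) and flags any source that tries several distinct usernames inside a short window, reporting which accounts it managed to open.

```python
"""Flag credential-stuffing bursts in web-login logs (added example).

Assumed, constructed log format: "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.9 sprays seven different usernames in a
# few seconds (stuffing) and gets into one account; 10.0.0.5 is an ordinary
# user who mistypes a password once and then logs in normally.
SAMPLE_LOG = """\
2025-01-29T08:00:01 203.0.113.9 alice FAIL
2025-01-29T08:00:02 203.0.113.9 bob FAIL
2025-01-29T08:00:02 203.0.113.9 carol FAIL
2025-01-29T08:00:03 203.0.113.9 dave FAIL
2025-01-29T08:00:03 203.0.113.9 erin FAIL
2025-01-29T08:00:04 203.0.113.9 frank SUCCESS
2025-01-29T08:00:05 203.0.113.9 grace FAIL
2025-01-29T08:05:00 10.0.0.5 alice FAIL
2025-01-29T08:05:09 10.0.0.5 alice SUCCESS
"""

WINDOW = timedelta(minutes=5)   # look-back window per source IP
MIN_DISTINCT_USERS = 5          # distinct usernames tried before we flag a source


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: {"users": n, "successes": [...]}} for every source IP that
    tried at least `min_users` distinct usernames inside one `window`.

    Breadth (many accounts, few tries each) is what separates stuffing from a
    brute force on one account or a user who mistypes a password. A success
    inside the burst is the account whose reused password was just confirmed,
    so it is listed for immediate follow-up (reset, session revocation).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):            # chronological order per IP
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (t0, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {e[2] for e in burst}
            if len(users) >= min_users:
                flagged[ip] = {
                    "users": len(users),
                    "successes": sorted(e[2] for e in burst if e[3]),
                }
                break                    # one finding per source is enough
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['users']} usernames tried; "
              f"accounts opened: {info['successes'] or 'none'}")
```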
If you use the same password for multiple accounts, when one gets compromised, they all become vulnerable. Instead of having to change the password on just one account, you now have to change it on all your accounts. That shortcut you took months ago has now cost you hours of your time. To make matters worse, while you are toiling away trying to change passwords, the attacker is working ahead of you trying to gain access to your accounts. Save yourself stress and grief: use a unique password for every account. You may have to take some extra time when you create the account, but it will save you so much time later on.
Creating all those passwords and then trying to remember them is challenging. However, avoid the temptation to use the same basic password and then just add a number or letter to make it unique. The attackers are aware of this tactic and their password cracking programs take it into account. Instead, use a password manager. It will generate the passwords for you and store them. The best part: it will even log you in so you never have to type another password again.
Not only are password managers convenient, but they are also secure. Your passwords are stored in encrypted form, so if they do get stolen, the only thing the attackers will have is a garbled mess. Password managers have minimal setup time. Just log in to your accounts as usual; if you type in a new or updated password, you will be asked whether you want to store or update your login credentials. Best of all, password managers sync your passwords across all your devices so you can log in from anywhere.
Be aware that not everything that stores passwords is a password manager. For a tool to be a password manager, it has to be protected by its own separate password. If you don’t need to log in to it to use it, it’s not a password manager, it is auto-fill. Auto-fill is dangerous, especially if you log in to your browser on public computers. If you forget to log out of the browser when you are done using the computer, the next person who logs into that browser will not only have access to your bookmarks, but also to anything that is stored in auto-fill, including passwords, personal information and credit card data.
Turn off auto-fill and stick with purpose-built password managers like Bitwarden. Bitwarden has a free version that is packed with features. It syncs across your devices, is easy to use and doesn’t cost a dime. End your password reuse days forever. Download a password manager today and start securing your accounts. Your future self will thank you.
How one MRU employee was tricked by a phishing email
11/13/2025
Bob (not his real name) started his day like any other, going through his inbox on his phone while he had his morning cup of coffee. He was swamped with a project that had a looming deadline. Between that and his other tasks, he was juggling several balls. Bob desperately hoped that he wouldn’t drop one as he scanned through his emails, looking for anything that seemed urgent.
One email in particular jumped out at him. It was from Caroline. He knew his boss had met with her. It had Strategic Plan Draft in the subject line. “This might be important,” he thought. He opened the email; it looked something like this.

He had been accepting a ton of document shares lately as part of his project work. So much so that his brain had developed a shorthand for identifying them. As a result, when he looked at this email that mimicked a legitimate Google Drive share email, he focused on the key elements the attacker had included and determined that it was from Caroline. Even though the sending email address was wrong and it was not Caroline’s email address that was sharing the document, Bob’s brain used its shorthand to deem the email legitimate.
Because he was using his phone to check the email, he didn’t see the sender’s email address either (this screenshot is from a computer), which would have tipped him off. All of this was exacerbated by his urgency to get through his emails so he could get back to working on his project. It was the perfect storm. He clicked the link.
Fortunately for Bob, this was a phishing training email. He quickly realized the email was not what he thought it was and he reported it by clicking on the three dots in the upper right corner of the email window and selecting Report phishing from the drop down menu.
Had this been a real phishing email, his quick actions would have saved the University and his colleagues a lot of pain. As it was just a phishing training email, he was rewarded for his reporting efforts. Bob could have been embarrassed and ashamed that he had made an error that could have caused immense damage, especially as he had completed all his cybersecurity awareness training and knew what to look for. Instead, he chose to share what he learned in the hopes that others would not make the same mistake he did.
Here is Bob’s advice:
- When you are reading your emails, slow down. Read every one carefully and thoughtfully.
- Check the sender’s email address every time. If you are going to use your phone to do so, make sure you know how. Otherwise, wait until you get to your computer to respond.
- The right email at the right time can trick anyone. Make sure you report your error right away.
You don’t have to make the same mistake Bob did. Follow his advice, avoid the regrettable click and report every malicious email you find. Your colleagues and the University will thank you.
Your work/school and personal life don’t mix well
11/12/2025
When you become a student or employee at MRU you receive several benefits, one of which is a Google Workspace account. This marvel provides you with an inbox, a word processor, a spreadsheet application, cloud storage and several other useful cloud-based applications.
In addition to having this work/student account, many of us also have personal accounts that provide some of the same benefits. This is where things can become complicated. Having the two accounts makes it very easy to save work/school files on your personal Google Drive and personal files on your work/school drive. It can also result in sending a work/school email with your personal email address and vice versa.
This can pose problems in several ways. First, if you have saved work files using your personal account, you may be required to turn over access to it and your device so an access to information request can be fulfilled. Second, emails sent using your personal email address can be perceived as phishing and ignored. Lastly, when you leave the University, you may lose access to your work/student account and everything that is stored there.
For your privacy and safety, it is important that you keep your two worlds separate. The easiest way to do this is to have separate devices for work/school and personal use. However, this isn’t an option for most of us. Fortunately, there is a solution. On your laptop, use Google Chrome as your browser for work/school and then use a different one for your personal life. This separates the two accounts and helps prevent the accidental use of the wrong email or storage of data on the wrong drive.
On your phone, it is best if you don’t add your work email at all. However, with some roles this isn’t possible. Therefore, when you have to have work/school emails on your personal phone, use a different email application for each account. Again, this helps ensure emails are sent from the correct email address and prevents confusion.
Remember, Mount Royal owns the Google Workspace accounts that you are given access to. If you leave MRU, you may lose access to that account – including personal data, photos, etc. stored there. Additionally, all MRU assets (including Google Workspace accounts) are subject to Access to Information Requests. If you have personal data stored in your work account, it may be subject to such requests. While MRU does make every effort to ensure personal data is not included, it may still occur. Protect yourself and your data – keep work/school and personal data separate.
Reporting to Google helps our defenses but confuses the training platform
09/02/2025

Last week the email notifications went out announcing the release of this year’s annual training course, “Beau’s Day”. This notification is generic in nature and is also used to notify those who have clicked on two training emails in one year that they have been assigned the training course “Professor Phish Explains: Phishing”. Unfortunately, the email wasn’t written very well and it caused confusion.
Confusion was compounded when employees followed the instructions in the email and clicked on the Phishing tab in their training dashboard to see the list of phishing training emails they have been sent. Those who have been diligently reporting emails to Google were met with a list of emails with grayed-out subject lines labeled “ignored”.
The training platform is completely independent of Google and has no way of knowing you reported an email. You still receive your rewards for reporting because I download all the reports from Google and then manually upload the associated reward. As a result, the training platform just thinks you have ignored the email.
To see which emails you have been rewarded for reporting, click the Incidents & Rewards tab instead. Selecting a “Reporting a Phish (Simulated)” reward will give you the subject of the email that you were rewarded for reporting. Because I manually upload the rewards, there is a two-week delay between your report and the awarding of rewards. If you haven’t received a reward three weeks after you reported, please send an email to me at securityawareness@mtroyal.ca and I will update your dashboard.
We appreciate your patience as we implement this new training platform. As with all new initiatives, there will be hiccups and this was one of them. The confusing email has since been edited to provide more clarity. I hope that things will be clearer going forward. Please feel free to reach out with suggestions, comments or concerns through our feedback form should anything else need to be addressed.
Report and be rewarded
07/17/2025

In March, we launched the new training platform from CIRA. This has allowed us to move our focus from training completion to maintaining a risk score of 650 or less. While you can reduce your risk score by choosing additional training from the course gallery, it can also be lowered by reporting phishing training emails.
Currently, we don’t use the phishing reporting tool that comes with the training platform. We report to Google instead by opening the email, clicking on the three dots in the upper right-hand corner and choosing Report phishing from the drop-down menu. However, sometimes that option isn’t available to you. When that occurs, you can forward the email to reportphish@mtroyal.ca.
As we don’t use the platform reporting button, we have to download reports from Google and upload them manually into the training platform. This ensures you are rewarded for your reports. However, there may be a delay between the time that you report the email and when you receive your reward. In addition, we are only able to reward phishing training email reports at this time as the process is rather laborious. To see if you have been rewarded, select the Incidents & Rewards tab on your training dashboard and click the reward type. It will display the details of the reward including the subject line of the reported email.
Please note that if you forward a phishing training email to any other email address (cybersecurity@mtroyal.ca, securityawareness@mtroyal.ca etc.), the system will read that report as a link click. If that happens, email securityawareness@mtroyal.ca and let me know. I can’t remove the click status from the Phishing tab, but I can remove the incident, unassign the phishing survey and reward you for reporting. This will undo any damage to your risk score.
The campus is doing an incredible job of reporting malicious emails. So much so that we have more phishing reports than we can respond to. Your report is still triaged and adds to our defenses; however, we can no longer get back to you if the email is legitimate. Please rely on your training to determine what is malicious. If you are uncertain, report the email. All emails reported to Google can be found in your Spam folder and retrieved at any time.
We thank you for all your reporting efforts. With each report, you add to our defenses and reduce the number of phishing emails that arrive in your inbox. What you do matters. Keep up the great work!
Don’t wait until it’s too late: The importance of backing up your data
03/25/2025

Imagine this: You’ve just spent weeks working on a research paper or compiling critical data for your thesis, only to wake up one morning to find your laptop won’t turn on. Or perhaps you’re in the final stretch of submitting an important assignment when a sudden hard drive failure wipes out all your work. These scenarios might sound like nightmares, but they are very real threats to students and faculty alike.
March 31 is World Backup Day, a global reminder that protecting your data is just as important as creating it. Whether you’re a student, researcher, or faculty member, understanding the importance of backing up your files can save you from devastating data loss.
Why Backing Up Matters
University life revolves around data—lecture notes, research files, coursework, projects, and administrative documents. If you lose access to these materials due to hardware failure, accidental deletion, or even cyber threats like ransomware, the consequences can be severe. Regular backups ensure that your work is protected and can be restored quickly, minimizing disruptions.
University Work: Where to Save Your Files
At the University, ITS regularly backs up data stored on network drives or Google Drive. You can rest easy knowing that if anything happens to your data, it can be recovered. That is, unless you store your data on your C: drive or desktop. Data stored there is not backed up and may be lost if your device encounters issues.
The 3-2-1 Backup Rule for Home Use
For personal data at home, the 3-2-1 backup strategy is widely recommended:
- Keep at least three copies of your data: your original file plus two backups.
- Use two different storage types: for example, an external hard drive and a cloud service.
- Store one copy offsite: such as in a secure cloud storage solution to protect against local disasters like theft or fire.
Additionally, you should enable automatic backups at home to ensure your data is consistently protected without requiring manual effort. Windows and macOS both offer options to schedule automatic backups, reducing the risk of forgetting to back up important files.
How to Get Started
- Use Cloud Storage: Services like OneDrive, Google Drive, or Dropbox provide automatic syncing and offsite backups.
- External Hard Drives: Regularly back up your data to an external hard drive or SSD to have a local copy.
- Automate Your Backups: Many operating systems allow you to schedule automatic backups, reducing the risk of human error.
- Test Your Backups: A backup is only useful if it works when needed. Periodically check your backups to ensure your files are retrievable.
Make Every Day a Backup Day
World Backup Day serves as a valuable reminder, but protecting your data should be a year-round practice. Taking just a few minutes to set up a reliable backup system today can save you hours—or even years—of work in the future. Don’t be the person who learns the hard way. Back up your data now!
Want to save time logging in? Use a password manager.

02/19/2025
How long does it take to enter your username and password? Ten seconds, 30 seconds or a whole minute? It depends on how long your password is. I timed how long it takes to enter mine, it’s 13 seconds. If I multiply that by the number of times I log in to an account in a day, about 24, I am losing 5 minutes a day to logging in. If you take that and multiply it by the average number of working days in a year, 252, that is 21 hours a year that are wasted. I can think of a lot of other things I would like to do with those 21 hours instead of logging in. How about you?
I have good news. There is a way to save time and get some of those hours back. Use a password manager. A password manager is a handy piece of software that is known for storing passwords. However, it has a couple of other killer features that some people don’t know about. It will log you in in less than two clicks and it will generate unbreakable passwords for you.
Most password managers also have other features such as storing credit card numbers or other bits of sensitive information that you need to access often. However, why would you want to take the risk of having the password manager hacked? After all, everything is getting hacked these days, why would a password manager be any more secure? Do you really want to have your most sensitive information and the keys to every account you use sitting in the cloud?
Of course not. That is why under normal circumstances, I would never under any conditions suggest storing this information online. However, password managers are very different. First of all, reputable password managers have no mechanism for resetting your password manager password. If you forget it or lose it, there is no way to get back into your account. This keeps thieves from impersonating you and gaining access. Also, the data stored in the password manager is encrypted, so if it is stolen it is unreadable without the password manager password. Lastly, companies who create password managers are insanely obsessed with cybersecurity. It is literally their entire business. This makes the risks minimal.
What is a much greater risk is getting hacked from reusing passwords. Every day millions of people have their accounts accessed by threat actors using credentials that were stolen from another account provider. Password managers practically eliminate this type of attack. They generate long, complex and unique passwords for every account, store them for you and then log you in so you don’t have to remember them. Not only do they save you time, they also save your data.
Why not get started with a password manager today? It will save you time and peace of mind. Check out Bitwarden. It is free to download, easy to use and full of features. If you aren’t sure how to start, contact the IT Security Training analyst at securityawareness@mtroyal.ca. They will be happy to help.