The safety and well-being of our community is always a top priority. Last month, we committed to review our response to the November 19 report of an armed person on the Fort Garry campus. While the report was unsubstantiated, we recognize concerns with aspects of our response and are committed to continuous improvement. Such reviews take place after any serious incident as outlined in UM’s Emergency Response Plan.

The Emergency Response Team and UM leadership have now completed that review and created a plan to strengthen our response in three key areas: communication, education and infrastructure.

Areas for Improvement:

Communications:

1. • Ensure information is shared in a timely manner on a range of channels.
   • Increase adoption of the UM Safe App among students, staff, and faculty. This includes promoting the App in acceptance letters, onboarding and performance reviews.
   • Explore ways to expedite communication during emergencies, so that UM Safe App messages and emails reach our community as soon as they are sent.
   • Ensure coordination with Winnipeg Police Service when they are communicating about our campus.

Education:

1. • Expand training on the Emergency Response Plan and safety protocols, offering annual sessions to the entire UM community and tailored sessions for leaders, faculties and units.
   • Offer training sessions in partnership with the Winnipeg Police Service (WPS) about how to support safety in the event of an active threat on campus.

Infrastructure:

1. • Continue to update the closed-circuit televisions (CCTVs) across campuses, including hiring a security consultant to provide additional feedback to enhance the campus CCTVs.
   • Upgrade the loudspeaker system on the Fort Garry campus to ensure clearer communication.
   • Continue installation of additional Code Blue emergency poles for enhanced access to security services at both the Fort Garry and Bannatyne campuses.

Looking Ahead

We have already begun implementing these, and other, improvements, with more planned for 2025. While no environment can be entirely risk-free, we remain committed to fostering a safe and secure campus for everyone. I encourage you to familiarize yourself with the safety measures and programs offered by UM Security Services, including downloading the UM Safe App for real-time safety updates.

Thank you for your continued trust and engagement as we work to strengthen our safety protocols.

 
Sincerely,
Michael Benarroch
President and Vice-Chancellor

It is important for us all to learn about these scams and take steps to protect our personal information and stop fraudsters in their tracks. Two of the most common types of fraud that affect university communities are business email fraud and phishing.

Business email fraud

Business email fraud, also known as CEO fraud, is a type of scam in which fraudsters impersonate a high-level administrator, such as a dean or president and send emails to employees requesting sensitive information or money. 

To protect yourself from business email fraud, never respond to unsolicited emails that ask for personal information or money. If you receive an email that appears to be from a supervisor or a faculty, unit or department lead, verify the sender’s identity by calling them or using a known email address before responding.

Phishing scams

Phishing scams typically take the form of emails or text messages that appear to come from a trusted source, such as a bank or a government agency. The scammer then asks for personal information to be sent to them, which they can use to steal your identity or money. 

To protect yourself from phishing scams, never respond to unsolicited emails or text messages, always be cautious of emails that contain attachments and never send money or personal information to someone you do not know.

March phishing simulation

The university will run our annual Fraud Prevention Month phishing simulation in March. The email will likely be a notice about your tax information. Watch out for these three indicators of a possible scam:

1. Urgency or fear – the message will try to reel you in by triggering a fear response.
2. Suspicious links –  typos in domain names are a common trick, e.g. “umaniloba.ca.” 
3. Fictional department or unit – for example, the university does not have a “Tax Department.”

If you notice any of these warning signs, forward the message to spam [at] umanitoba [dot] ca immediately.

What else you can do

You can take several other steps to protect your personal information and stop bad actors. These include using strong passwords, regularly checking your credit report and being cautious when sharing personal information online. Additionally, stay informed about the latest frauds and scams, pay attention to university information security alerts and report any suspicious messages to spam [at] umanitoba [dot] ca.

Remember: Information Security Starts with You!

Students are now required to change their email password and re-accept the account user agreement annually. A strong password is an important step in blocking attempts to access your data. That’s why the university’s new password policy requires everyone to have a password that’s a minimum of 10 characters long, with at least one uppercase character, one lowercase character and one number.

If you haven’t changed your password yet, here is your chance to do so and be rewarded with a free snack before you receive your expiry notification.

Watch this quick animation for more about email and password security.

The Mobile Service Desk will be available at both campuses on the following days and times:

Fort Garry
University Centre
Tuesday, October 23 and Wednesday, October 24
9:00 am – 12:00 pm

Bannatyne
Brodie Centre Atrium
Wednesday, October 24
1:00 pm – 4:00 pm

Also during Cyber Security Month: Don’t forget to view the Phishing module in UM Learn for your chance to win a new iPad and enter our Cyber Security Poster contest.

The area along Ralph Campbell Road has reopened. Regular activities can resume in the area.

According to the Canada Business Network website, “There are many social engineering tactics, but the basic idea is the same for all: a hacker will pretend to be someone they are not, and will try to trick or bully someone into giving away sensitive information that the hacker needs to carry out their attack.”

Technology makes manipulation through phishing easy. Setting up and operating a phishing attack is fast, inexpensive and low risk: any cybercriminal with an email address can launch one.

According to Verizon’s 2017 Data Breach Investigations Report, the education sector saw a rise in social engineering–based attacks. Students, staff, and faculty all lose when personal data and research are disclosed to unauthorized parties.

Phishing played a part in more than 40 per cent of these breaches. Knowing what you’re up against can help you be more secure in your online life. 

Here are the six signs of a suspicious email:

1. Stranger danger: A sender address that does not match the sender name
2. No John Hancock: A signature that is overly generic
3. Hover to discover: Mouse over links in email to reveal their true URL. If the name and the URL do not match, delete the email.
4. Do not open unexpected attachments: They are a cybercriminal’s #1 choice for spreading malicious software.
5. Trust your instincts: Does that email feel ‘off’ in some way? It probably is. Forward it to spam[at]umanitoba[dot]ca to confirm the message.
6. Is it urgent? Slow down. An “IMPORTANT MESSAGE” may be a phishing attempt. Cybercriminals want you to do what you’re told, when you’re told. Think before you click.

If an email you’ve received contains two or more of the indicators listed above, delete it or forward the message to spam[at]umanitoba[dot]ca.

For more information about phishing attacks, visit the Information Security and Compliance web page at http://umanitoba.ca/computing/ist/security/phishing.html.

Compared to last year’s simulation at U of M, a similar simulated phishing email, this simulation saw a decrease in the number of people who clicked the link and an increase in the number of people who reported the email as suspicious.

Here is a summary of the simulation results:

• 376 or 6.8 per cent of users clicked on the link, a decrease from 10 per cent last year
• 366 users reported the email to spam [at] umanitoba [dot] ca (compared to 208 total reports last year)
• 151 users reported the email to the Service Desk
• Everyone who clicked on the link was redirected to an infographic on how to recognize phishing emails

While fewer employees clicked on the link this year, 376 clicks  is still a large number of individuals who thought it was a legitimate email.

To avoid falling for a tax-phishing scam, use these tips:

• Check if the URL is correct. Don’t be misled by sites claiming to be a government agency or tax-software company, but have a slightly different URL.
• Verify the sender. Don’t assume an email is legitimate by looking at the header– it’s easy to fake a From: or Reply-to: Call the sender to confirm the request is legitimate.
• Don’t open it. Most tax-related government agencies do not initiate contact by email, text message or social media. If the email mentions tax forms, it is likely a scam.
• Bookmark tax software websites. Navigate only to trusted sites by using bookmarks.
• Educate yourself. Take the Competition Bureau’s Fraud Quiz to test your ability to recognize a scam.

About email simulations

Simulated email messages provide a realistic experience in a safe and controlled environment. They are designed to help us recognize and resist tactics used in real phishing attacks.

Periodic simulations will continue as a part of the university’s Cyber Security Awareness Campaign.

Remember, information security starts with you!

For more information about phishing attacks, visit the Information Security and Compliance web page at http://umanitoba.ca/computing/ist/security/phishing.html.