Reporting on the recent phishing incident that encouraged students to send $850 to scammers
Yasmine Modaresi (she/her) // News Editor
Jasmin Linton // Illustrator
Back in February, Capilano University was targeted in a significant cybersecurity incident that encouraged students to send $850 in “outstanding tuition fees” to a scammer’s email. This type of scam is called phishing, which is a technique where the cyber attacker/scammer impersonates a legitimate entity—in this case, CapU—to deceive victims into providing sensitive information, personal data or in this case, finances. In the cyber attack of February 12, 2025, a phishing email was sent out to hundreds of student emails with the subject line, “Final Reminder: Tuitions Fees Outstanding Payment Notice,” going on to deceptively claim in the body of the email that students receiving the message had delayed payment issues for this semester’s tuition fees, and that they needed to make a payment of $850, sent via e-transfer to an attached email address. In hindsight, it may seem obvious to readers what happened next, but if something similar happens in the future, what can you do to detect a scammer and protect yourself?
Immediately after realizing that a cyber attack had occurred at CapU, the university’s Information Technology (IT) department promptly shut down student email accounts to launch a thorough investigation, and announced that the emails would be inaccessible while it purged the spam messages from inboxes, stating: “students may still be experiencing issues accessing their CapU email. IT is working on resolving the issue. Further updates will be provided.” During this time, the IT representative, Melvin Lee, ensured efficient communication with faculty to keep them updated on the situation and noted that the phishing emails had been mass-purged from inboxes.
The main question at hand is how cyber attackers managed to gain access to such a huge amount of CapU student emails. While there is currently minimal public information about the strategies used by the attackers, understanding the basics of phishing attacks can provide students with some insights. Phishing attacks are characterized by strategically identifying and then exploiting vulnerabilities within an institution’s storage or data systems where personal information can be collected. Once personal information has been attained, attackers can utilize a common and relatively accessible method of phishing called email spoofing, where all they need to do is manipulate email headers and create the illusion that their victims are receiving messages from a trusted source.
In the case of CapU, attackers were able to gather students’ personal university emails by taking advantage of a currently unknown security vulnerability that IT is investigating, and then mass email unsuspecting students. While the repercussions of such attacks are not typically experienced directly by students due to a solid IT team, the reality is that educational institutions like CapU are often the targets of such attacks, because attackers are aware of the huge amounts of users and the vulnerable status of students. Hopefully, this experience at CapU will present an opportunity for students to learn how to be more proactive in protecting themselves online, as well as an opportunity for IT to identify and make safeguards for current vulnerabilities in CapU’s virtual operations.
Unfortunately, due to the anonymous and location-independent nature of cyber attacks, it isn’t always feasible or realistic for local IT teams at small academic institutions to identify and pursue legal action against the perpetrators of phishing attacks. However, the meta-data available in archives of previous attacks around the globe combined with reflections on local incidents can culminate as resources for understanding flaws in current cybersecurity systems that provide windows of insight for future preventative action. According to the Wall Street Journal, some popular measures that can help prevent phishing attacks in the future are:
- Regular phishing simulations: whereby IT teams systemically conduct regular attacks to assess an institution’s vulnerabilities.
- Enhancing email security protocols: a step that has already been publicly taken by CapU’s IT team is setting multi-step verifications for all student and faculty login, which reduces the likelihood of spoofed messages even reaching users in the first place.
- Incident response planning: Currently, cybersecurity proposals at CapU are not available to the student body in detail. However, for reference, establishing and regularly updating protocols for responding to cybersecurity threats and/ or attacks ensures that issues will be resolved swiftly with minimal costs to targeted demographics (e.g. students).