Beware of phishing after Canvas-hack

Hackers are threatening to leak the data of 275 million students and lecturers on Tuesday 6 May. Seven Dutch universities and at least two universities of applied sciences have also been affected. What is the danger?

Students and staff have now been informed about the hack at Canvas, an online platform used by many educational institutions. As far as is known, hackers have stolen names, email addresses and student numbers, as well as messages sent within Canvas.

The hackers’ business model is simple: they demand ransom money for the information. If they do not receive payment, they publish the information on the dark web, allowing scammers to do whatever they want with it.

‘Click here…’

Students may therefore start receiving dangerous emails that make use of their student number and email address. This can make phishing emails sound more convincing. For example: your enrolment has not yet been completed, click here to add your details. Or: you have missed a tuition fee payment, click here to transfer it now. If you click, you end up on a dangerous website.

There are various websites explaining how phishing works. Vrije Universiteit Amsterdam (one of the affected institutions) has listed a number of warning signs on its own website.

‘Do it now’

Always pay attention to the sender, is one of the tips. The sender may call themselves ‘Administration Department’, while the email address is not from your own educational institution. Suspicious links can be checked on the website checkjelinkje.nl.

Phishing emails also often create a sense of urgency: do it now, beware of fines, your account will be closed, last chance… Do not fall for it. The opposite can also happen: good news, click here for free items, view all the information on this OneDrive… You are then asked to log in or transfer money.

The Dutch government also has a website about safe internet use. It includes a warning about domains that replace, for example, the letter o with the number 0 or the letter l with the number 1. You may then see names such as h0gesch00l or Ti1burg University.

‘Do you like…?’

Scammers can work even more selectively by combining information from social media with leaked data. If you play korfball, for example, you may receive an email about a student korfball tournament. Thanks to AI, scammers can personalise spam messages.

In any case, stay alert. To help others, you can report fake emails to the IT department of your educational institution.