Chemistry student Athena Hughes didn’t think much of it when she forwarded an email advertising a student employment opportunity to her friend looking for a job. “I get so many emails and just kind of [was] like, okay, whatever, yeah. So I just forwarded it to them.” A day later, Hughes noticed that she was repeatedly logged out of her student email. A few days after that, she stopped receiving emails altogether.
“I was expecting an email from one of the courses that I’m doing for the lecture slides. So I was like, ‘Huh, that hasn’t come through’ […] So I logged out to try and log back in, and then I couldn’t get back in. And I was like, ‘Okay, this is weird.’ ”
Then, a classmate reached out to Hughes to ask if the email address attached to a phishing email sent that evening was hers. “That’s when I realized, okay, something’s actually wrong. It’s not just my email being funny.”
The email, sent on a Saturday evening, had the subject line “Exciting Remote Work Opportunities for the U of T Community” and was flagged as “High Importance.” The job offer promised a weekly pay of $650, “plus a $50 bonus for each successfully completed task or project.”
This was the same sort of phishing email Hughes had forwarded to a friend a few days earlier — one that, at first glance, appears to be a legitimate job opportunity. Sent from an official U of T email, it lacked the typos or inconsistent font formatting often associated with phishing scams.
At this point, Hughes went to the Robarts Help Desk. She recalls the staff member assisting her saying, “ ‘I just got off the phone with someone else who had the same issue.’ He [added], ‘I’ve been dealing with this for the last couple of weeks.’ ” With the staff member’s help, Hughes regained access to her account and was instructed to change her UTORid password and her email password.
Once her access was restored, she discovered that a user under the name “John” had used the “rules” section of Outlook to take control of her account. Hughes also found that all of the incoming emails she hadn’t been receiving, as well as all the phishing emails sent out from her account, had been deleted by “John,” and she had to recover important course-related emails. According to Hughes, the staff member told her that he had recently handled calls from multiple students each day who had been hacked.
The university declined to comment on why it has been unsuccessful in preventing these hackers from consistently compromising U of T systems, but said that it “is constantly adapting to the rapidly evolving threat landscape, utilizing strong controls and protections that prevent the vast majority of phishing and scam attacks from entering our digital ecosystem.” The university also noted that “increasingly sophisticated email scam and fraud attacks that use social engineering to prey on human emotions are on the rise across all sectors of society.”
As an exchange student from Imperial College London, Hughes said she’s not used to phishing emails being sent regularly. “At my home uni, this issue just doesn’t happen […] I don’t think I’ve ever heard of a spam situation or a hacking.”
If you have had your student email hacked, The Varsity wants to hear from you! Send your story to [email protected].