Welcome to Cybersecurity Awareness Month! In our connected campus life, we click, scan, and plug in without a second thought. Technology makes our academic and professional lives easier, but with every convenience comes a potential risk. This October, we’re dedicated to empowering you—our students and faculty—with the knowledge to navigate the digital world safely and confidently
Today's digital landscape requires constant vigilance. A sophisticated phishing scam can perfectly mimic an official email from the registrar, while a dropped USB drive can contain a baited trap designed to install malware. Even seemingly harmless QR codes on posters can be gateways to malicious sites built to steal your credentials. Your digital habits are your first line of defense; keeping your personal and school accounts separate is a critical security practice. As technology evolves, we must also confront the emerging dangers of Artificial Intelligence, from convincing deepfakes to AI-powered scams.
Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords, and financial details by disguising as a trustworthy entity in an electronic communication. Here’s what to look for and how to protect yourself.
Creates a Sense of Urgency or Fear: Look for subject lines and messages that demand "immediate action" or threaten consequences, such as "Your Account Will Be Suspended" or "Unusual Login Detected." Scammers want you to act before you think.
Generic or Incorrect Greetings: Be wary of emails that use vague greetings like "Dear Valued Member" or "Hello Student." Legitimate communications from the institution will typically use your name.Suspicious Sender Address: Always check the sender's full email address, not just the display name. Hover your mouse over the sender's name to reveal the true address. Look for misspellings or unofficial domains (e.g., student-services@0ldscollege.info instead of @oldscollege.ca).
Unexpected Links and Attachments: Do not click on links or download files from an unexpected email. Hover your mouse over any link to preview the actual web address it leads to. If the destination URL looks suspicious or doesn't match the context of the email, don't click it.
Requests for Sensitive Information: Legitimate organizations, including our IT Services, will NEVER ask for your password, social insurance number, or banking details via email. Any email asking you to "verify your account" by entering your credentials on a linked page is a major red flag.
Poor Spelling and Grammar: While scammers are improving, many phishing emails still contain unprofessional spelling, grammar, or formatting errors.
Stop and Think Before You Click: If an email feels off, it probably is. Take a moment to analyze it for the red flags above. A few seconds of critical thinking can prevent a major security breach.
Verify Independently: If you receive a suspicious request from what appears to be a legitimate source (e.g., your bank, a professor, or IT), do not reply or use the contact information in the email. Instead, contact the person or organization through their official website or a known, trusted phone number to confirm the request's legitimacy.
Report It: Use the "Report PButton" button in your email client or the Field Effect SEAS tool linked into the sidebar of your Olds College email inbox.
IF IN DOUBT - don't click a link, don't take the suggested action - contact the Service Desk
If you clicked a link, opened a malicious attachment, or submitted your credentials, act quickly to minimize the damage.
Change Your Password(s) Immediately: From a different, trusted device, change the password for the compromised account. If you reuse that password anywhere else, change it on those accounts as well. Every critical account should have its own unique, strong password.
Report the Incident to the Service Desk: Contact the Service Desk Provide them with as much detail as possible. Reporting helps us protect others from the same attack.
Disconnect and Scan: Immediately disconnect your device from the network (unplug the ethernet cable or turn off Wi-Fi). Run a full antivirus and anti-malware scan.
Place a Fraud Alert and Monitor Accounts: If you entered financial information, contact your bank or credit card company immediately to report a potential breach. Consider placing a fraud alert on your credit file with agencies like Equifax and TransUnion.
Finding a USB stick in a lecture hall, the library, or a common area might seem like a lucky break or a mystery to solve, but it is a common and effective tactic used by attackers. These "rogue" or "bait" drives are often intentionally dropped, pre-loaded with malicious software that can compromise your data and the institution's network.
What to Do if You Find a USB Drive
Your curiosity is the weapon an attacker is counting on. Resisting the urge to plug it in is the single most important step you can take.
DO NOT PLUG IT IN. Period. Never connect a found or unknown USB drive to any computer, whether it's your personal laptop or a campus workstation. The moment it's plugged in, it can automatically execute malicious code.
Understand the Risks: A rogue USB drive can silently install a wide range of malware, including:
Ransomware: Encrypts all your files and demands payment for their release.
Keystroke Loggers: Records everything you type, including usernames, passwords, and banking information.
Spyware: Steals your personal files and monitors your activity.
Network Worms: Infects your computer and then spreads across the entire campus network.
Do Not Try to Find the Owner Yourself: While your intentions may be good, accessing the files to identify the owner exposes you to the same risks.
Bring it to the Service Desk: The only safe action is to turn the device over to our IT professionals. Our team has secure, isolated environments (known as sandboxes) where they can safely analyze the drive's contents without any risk to our network or your data. Inform them where and when you found it.
QR (Quick Response) codes are everywhere on campus—from posters for events to links for class resources. While incredibly convenient, they can also be a security risk. Attackers can tamper with legitimate QR codes or create their own to trick you into visiting malicious websites, a tactic known as "Qishing" (QR code phishing).
A Sticker Over the Original Code: This is a primary physical threat. Attackers often place a sticker with their malicious QR code directly on top of a legitimate one on posters, menus, or flyers. Feel the QR code to check for a raised sticker.
Suspicious Context or Location: Be wary of a QR code that appears out of place or lacks context. A random code on a wall with a vague message like "Scan for a Free Prize!" is almost always a trap.
Creates Urgency or Seems Too Good to Be True: Just like with email phishing, if a QR code promises an offer that seems unbelievable or pressures you to act quickly, treat it with extreme suspicion.
Preview the Link Before Opening: This is your most important defense. Most modern smartphone cameras will show you a preview of the destination URL. Always read this URL carefully before you tap to open it.
Look for shortened links (like bit.ly or tinyurl) from untrusted sources, as they hide the true destination.
Check for misspellings in familiar URLs (e.g., 0ldscoIIege.ca instead of oldscollege.ca).
Ensure the link starts with https, but remember this only means the connection is encrypted, not that the site itself is safe.
Never Enter Credentials After Scanning: Be extremely cautious about entering a username and password after navigating to a site from a QR code. It's always safer to navigate to sensitive websites by typing the address directly into your browser.
Don’t Download Apps from QR Codes: Attackers can link QR codes to fake app downloads that contain malware. Only install applications from official sources like the Apple App Store or Google Play Store.
Be Wary of QR Code Actions: Modern QR codes can do more than just open a website. They can compose an email, create a calendar event, or even connect you to a Wi-Fi network. Only allow these actions if you trust the source of the QR code completely. Connecting to a malicious network could expose your data.
It's easy to let your accounts overlap in a digital world. You might use your school email to sign up for a personal service or save personal files to your institutional Google Drive. However, maintaining a strict separation between your institutional account and your personal life is a critical security and privacy practice.
The Institution Owns Your Account: It's crucial to understand that your institutional account (@oldscollege.ca) and all the data stored within it (emails, files, chats) are the property of the institution. This means the account can be audited, accessed for administrative or legal reasons, and is not a private space for personal information.
Security Containment: If your personal email account is compromised, attackers could potentially gain access to linked school resources. Conversely, if your school account is targeted, keeping your personal life separate protects your private data, photos, and financial information from being exposed.
Your Account Has a Lifespan: Your institutional account is tied directly to your relationship with the college.
For Students: Your account and all associated data will be disabled one year after you complete your program. Any personal files, photos, or contacts stored exclusively in your school account will become inaccessible. In addition, any subscriptions linked to your account may no longer be managed.
For Faculty & Staff: Your account access is terminated immediately upon your departure from the institution. It's your responsibility to ensure all personal data is removed from the account before you leave.
In addition, as members of Olds College of Agriculture & Technology you are bound under the acceptable use standard regarding the use of your Olds College account and technology. For more information we recommend you review our acceptable use standard.
The easiest way to enforce this separation is by using different browser profiles in Google Chrome, Microsoft Edge, or Mozilla Firefox.
What is a Profile? A browser profile acts like a separate, self-contained browser. Each profile has its own unique set of bookmarks, history, passwords, and saved logins.
How to Use It:
Create a "School" profile and log into all your institutional accounts (email, Moodle, Google Workspace, etc.) within it.
Create a "Personal" profile and use it for everything else (social media, online banking, shopping).
The Benefit: This simple step prevents your personal and school credentials from getting mixed up, reduces the risk of logging into the wrong service, and makes it easy to manage your two digital identities securely.
When you use a public AI model, your inputs can be used to train the system, meaning your data may not be private. Treat AI chats like a public forum.
Never Enter Personal or Confidential Information: Do not input any personally identifiable information (PII) like your student ID number, address, or financial details. The same goes for confidential institutional data, unpublished research, or sensitive information about others.
Respect Intellectual Property: Avoid pasting entire copyrighted articles, large blocks of code you don't own, or proprietary documents into an AI. This can violate copyright law and institutional policy.
AI models are designed to be convincing, not necessarily correct. They can confidently generate plausible-sounding information that is biased, outdated, or completely false.
Beware of Bias: AI learns from vast amounts of internet data, which contains human biases. Be aware that AI-generated content can reflect and even amplify stereotypes or skewed perspectives. Always question the neutrality of the information presented.
Spotting Fake News and Deepfakes: AI makes it easy to create highly realistic but entirely fake content.
Deepfakes: AI-generated videos or audio clips can realistically mimic anyone, making it seem like a person said or did something they never did.
AI-Generated Content: Look for tells like unnatural phrasing, perfect but generic-sounding text, or strange visual errors in images (e.g., people with six fingers, distorted backgrounds).
The Golden Rule: Verify, Verify, Verify: The most important skill when using AI is critical verification. AI should be a starting point, not a final source. You must cross-reference any information it provides with your own knowledge, course materials, or other trusted academic and primary sources before using it.
For college-related work, we recommend you use Google Gemini.
As Olds College is a Google school, your use of Gemini is managed within our Google Workspace for Education environment. This means your conversations and the data you input are protected under our institutional privacy and security agreements. Unlike most publicly available AI tools, your data is not used for public model training or shared outside of our secure environment.