Phishing scam: NRCan simulation could deter donations, United Way says


One of Ottawa’s largest charities is raising concerns about a government agency using its logo in an email posing as a phishing scam, saying it could possibly impact future donations.


The United Way, which raises money for many charities across the region, is seeing an all-time high in demand. One of its major fundraisers is the Government of Canada Workplace Charitable Campaign.


But last week, Natural Resources Canada raised eyebrows with an email disguised as a request for charitable donations. The fake email, designed to train staff on spotting phishing scams, used the United Way logo.


“Unfortunately, they use the government of Canada charitable workplace campaign as the email template,” said Mark Taylor, vice-president of resource development with United Way East Ontario. “The effect is that is if you got this, you thought you were getting this from the charitable campaign that supports the United Way.”


“We’ve seen Natural Resources employees take to the blogs on the Internet and say ‘You know, that probably just means that I’m not going to click on anything that’s coming from the charitable workplace campaign,'” Taylor added. “And that’s a shame.”


In a statement, Natural Resources Canada said it runs internal phishing simulations to strength employees’ awareness about the dangers of phishing scams.


“Realistic emails are sent with an embedded link,” the statement said. “If the employee reports the message without clicking on the link, then they receive an email congratulating them for their vigilance.


“Should they click on the link they will be directed to an internal website reminding them of the risks that phishing emails pose and asking them to be cyber aware.”


NRCan said phishing attacks are getting more sophisticated and use real-life scenarios to trick employees.


“To be successful in raising phishing awareness NRCan uses scenarios that are relatable to their everday work.”


The December phishing simulation use the GCWCC as a background scenario and was only sent to NRC employees, the statement said. This year’s GCWCC ended on Nov. 30.


Taylor says the United Way and NRCan have had conversations and he’s confident they want to help the charity recover and continue to build on the longstanding important partnership.


“Fundamentally, it was probably just a misguided effort,” he said. “They are good partners and we’re counting on them to step up and help us to do what we can to help us recover, all for the benefit of folks in our community who now more than ever need that help.”


Taylor said the demand for the United Way’s resources this year has reached an all-time high. This year alone, the GCWCC has raised more than $2.5 million. NRCan employees donated more than $540,000 across Canada.


“It’s a really challenging economic climate we’re in,” Taylor said. “Folks who perhaps weren’t vulnerable before our vulnerable now, and so the need has never been greater. It’s outpaced social agencies’ ability to respond and so that’s why we count on people to step up and help.”


Learning to spot phishing scams


Carmi Levy, a technology analyst based in London Ont., says phishing scams, in which criminals attempt to gain information or money through embedded links in emails, can spike during the holiday season as more charities ask for donations, but the problem is widespread throughout the year. 


“It’s considered a best practice for businesses to send out test messages to their employees to test their responses to what could otherwise be a real phishing attack,” Levy said. “Even if they do click on the wrong link, it doesn’t lead to a ransomware attack against the organization. This is what organizations need to do to train their employees better, and this is one of the key methods to do exactly that.”


Levy offers some tips to potentially avoid a phishing scam. The first: avoid opening links in touch-screen devices. 


“Wait until you get to your laptop or desktop computer when you can use your mouse to hover over the links,” he says. “The actual addresses will pop up and you can check to see if they look legitimate. In many cases, the addresses are just a little bit off. That is usually is your tell that it’s not coming from a legitimate source.”


Levy says phishing scams can also come over text messaging through social media. If there is any doubt, don’t answer the email. 


“If there’s an organization that you hear from and you are interested in, perhaps making a donation when in doubt, contact them directly separate and distinct from the message you were receiving that can go along way to ensure that you don’t get stung.”

Leave a Comment