Cybersecurity Awareness month tips

It was the middle of the night when The Goose’s phone buzzed. 

Duo Push Request… Duo Push request… Duo Push request. 

At first, The Goose denied them. By the tenth request, The Goose was groggy and frustrated. Wanting the notifications to stop, they tapped Approve. 

What The Goose didn’t realize was that this attack could only happen because their password had already been compromised. Attackers entered it into the login page, which triggered the 2FA requests. Without that first line of defense falling, the attackers would have had no way in. 

Accepting the push request gave attackers access to The Goose’s Waterloo email account. By morning, messages were blasting across campus and beyond: ‘Work at Waterloo! Easy job, high pay, no experience needed.’ Each included a malicious link.  

The scam didn’t just hit campus. It also reached The Goose’s personal contacts — and one friend, thrilled at the idea of working at Waterloo alongside The Goose, clicked the link without thinking, which installed malware on their device. Goose felt awful, realizing their slip had pulled someone else into the mess. 

But that wasn’t the only damage. With the same access, attackers also signed in to The Goose’s Workday account. There, they quietly changed Goose’s direct deposit information to their own account. When payday came, The Goose’s pay cheque went straight to the attackers instead. The Goose was devastated — not only had their account been used to phish the entire campus, but there was the added stress of working with Human Resources to recover their missing pay. 

King Warrior spots The Goose and shakes his head. “You really are a silly Goose — accepting Duo push notifications you didn’t initiate. That’s how the attackers got in.” 

The Goose looks down, embarrassed. “I thought I was safe — I’ve got a strong passphrase, I use a password manager, and I even had 2FA. But I just wanted the buzzing to stop so I could sleep…” 

Cobalt the Dinosaur overhears and adjusts their goggles. “Let me explain the science, Two-Factor Authentication (2FA), sometimes called Multi-Factor Authentication (MFA) — means you need more than just a password to log in. It adds a second check, like something on your phone or a device you carry with you." 

The Goose asks: “So here at Waterloo, what should I be using?” 

Cobalt nods. “Most University systems use Single Sign-On (SSO) with Duo 2FA — that’s your foundation. Some systems outside SSO still offer 2FA in other ways. But a few don’t support 2FA at all, and those need extra care. If you run into one, contact your local IT team or Information Security Services, so the risks can be assessed and safeguards put in place.” 

Warrior steps in again, pointing at The Goose. “And don’t forget — your personal accounts matter, too. Protect them with 2FA, where possible. Duo works with many other apps, and you can also secure your logins with sign-in partners like Google, Apple, or Microsoft. Just make sure you’ve turned 2FA on everywhere.” 

The Goose believed they were safe with an 8-character password they thought was very complex — numbers, letters, even a symbol. But attackers cracked it in just three hours. 

Because The Goose reused that same password everywhere — email, banking, shopping, and social media — the fallout came fast. 

Before The Goose knew what was happening, their inbox flooded with hundreds of spam emails. Annoyed, The Goose just deleted them. Then came the embarrassment, a friend messaged, “Why are you spamming me with Bitcoin scams on Instagram?” And finally, the heartbreak — The Goose’s grandma wired money to an attacker, after receiving a desperate plea from The Goose’s hacked Facebook account. 

Starting to panic, The Goose went back to those “spam” messages for another look. Buried in the pile was an Amazon confirmation, proof of a purchase worth thousands of dollars. The rest of the emails weren’t random at all, they were junk deliberately sent by attackers to bury the real alerts, hoping The Goose would ignore the evidence of fraud. 

Realizing this was more than just annoying spam, The Goose finally remembered what they’d been told: if you think your account has been compromised, contact the Security Operations Centre (SOC). 

Luckily, SOC confirmed that The Goose’s WatIAM account was safe; Duo 2FA had stopped attackers from breaking in. Still, SOC instructed The Goose to change their password immediately and began an investigation to see whether the compromised password had been used on any other University services which were not protected by Duo. 

And then came the final blow. As SOC investigated the suspicious activity tied to Goose’s locked account, they uncovered signs that the same compromised credentials had been used in a research application. And because the system had been set up without a formal risk assessment, 2FA hadn’t been enabled. 

The consequences were severe. The project’s funding sponsor and the Privacy Commissioner had to be notified. Ethics violations and fines were on the table. The university’s ability to continue working with the sponsor could be jeopardized — not to mention the reputational damage to researchers and the institution. 

The Tool gleamed, “Attackers will hammer away at your password — so make sure it’s as solid as me. Attackers can snap weak ones in seconds, but a long passphrase — real words forged together — stands firm. Try something like ILovePastaWith7KindsOfCheese! It’s simple for you, brutal for them.” 

Big Banana warned, “Reuse is good for the planet and sustainable, but not for passwords.” 

The Tool Bearers piped in, “The Tool was kidnapped once, by the folks at the University of Toronto. Now we the Bearers protect the Tool at all times. That’s what a password manager can do for you — it safeguards every password, keeps them organized, and ensures no one can take them from you.” 

“Skipping an Information Risk Assessment is like dumping waste into a river,” The Big Banana added. Even research systems need a proper review so security protections like 2FA don’t get left out. Otherwise, the whole campus ecosystem gets polluted.” 

• Check Yourself: Use haveibeenpwned.com or your password manager’s alerts to see if your passwords have been exposed. Change them immediately if they have. 
• Curious how strong your password really is? Try Bitwarden’s trusted password strength checker and see how long it would take to crack. (Spoiler: short ones don’t last long.) 
• Security Questions: Treat them like extra passwords. Don’t use real answers. Save made-up ones in your manager.  Example: What is your father’s name? → DarthVader2025! 

The Goose was juggling too much: budget cuts at work, a looming term paper, texts from home, and doom-scrolling the news. Distracted and stressed, they moved too fast, and mistakes piled up.

It began the night before. The Goose was venting online in a heated moment and posted a harmful comment about a classmate in a public forum. To cool off, they took a few “fun” online quizzes. The quizzes asked for personal information like a first pet’s name, which seemed harmless at the time.

The next morning, The Goose started going through their Waterloo inbox. A message from their Associate Dean had arrived notifying them of a Policy 71 charge for disruptive or aggressive behaviour by electronic means. The late-night post had been reported. The Goose felt the sharp sting of regret for last night’s online venting.

Shaken, The Goose skimmed past another message, a shared document from a classmate. Distracted, they clicked the link. The page asked for a login even though The Goose was already signed in. The Goose knew this was a red flag, but their brain took a shortcut. Twice they entered their Waterloo credentials before giving up. The attacker now had The Goose’s WatIAM password.

And the attackers were not done. Those “fun” quizzes had given away perfect answers to security questions on The Goose’s Canada Revenue Agency (CRA) account. Combined with the stolen Waterloo credentials that The Goose foolishly reused for CRA, this was enough to reset recovery settings and begin filing fraudulent tax returns, setting the stage for identity theft.