Don’t take the bait: Phishing scams are getting smarter

Article written by Andriana Vanezi, Information Security Services (ISS)

Phishing remains the top way attackers get into university accounts. These scams are increasing in volume and sophistication, often exploiting urgency, trust, or familiarity to trick users into giving up access.

They’re Not Always Faking the Sender

Not all phishing emails come from impersonators. In a Business Email Compromise (BEC), the attacker gains access to a real @uwaterloo.ca account and sends emails from it,  often to colleagues or contacts of the compromised user.

That’s why even familiar senders need a second glance, especially if the tone, urgency, or request feels off. These kinds of breaches are why we rely on more than just passwords to secure accounts.

Waterloo uses Duo two-factor authentication (2FA) for key systems to help prevent unauthorized access, but no system is perfect, especially if users are tricked into approving login requests.

A New Twist: Multi-Factor Authentication (MFA) Fatigue

Even with Duo 2FA in place, attackers have found a way in. If they steal your password, they may bombard you with login prompts until you accidentally approve one. This is called MFA fatigue, and it’s a growing threat across campus. If you didn’t initiate the Duo prompt, deny and report it immediately.

If You Clicked, Don’t Try to Fix It Alone

Clicking or approving a suspicious action doesn’t mean you’ve failed, but waiting to report it makes it worse. We’re here to help, not judge. Your fast report can stop an attack from spreading.