Phish Bowl

Job scams that pretend to be from the Red Cross seem to becoming more common. As with many other job scams that we’ve seen before, the scammer tempts people with a generous salary for a minimal amount of work. If a job offer arrives unsolicited and the compensation is too good to be true, you can be sure it’s a scam.

Other red flags that indicate that the offer is fake:

• The email was sent from an address that does not belong to the Red Cross. A legitimate email from the Canadian Red Cross would come from a redcross.ca email address.
• The message contains multiple grammatical errors.
• You are asked to reply from your personal email–this is a trick to move the conversation off UVic email to evade detection.
• Replies are to be sent to a different address from a Red Cross lookalike domain.
• The confidentiality notice is not from the Red Cross.

If you replied to this email, cease contact with the scammer and reach out to the Computer Help Desk immediately for assistance.

---

Subject: Remote Flexible Job
From: [redacted] <********@iconpln.co.id>

Distribution Assistant is vacant at the National Red Cross with a weekly pay of $500. 3 hrs. per day, 3 times a week is required for purchasing of online items and delivering them to foster/disable homes in your local community. To apply, send cv/application to Mammen at jobs@arc-******.com with your personal email.

NRC

---

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

This phish uses scary tactic to get the user to take action to click on the link. The sender email address is external to UVic, the subject of the email is very generic, mention of “College Email account”: mistakes like these indicate the same phish could have been used for other institutes, it has formatting errors, and signature are also very generic. All these are phishing signs.

Always think and look for red flags in an email before taking an action. Whenever in doubt contact helpdesk.

Subject: UPDATE
Sender: JARUNEE KONGSAWAT <****psu.ac.th>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear Student,

Your College Email account will be Deactivated shortly.
To stop Deactivation, CLICK HERE[Phishing link] and log in

Thank you,
IT Helpdesk

If you received an email for a job position offering too good to be true salary, then either report or delete it as it is a job scam. Other signs indicating that it is a phish:

1. Asking to reply on a different email address than the sender email address.
2.  Asking recipient’s reply from their personal email address, it is to evade UVic detection.
3. Sender name is different than the signature name.
4. The text of the email is in an image.
5. Formatting and grammatical errors.

Subject: WFH
Sender: Tesfaye Moges Teklehaymanot <****@ethiotelecom.et>

I am offering a work from home position as my Personal Assistant in which you can Earn $500 Weekly. For details and Job description kindly contact me only via my personal email (****@outlook.com) with below information

Name:

Age:

Personal Email:

Important Note: This is a non reply email so kindly send your interest to me only via (****@outlook.com) also endeavour to reply to this email via your Personal email(Gmail,Hotmail,yahoo) etc and not your Edu email). This Position demands you to be 100 attentive to details so failure to adhere to this important note will lead to automatic disqualification of your interest in this Job.

I look to hear from you if you are interested.

Thanks
Michael Brunetti

IMPORTANT. This e-mail message and any attachments are strictly confidential and may be protected by law. This message is intended only for the named recipient(s) above. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. Any unauthorized view, usage or disclosure of this message is prohibited. Since e-mail messages may not be reliable, ethio telecom shall not be liable for any message if modified, changed or falsified. Additionally the recipient should ensure they are actually virus free.

We received a report of an interaction with a scammer from an employee who was aware of the scam from the outset. We strongly advise against engaging with scammers, even ‘for fun’. Such interactions can inadvertently reveal valuable information, such as the active status of your email account, your work schedule, and more. We’ve redacted the name used by the scammer in this instance, as they were impersonating a real university professor.
The thread begins with a succinct email body, the subject line merely containing the name of the impersonated professor, typically someone in an executive position such as a department chair, dean, or director.

The employee responded as follows:
At this juncture, many individuals might feel a twinge of guilt for overlooking the initial email. This is precisely the reaction the scammer is banking on, despite the fact that there was no previous email. The scammer swiftly replied, revealing their true intent:
There’s always a reason why they can’t purchase the cards themselves. It could be a technical issue, illness, an ongoing meeting, or any number of pretexts.
The employee responded:
A scammer, realizing their ruse has been seen through, might typically abandon their efforts at this point. However, this scammer persisted, sticking to their script as shown below:
Perhaps they believe persistence pays off statistically? That they might eventually convince a potential victim? Unfortunately, we do occasionally encounter victims who purchase gift cards and send photos of the scratched-off numbers to the scammer. This is another telltale sign. Since the scammer can’t physically collect the cards, they request photos of the ID numbers. It’s a good idea to discuss this scenario with your supervisor and confirm that they would never ask you to purchase gift cards.

Remember: It’s always best to avoid giving scammers any information, no matter how insignificant it may seem.

HR or payroll-themed lures are commonly used for phishing emails. While this email claims to be from a UVic system, notice how the capitalization of UVic in the sender name is incorrect and the actual sender address is from outside of UVic. Both are red flags that indicate that this a phishing email; a genuine UVic Payroll or HR email should be coming from a UVic email address. Another bad sign is the fact that there is nothing in the message body except for a disclaimer and confidentiality notice that mentions some other external organization but not UVic.

This email also contains a .htm attachment. Do not open unsolicited or unexpected attachments whose names end in .htm or .html. These files are webpages, meaning that they could contain code that downloads malicious content or that redirects you to a malicious site. UVic InfoSec used a special secure environment to examine this file’s contents and found that it contains code to redirect you to a malicious site after a few seconds’ delay. If you opened the attachment, reach out to the Computer Help Desk or your department’s IT support staff for assistance.

Subject: REMINDER: Benefits Open Enrollment 2024. Review & Sign
From: Uvic e-Service System <okita@****okita.com>
This message was sent with high importance.
Attachment: [webpage file] Open Enrollment 2024.htm (1018 bytes)

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Disclaimer: Confidentiality Notice: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the originator of the message. Any views expressed in this message are those of the individual sender, except where the sender specifies and, with authority, states them to be the views of A********x

If you received a UVic job posting from a UVic professor offering flexible work schedule with very high pay, and you are wondering what’s the harm in applying. Think again, because scammers are at play here. The scammers impersonate a real UVic professor to make the job offer look legitimate.

Here are some of the red flags you need to watch out before taking any action given in such scams:

• The email comes from a Gmail address. Emails about real UVic job offers should come from a UVic email address.
• The salary offered is too good to be true, that too for a part-time job.
• Grammatical and formatting errors.

Therefore, do not reply to the email with your information. If you did, please reach out to the Computer Help Desk for assistance.

Subject: Part-Time Assistants Needed
Sender: [impersonated professor name]<****@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University of Victoria, Department of Computer Science is currently seeking the services of Research Assistants to work remotely or in person with our research team to support ongoing data collection, and analysis.
Department Required Skills;
– Highly motivated, with strong organizational and communication skills.
-Excellent problem-solving skills
-Team player who is able to work in a fast paced environment with a multidisciplinary team.
Preferred Years Experience, Skills, Training, Education;Experience primarily using Windows operating systems
-Ability to adequately use Microsoft Excel.
This is a part-time position with a flexible schedule, and the successful candidate will work approximately 6- 7 hours for $350 weekly. The position offers valuable research experience, and the opportunity to work with a dynamic and collaborative research team on campus.
To proceed with the application process and other eligibility descriptions, submit your resume for review .

Best regards,

c/o

[impersonated professor name]
Professor
Computer Science
Office: ****

This phish uses a lot of vague language to describe the purpose, like “partnership in a business project”, no information about what the proposal is and what kind of business project. Nevertheless, if you are not expecting an email, it is probably a phish. The subject of the email uses “RE:” to appear as ongoing email thread, and the subject doesn’t match the context in the email body. Signature does not give any information about the sender except for the name. All these signs indicate that this email is a phish along with formatting mistakes.

Hence, always look for warning signs in an email before taking any action and, think whether you were expecting such email. Never reply back to the scammers asking for more information as they intentionally give vague or no information. Whenever in doubt, contact helpdesk or your departmental IT contact.

Subject: RE: YOUR OFFICIAL CONSENT LETTER! PLEASE READ!!
Sender: Tulub Serhiy <****@ctb.ne.jp>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Date: Friday 27, October 2023

Compliment of the day, and I hope my Email finds you in good health.

I got your reference in my search for someone who suits my proposed
business relationship.

I am contacting you to seek your partnership in a business project,
I have all the modalities fashioned out to give this business an
excellent outcome.

I am confident that you will give your consideration to this proposal
and respond positively within a short period of time.

As soon as you give your positive response to this proposal, I will not
hesitate in sending you the details information of this great investment
partnership opportunity.

Regards.

I wait for your quick reply for more details.

Yours Truly
Dr. Serhiy Tulub

If you received an email claiming to give away piano for free, it is a scam. Keep in mind, if it is too good to be true offer, it probably is. The scammer is impersonating UVic members to make the offer look legit, nevertheless, it is a scam. The email address of the sender is external to UVic and also asking the users to reply to another external address with your personal email, this tactic is to evade UVic network detection.

Please be wary of such scams of unsolicited offers and do not reply to such emails not even to confirm if the offer is legit or not. If you’re not sure about the legitimacy of the email, verify it by contacting the supposed sender through a different mode of contact than given in the email.

 

Subject: Opportunity to own a Grand Baby Piano
Sender: [Redacted sender name] <****@fioptics.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear Faculty/Staff,

One of our Staff Mrs. [redacted name] is giving out a piano to a loving home for free. You can write to her to indicate your interest on her private email (****@outlook.com).

Please write Mrs. [redacted name] via your personal email for a swift response.

Thanks,
[redacted name]
Professor
University of Victoria

 

An obvious phish indicating lack of effort from the phisher. These types of phishes are sent in high volume where it mostly become numbers game, hoping to get at least 1 (if not more) victim out of thousands.

This phish tries to lure users with too good to be true offer of a grant. But there is no context, whatsoever, of what this grant is, which organization is providing it, and why is it being provided. The email subject has no meaningful connection with the text in email body. The name of the sender doesn’t match the name given in email signature. Grammatical mistake is also a factor indicating it is a phish.

Never reply to addresses given in phishes, not even to request unsubscribe from mailing list. Always take a moment to look for phishing signs. Whenever in doubt contact helpdesk or your departmental IT support.

Subject: Dear Email User
Sender: Perry Collin <*****sd73.bc.ca>

You have qualify to receive this month grant pay out check. ( $2800) To process claim,send the following details:
Name –
Address-
Tel-
To the grant co-ordinator
Name- Perry Collin
Contact email – *****@hotmail.com
We await to hear from you.
Salace Anderson
Grant Mat sector.

Job scammers are once again trying to take advantage of students who are in need of money to pay for tuition and necessities in these tough economic times. As in previous batches that we have seen and written about, the scammers impersonate a real UVic professor to make the job offer look legitimate. The red flags are the same as before:

• The email comes from a Gmail address. Emails about real UVic job offers should come from a UVic email address.
• The name in the sender information does not match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of an impersonation scam.
• The salary offered is too good to be true. $50/hour is more than triple the minimum wage in BC and a part-time student job is not realistically going to offer pay that high.
• The email requests your Google Chat email. Scammers often request alternative contact information to move the conversation away from UVic’s defences and monitoring.

Therefore, do not reply to the email with your information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance.

Subject: Remote Job Opening
From: Emily Rauscher <*****emilyap5@gmail.com>

The service of a student/graduate student  is urgently required to work part-time as a research assistant and get paid $450 weekly. Tasks will be carried out remotely from home and work time is 9 hours/week.

If interested, submit a copy of your updated resume and functional google chat email address to our Department of Psychology via this email to proceed.

Sincerely
[name redacted]
Assistant Teaching Professor
Psychology
Office: COR A***

If someone you know (or at least had previously written to) had their mailbox compromised, the malicious actor who compromised it may try to target you by taking an old legitimate email thread and sending a new reply with either a malicious link or attachment. This trick is called thread hijacking and attackers use it to make their phishing attempt look more legitimate.

Thread hijacking cases often link to malware, so be extra careful around links or attachments until you’re able to confirm they’re safe. Be wary of unexpected replies to email threads that are very old or replies whose contents don’t seem to match the context of the original email. If the reply seems off to you in any way, don’t click on any links or attachments until you can check with the person through a different contact channel that you know is safe (e.g.: phone, video call or asking in person).

It can also be helpful to check the sender address for the reply. If it is unfamiliar or doesn’t match an email address that you already have for the person you had written to, the email is almost certainly a thread hijacking case.

Subject: [EXT] [****-ugrad-dept-****] FW: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022
From: [redacted] Administrative Officer / UVic <EEmard@irorica*****.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hi there,

Please review some latest documents for your department project:

https://outlet******.cl/met/?76539721

If you’ll have any questions, Please contact me.

From: [faculty redacted] Deans Assistant
Sent: September 28, 2021 10:33 AM
To: [redacted]
Cc: [redacted]
Subject: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022

This year, 13 bursaries of $1,500 each will be awarded to exceptional students in the Faculty of [redacted]. Students should be advised to return completed forms to the Office of the Dean by November 1, 2021.

TERMS OF REFERENCE:

Achievement Bursaries recognize undergraduate students who have demonstrated outstanding commitment to the pursuit of excellence in their endeavors. [Redacted] and other areas where individual expression becomes public are recognised through these bursaries. Recipients must have demonstrated financial need and a minimum 3.5 sessional grade point average for students continuing at UVic, or a 70% admission average for students commencing post-secondary studies for the first time.

University officers will distribute application forms to prospective students, who will complete and return them to the Office of the Dean, Faculty of [redacted] by the deadline.

This phish is for the curious mind, there is no context as to why it is sent as the email body is empty. Subject of the email has no meaning on its own just a vague combination of words. There is no reason for anyone to open the attachment, except if you are curious. When we couple curiosity with ignorance, it can lead to negative results, as would be in this case.

Hence, always look for warning signs in an email before taking any action and, think whether you were expecting such email. Never reply back to the scammers asking for more information as they intentionally give vague or no information. Never open attachments in an email, unless you are sure it is not a phish, as it can lead to malware on your device.

Subject: Student Letter
Sender: Irene Vila Ardiaca <*****.udl.cat>
Attachment: 2023 Student Grant Approval.txt

Today we received another variant of the Red Cross job scam phish. It uses the tactic of too good to be true offer to lure users. The sender email address is not official Red Cross email, signature used is vague and does not represent an official authority, asks users to reply from their personal email which is to evade UVic network detection, and the address to reply back is yet another email address external to Red Cross.

Never send your personal information to such scammers, always take the time to look for warning signs in an email. If you have already replied, and/or sent your resume to this email please reach out to helpdesk.

Subject: Flexible Part-Time Job
Sender: Noval Bawoel <****@iconpln.co.id>

The American Red Cross is hiring a Distribution Assistant for a part-time, home-based role with flexible hours and a weekly salary of $700. You’ll buy items online and deliver them to those in need in your local community, requiring 3 hours per day, three times a week. To apply, send your resume/application to Mathew Mammen at ****careers.com using your frequently used personal email.

Thank you for your interest.

Sincerely,

Mass Care Team
American Red Cross

_______________________________________________________________________
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

Even if a document sharing email came from a legitimate service like Google Docs or Microsoft 365, you should still look at it carefully to make sure it’s legitimate. In this case, the phisher abused a compromised account from another  university’s Google tenant to send a Google Docs phish. The phisher even used a UVic professor’s name to make the email look more legitimate.

Phishes like these can be trickier to spot, but as a start, be wary of document sharing emails that you weren’t expecting, especially if they don’t come from someone you know. If you spot a mismatch between who sent the file and who the email says the file is supposed to be from, that can often be a sign that it’s not legitimate. Similarly, if the file is supposed to be from within UVic but it was sent by someone outside of UVic, the email is very likely to be a phish.

From: K***** (via Google Docs) <drive-shares-dm-noreply@google.com>
Subject: Document shared with you: “FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx”

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

K***** shared a document

Unknown profile photo

K***** has invited you to edit the following document:

Dr. L****** shared a file with you.

FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx

Open [link]

If you don’t want to receive files from this person, block the sender from Drive.

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
You have received this email because [redacted] shared a document with you from Google Docs. [Google logo]

High volume phish from a compromised account of another Canadian univeristy encountered, which tries to lure the user with too good to be true offer of salary increase. Phishing signs:

1. Sender email address external to UVic, which wouldn’t be the case if it was an official UVic notice.
2. Too good to be true offer, way too high an increase in salary.
3.  Generic salutation and signature.
4. Grammatical and capitalization errors, and unnecessary use of accents in the text.

Always look for warning signs in an email, and never open attachments in a phish not even for curiosity as it can lead to infecting your device. Always think if you were expecting such an email, if still in doubt contact your departmental IT support or helpdesk.

Subject: 16.89 % Salary Increase Letter 29 September 2023
Sender: [redacted sender email address]
Attachment: UVIC SALARY_protected.pdf

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear All,

Sequel to last wéék notification, find encloséd héré-undér the létter summarizing your 16.89 percent salary increase starting 29 September 2023

Αll documénts are enclosed héré-undér:

NOTE: Your Αccess is needed to go through the salary increment letter, Initial Αccess is Salary

Payroll & Employee Relations