Fake OWA Page

This payroll scam email resembles many we’ve seen the past. Note the non-UVic sender.

The link goes to a Fake OWA page that does not resemble any of our UVic services.

This has nothing to do with UVic. You’ll notice the godaddysite domain in the address bar.

Ignore and delete this email.

Another fake OWA page

The phish tries to persuade the victim that their email was blocked and they need to click the button in order to “restore access”.

After clicking a fake OWA page opens with the intent to steal the victim’s UVic password.  The fake OWA (Outlook Web App) page is in fact hosted on a Russian server (see the address bar).

Do not click on the “restore access” in that email!

A letter from the president

Today a number of UVic recipients received an impersonation email supposedly from the president Jamie Cassels.
The email looked like this:
This is a typical start of a gift card scam. We wrote about those back in November:

and later on the topic was covered with more detail by our Chief Information Security Officer:

Please do not respond to impersonating emails (even for fun) and report them by using the “phish” button.

Financial statement

This phish pretends to be sending financial statements for 2020 (misspelled in the subject as “satement”). The email body looks like this:
The actual attachment is a html file which redirects the victim to a UVic like OWA page:
with the intention to steal your credentials. That page is clearly external – look at the address bar in the screenshot.

Invoice Payment Redirection

An email account at one of UVic’s suppliers was compromised.  The attacker accessed the email account at the supplier and attempted to have staff at UVic send payment to a bank account owned by the attacker via wire transfer.

While the staff person in this particular department did not immediately suspect a fraud attempt, they eventually called the supplier contact and confirmed with the supplier that they did not send those emails.  No payment was sent.

Below are redacted screenshots of emails sent by the attacker.  If you receive similar emails, contact your supplier using a phone number you already have on file, inform UVic Accounting, and contact the Information Security Office.

This is the initial contact from the attacker:

The attacker starts to get demanding here:

And finally, the attacker forgets that improper spelling and grammar is a strong indicator that something is wrong: