Emergency Warning: Mailbox Quota Exceeded

Fresh phish received today afternoon. Many people have reported it. Kudos to you all!!

This phish has the tactics of scaring you into logging in on the phishers webpage.

Telltale signs:

  1. Sender name and the email signature doesn’t match.
  2. External sender address, why would helpdesk use external email?
  3. False sense of urgency, ‘a restriction has been placed on your account’.
  4. Generic salutation and fake helpdesk signature.
  5. External link, check by hovering over the link, UVic will never ask to validate or reactivate account using external hosted webpages.

Always think if it were to be a true scenario what would the legit email look like, if you have the answer then you can easily spot the phishing signs. Whenever in doubt always confirm with helpdesk rather than clicking on links.

IMPORTANT NOTICE

How many “important notices” did we have so far?  Hopefully UVic users can identify this phish easily. Below is a screenshot of the message. The sender is some compromised account in another university. The usual urgency tactic (otherwise your account is going to be deleted). To make it more authentic, they even mention phish!
If a scammer mentions “scam” that doesn’t make them legit, does it?

Again – do not be curious, do not click on these links. They might contain malicious software to infect your computer instantly.

Urgent Reply

Phish with this subject was received on Friday evening. This is a straightforward phish with no context whatsoever. An external sender asking if you want to claim this unbelievably large sum of money. It has nothing in it that would give you even a slightest impression of being legit. There is hardly any content in the email, just one sentence that too lacks formatting and have punctuation errors. The approach by this phisher is simple, lure you in with too good to be true offer.

Never reply to such emails. The large sum of money is always to attract potential victims.

ADMINISTRATIVE INSTRUCTION

This phish looks quite convincing. The sender is external and the body of the message is a bit vague in order to provoke the reader’s curiosity to open the pdf file.
——————————————————————————

The pdf itself contains the following text. It promises $400 for 3 hours of work (too good to be true especially when sent to an unknown recipient)
At the end they ask you to provide personal information.

————————————————————————————

Dear Students,

This phish came in slowly over the period of around 3 hrs. Although the subject is to target students but staff also got it. It is very simple and to-the-point phish, creates a sense of urgency, your account will be deactivated if you don’t sign in using the link given. The sender address and the link given are both external. You will never be asked to sign into an external link to authenticate your UVic account.

Never be in a hurry to click on links just because the content of the email says so. Always look for warning signs.

NEW FAX MESSAGE

This phish has variations, but the common thing is to click to get a document, a voicemail, etc. The one circulating today pretends you received a fax (somewhere?!) and it is one click away. What happens actually when you click is that a browser window opens and a .jar file downloads automatically.  Jar files are Java programs, and this one is a malicious one. Once downloaded, there is a chance you click on it, the program executes and your computer gets infected.
Please report such phish, do not be curious and do not click on the buttons.

RE: GN109643HT [Another UN-themed job scam]

Once again, a compromised account from a UN organization has been abused to send job scam emails claiming to be from UNESCO. Be wary of unsolicited job offer emails, especially if they come from an organization that you don’t recognize or don’t have prior dealings with. Such emails are very likely to be scams, especially if the offer seems too good to be true. Do not open attachments from such emails in case they contain malware.

A key sign that this email is not legitimate is the fact that it is instructing you to contact an email address on un-escojob[.]com (don’t try going to that site!). This is a fraudulent domain that has been crafted to look like a UNESCO email address. Other red flags include various proofreading errors and the impersonal signature line.

For more information:

You have missed a NetCall from 01-348 9288. or You *@uvic.ca receive a share document

Yesterday evening we received medium volume phish with the given two subjects. The reason these two types of phishes are combined in one post is that phish links are the same in these, presumably same threat actor.

Both these phishes are social engineered to invoke your curiosity as to what the voice message or shared document would be. This curiosity leads to clicking of the links. These are claiming to be Netcall service and Sharepoint but if you check the sender’s email domain its neither of those. The links also doesn’t relate to any of these services. Other giveaways are grammatical errors, salutation is your email account, urgency in the NetCall phish ‘automatically deleted after 48 hours’.  The easiest way to recognize these types of phishes is asking yourself were you expecting such an email.

Never be curious and eagerly click on links, you can always check the link by hovering over it. If in doubt, report the email using ‘Report Phishing’ button or reach out to DSS or helpdesk.

 

 

You have 3 important messages that have not reached you

This targeted phish claims to come from UVic, but the sender address is external, which is a warning sign. Depending on what mail app you use and how you’ve configured it, you might see the UVic wordmark at the top of the message. Phishers often copy the branding of the organization they are trying to impersonate to make the phishing email look like it’s legitimate.

There are also other red flags in the message text:

  • It instills a false sense of urgency by claiming there are important messages that have not reached you
  • There are a couple of errors or typos, most notably the spelling error in “Usser”
  • If you hover over the link, you will see it does not go to www.uvic.ca

Always evaluate whether the message could be phish before clicking the link. The factors described above indicate this link is not safe. Clicking on the link to determine whether it is legitimate is a bad idea; the link could lead to malware, or it could go to a phish site that closely imitates the real login page. The latter is the case for this phish–the link leads to a replica of the real UVic login page.

Re: UNICEF – Work from Home

Apparently, phishers don’t take the weekend off. We received this high-volume phish over the weekend. It is similar to the other paid part-time job offer phishes we have been receiving.

Phishing signs:

  1. ‘Re:’ in the subject line is to confuse the recipient that it is a reply to a previous email, which is not the case.
  2. Pretending to be some sort of career academy, ‘Academy Career’ but doesn’t have any name for this academy so just put these two words together.
  3. This one has a salutation but salutation is just your account name, not your name.
  4. Too good to be true offer, and the text has grammar and spelling mistakes.
  5. Asking to use your personal email to respond, the reason is to avoid UVic monitoring.

Please be aware of such too good to be true offers. Always pay attention to the little details that can give away it is a phishing scam.

Dear Staff/Student

As we were looking forward to the weekend, phishers were looking forward to phishing. This phishing email has the usual telltale signs:

  1. External sender, why would an external sender be involved in updating UVic’s privacy policy.
  2. The UVic mark in the email is just to trick the recipient’s into believing that it is coming internally from UVic.
  3. Threatening in a polite way, if you do not update you would face login interruptions.
  4. No salutation or signature.

Don’t be in a hurry to click on links or taking actions suggested by the phisher. Always take a moment to think and look for phishing signs. If in doubt, you can always confirm with help desk or your DSS support.

Security Warning

We received this phish today morning. If looked closely, you can find the phishing signs easily. Here are the signs:

  1. Sender posing to be ‘Help Desk’, but email address is external.
  2. Generic salutation.
  3. The link is external, find out by hovering over the link, hidden behind ‘uvic.ca’ but it is actually an external link. The domain name is created to confuse the recipients as it is ‘uvicca3’ (not uvic.ca). Always pay close attention to the domain name.
  4. Vague signature. Not legit helpdesk signature.

Always think and look for phishing signs as those mostly are easy to spot. Do not be hasty in taking the actions recommended in the phish email.

 

Dear User, or Dear staff/student

This phish was received by many recipients in our organization last evening.

It has usual phishing email signs:

  1. Subject line doesn’t make sense, salutation is the subject line.
  2. External Sender (see sender email address) but posing to be ‘uvic.ca’.
  3. Generic salutation.
  4. Sense of urgency, reset password was requested but click to keep your current password. Although, the language used is more confusing than urgency but still can lead to hasty actions on recipient’s part.
  5. External link, UVic will never ask you to fill your credentials on external webpage.

If in doubt, better to contact helpdesk or your DSS than clicking on links yourself.

 

Paid UNIDO Part-Time Job

Once again, there is a job scam email circulating that is impersonating a UN organization, specifically the United Nations Industrial Development Organization (UNIDO). It is quite similar to a fake UNESCO job offer email that we saw a few weeks ago. Note that the sender is not someone from unido.org; this is a sign that the email is fraudulent.

Always be wary of job offers that come out of the blue from a person or organization that you don’t know; they are very likely to be a scam. The numerous capitalization and grammar errors in the email are also a bad sign. Do not open any attachments from such emails in case they contain malware.

If you’re wondering why the scammer is asking you to reply from your alternative email address, it’s because they want to shift the conversation off UVic email to evade our monitoring and detection systems.

For more tips on how to spot job scams, see this CBC article.