
This phish was particularly tricky because it was sent from a compromised UVic account. For this reason, do not automatically assume that internal emails are always legitimate! The main red flag is the fact that it instills a false sense of urgency. Phish emails often claim something is urgent or that there is a problem that you must fix to trick you into acting hastily and without thinking. Even if something claims to be urgent, it’s a good idea to take a deep breath and pause for a moment to confirm whether it really is that urgent and make sure there isn’t anything that looks or feels wrong.
There are some other subtle signs that this email is not legitimate:
- The email says that your official student record is available, and yet some parts of the email seem oddly generic, like the greeting and the transcript number. Generic or impersonal content on something that should be a personalized notification is often a sign of a mass-mailed phish.
- Official transcripts are only sent if you ordered one, and having to verify transcript information by clicking on an email attachment is not a normal process.
- If you are really sharp-eyed, you might notice some of the letters look different across different parts of the email, especially lowercase a’s. This is because the phisher replaced some of them with similar-looking characters from other languages’ alphabets to evade mail filters. This trick can be hard to spot, but if you happen to notice it then you can be sure the email is phish!
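The look-alike letter trick can also be checked mechanically. The following is an added example, not a tool used by UVic InfoSec: it flags words that mix letters from more than one script. The sample text is constructed from phrases in the email below, with the substituted letters assumed to be Greek and written as escapes so they are visible.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample modelled on phrases in the email; look-alike letters are
# written as escapes so they are visible (assumed here to be Greek).
SAMPLE = (
    "your official student record is n\u03bfw available for review.\n"
    "* Full leg\u03b1l n\u03b1me (misspelling or outdated)\n"
    "To \u03b1ccess your transcript, you will need your University credenti\u03b1ls.\n"
    "Office of the Registrar\n"
)

def script_of(ch):
    """Coarse script label: first word of the Unicode name (LATIN, GREEK, ...)."""
    if not ch.isalpha():
        return None  # digits, underscores and marks do not count
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]

def mixed_script_words(text):
    """Return (word, [odd characters]) for each word mixing scripts.

    A word written entirely in one script (an all-Greek name, say) is not
    flagged; only letters that differ from the word's dominant script are.
    """
    findings = []
    for word in re.findall(r"\w+", text):
        scripts = Counter(s for s in map(script_of, word) if s)
        if len(scripts) < 2:
            continue
        dominant = scripts.most_common(1)[0][0]
        odd = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
               for c in word if script_of(c) not in (None, dominant)]
        findings.append((word, odd))
    return findings

if __name__ == "__main__":
    for word, odd in mixed_script_words(SAMPLE):
        print(f"{word!r}: {', '.join(odd)}")
```

Words written entirely in one script, accented Latin letters and digits are left alone, so only genuine mixing inside a single word is reported.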
If you need to check your administrative transcript, the safest way to do so is to go directly to https://www.uvic.ca/ to log in, preferably using a bookmark that you already have, and then navigate to the transcript portal using the links on the Online Tools page or with the help of the top search bar.
The aforementioned red flags all indicate that the PDF attachment is not legitimate and is not safe to open. UVic InfoSec used some specialized tools to safely examine the phishy PDF’s contents (important: do not try this yourself). The document contained UVic branding, a link to view the “protected” file, and detailed instructions on how to generate MFA bypass codes, which is something that the phishing site specifically asks for.
- If a document says the content is secure, protected or encrypted, and you have to click on another link or button to view the content, do not proceed as that is a sure sign of a phish.
- If an email or document tells you to generate MFA bypass codes that you’re then supposed to provide on a form along with your password, do not proceed. The phisher is trying to trick you into giving them enough information to log in to your account without alerting you with an MFA push.
- Beware of login forms that tell you to expect and approve an MFA push later in the day or further out than that. If you saw something like that after you entered your password, change it immediately and contact the Computer Helpdesk or your department’s IT support staff. Never approve MFA pushes that come when you are not logging in, and do not approve pushes that are coming from an unexpected location even if you just entered your password on something that looks like a login form.
Email transcript
Attachment: [PDF icon] University of Victoria_protect… (289 KB)
[UVic logo]
Office of the Registrar | University of Victoria
Date: Monday, March 2, 2026
Transcript #: Transcript 2026
Dear Students, Alumni, Faculty, and Staff,
We are pleased to inform you that your official student record is nοw available for review. This document contains your academic accomplishments, and we encourage you to verify its accuracy at your earliest convenience.
Accessing Your Transcript:
Missing Details in your Transcript Report
* Full legαl nαme (misspelling or outdated)
* Student ID number
* Date of birth
Important Note:
To αccess your transcript, you will need your University credentiαls. The initial αccess point is labeled: Transcript2026
Office of the Registrar
Office Hours: Monday-Friday, 8:00 AM – 5:00 PM
Sincerely,
Office of the Registrar
PDF screenshot and transcript

[UVic logo]
This Document is Protected
To view shared file Via PDF File, Click the button below:
View Files [phishing link]
How to Generate Duo Bypass Codes (Self-Service) at UVic
[Watermarked UVic logo]
Before you begin
You need:
- Your UVic Netlink ID (username) and password
- Your current Duo second factor (Duo Mobile app push, app-generated passcode, SMS, call, hardware token, etc.)
Step 1 – Log in to your NetLink profile
- Go to the UVic NetLink portal or directly to the MFA management page: https://www.uvic.ca/netlink/manage/mfa/manageDuo (Or start from https://www.uvic.ca/systems/netlink/2fa/index.php and click “Manage duo multi-factor authentication”.)
- Log in with your NetLink ID (username) and password.
- Authenticate with your current Duo method (e.g., approve push on Duo Mobile app or enter app passcode).
Step 2 – Navigate to bypass codes
- Once logged in, go to Your profile > Manage Duo multi-factor authentication > Manage bypass code(s) (or similar section labeled “Manage bypass codes”).
Step 3 – Generate codes
- Choose to generate:
  - 10 single-use codes (no expiration date, each works once), or
  - One 24-hour code (temporary full access).
- Click Generate (or equivalent button).
- The codes will display on screen

