This email tricks the user into clicking the link in the attached PDF. The link opens a Google form and requests the user to enter their username, password and Duo code. In this case the attacker is impersonating UVic payroll.
This one has the usual red flags:
- Take note of the sender email address, it is not from a UVic account.
- The salary increase, if it’s too good to be true, it usually is. 16.89% is far more than a typical yearly increase.
- The password to open the PDF was in the same email.
- There are spelling and grammar mistakes, “here-under” being a glaring one.
- The use of homoglyphs, for example the word “NOTE”, have a look at the O in the example below and see if you can spot it.
If you clicked on the link reach out to the computer helpdesk or your support.
Subject: 16.89% Salary Increase Letter 2024-11-19
From: University of Victoria <[redacted] @***e.edu
Attachment: PDF with file name UVIC Salary- Audit NovYou don’t often get email from [redacted]@***e.edu. Learn why this is important
Dear Αll,
Sequel to lαst week notificαtion, find enclosed here-under the letter summαrizing your 16.89 percent sαlαry increαse starting 2024-11-19
Αll documents are enclosed here-under:
NΟTE: Your Αccess is needed to go through the sαlαry increment letter, Initiαl Αccess is Salary
Pαyroll & Employee Relαtions