Author: Laura Chan

In this targeted phish, the phishers use the appeal of a salary increase to get you to open the PDF and click on the link inside it. Red flags to watch out for:

• The email did not come from a UVic email address.
• The greeting is impersonal.
• There are errors in spelling, punctuation and grammar. If you are very sharp-eyed, you might also notice that lowercase a’s have been replaced with lowercase Greek letter alpha.
• Official university emails would not use difficult-to-read light green text.

If you opened the attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

---

From: University of Victoria <*******@*******n.edu>
Subject: Salary Adjustment Acknowledgement
Attachment: [PDF icon] UVIC-protected.pdf [59 KB]

You don’t often get email from ********@*******n.edu. Learn why this is important.

Deαr Emplοyees,

I αm hαppy to let you knοw that yοur salary increase has been apprοved. We appreciate yοur hαrd wοrk and dedicαtion to The University of Victoria, and this αdjustment reflects yοur cοntributions appropriately.

Stαrting from 26 July 2024, your sαlαry will be increαsed by 16⋅82 percent.
This αdjustment αcknοwledges yοur effοrts and αligns with our cοmmitment to recοgnizing αnd rewαrding our vαluαble emplοyees.

NΟTE: Your Αccess is needed to go thrοugh the sαlαry increment letter, Initial Αccess is Salary

We lοk fοrward to yοur cοntinued successful input at The University of Victoria

Pαyrοll & Emplοyee Relαtiοns

Job scams impersonating UNESCO and other UN agencies are something we see on a regular basis. By offering a generous salary for only a few hours a week of simple remote work tasks, these unscrupulous scammers prey on students looking for extra money to cover the cost of tuition, rent and other necessities. The red flags in the email message are the usual ones:

• The email did not come from a UNESCO or UN email address, nor did it come from a UVic sender.
• The salary is too good to be true for part-time remote work.
• The email contains grammatical errors and awkward wording.
• You are told to send replies to an Outlook.com email address. If a job offer asks you to contact an address from a free email provider, there is a very high chance that the offer is a scam.
• You are asked to reply from your personal email address. Scammers do this to shift the conversation away from UVic’s email security controls and avoid detection.

If you contacted the scammer, reach out to the Computer Help Desk or your department’s IT support person immediately for assistance. If you opened the attachment, update your computer’s antivirus and perform a full scan as a precaution.

If there is no job interview before you’re accepted into the position, or you never get to meet your supposed employer (either in person or by video call) before you start working, that is a very strong sign of a job scam. If any of the following occur, do not proceed!

• You are told to share your UVic or other login credentials–never share those with anyone!
• You are asked to purchase gift cards, then send photographs of them with the PIN revealed. Don’t do this even if you were given a cheque beforehand–that cheque will probably bounce and you’ll lose the money used to purchase the cards.
• You are given a cheque to deposit in your account and told to send part of the amount to someone else. This may be a cheque overpayment scam (the cheque you received would eventually bounce, meaning the money you sent would come from your own funds), or the scammer may be trying to use you as an unwitting money mule to launder money.

---

From: N****** <[redacted]@quadro.net>
Subject: Part-Time job.
Attachment: [Word document icon] UNESCO JOB (1).docx

You don’t often get email from [redacted]@quadro.net. Learn why this is important.

—
Job opportunity information to anyone who might be interested in a paid UNESCO Part-Time job with a weekly pay of $750.00. If interested, kindly contact Cargill on his email address. ([redacted]@outlook.com) with your alternate non-educational email address I.e., Gmail, yahoo, Hotmail etc.) for further details of employment.

N.B, this job is strictly a work from home position.

If you get an unsolicited email that offers to give away something valuable for free and it’s not from someone you know, it’s probably too good to be true. This is very likely to be the case when someone says they are giving away a late family member’s grand piano–emails of that sort are a common scam. Some versions may even attach photos of the supposed piano, but they’re probably stock images or ripped off of somebody else’s listing. If you are told to reply from personal email or a different communication method, that is a red flag as well; scammers do this to move the conversation away from UVic email to avoid detection.

If you reply to indicate you’d like the piano, you’ll be told to contact and pay a “moving company” to ship the piano from out of town, but the moving company will turn out to be fake and you’ll never receive a piano after you’ve paid up. In general, it’s extremely risky to pay a random person or moving company for a piano (or other item of value) sight unseen; the item may not actually exist or not be what you were expecting.

Watch out for versions of the scam that impersonate real people at UVic. If the email was not sent from a UVic email address, or you’re instructed to contact an email address that is not from UVic, you can be certain the email is a scam. If in doubt, don’t reply to the email–to determine the email’s legitimacy, contact the person through another method that you know is safe (e.g.: using the contact information on their directory entry or by asking in person). Sometimes, one name will correspond to a real person at UVic but the other one will not, which is another sign of a scam.

---

From: Paulina Hagerman <s*********8@gmail.com>
Subject: Yamaha baby grand 05/13/2024

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello,

I’m offering my late husband’s Yamaha Piano to any music enthusiast who may appreciate it. If you or someone you know might be interested in receiving this instrument for free, please feel free to reach out to me.

Warm regards,
Paulina

From: [impersonated UVic employee] <[redacted]@gmail.com>
Subject: Yamaha Piano donation

Attachments: [Three thumbnail images showing a Yamaha baby grand piano from different angles]

Dear Student /Staff/Faculty,
One of our staff, Mr.Stephen Whitehead. is looking to give away his late dad’s piano to a loving new home. The Piano is a 2014 Yamaha Baby Grand size used but still new. Kindly write to him to indicate your interest on his private email( [redacted]@mail.com) to arrange an inspection and delivery with a moving company. Kindly write Mr. Stephen Whitehead via your private email for a swift response.

[impersonated UVic employee]
Assistant to the Dean
https://www.uvic.ca

This phish specifically targets UVic and contains many of the classic red flags:

• The email was sent from someone outside of UVic
• The greeting is impersonal
• The message creates a sense of urgency and threatens you with an adverse impact
• The message contains many grammatical errors
• The signature is generic and doesn’t mention UVic

Hovering over the link without clicking on it (or holding down your finger on it on a mobile device) will reveal that the link goes to a page from a free online form builder. A legitimate UVic login page would not be hosted on an online form builder.

If you entered credentials on the phishing page, change your password immediately and contact the Computer Help Desk or your department’s IT support person.

---

From: [redacted]@h******.se
Subject: University of Victoria_Update

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello user,

This is the last and final notice or our administrator will disable your access to your email.

Please click here to upgrade your University Of Victoria_Update your account security by completing the required details to avoid the deactivation of your University of Victoria edu account.

A cordial greeting wu,
IT Service Desk (c)2024

Who wouldn’t like a salary increase, especially when the cost of living continues to be so high? But that’s precisely the feeling that phishers are trying to take advantage of when they create these kinds of phishing emails. Here are some signs that the email is not legitimate:

• Although the message claims to be from payroll@uvic.ca, the sender information shows the email was actually sent from a non-UVic address.
• The message greets you with your email address instead of your name.
• The capitalization of UVic is wrong, there’s a spelling error in the sender name, and the wording of the message is awkward.
• The email creates a sense of urgency to get you to act hastily.
• Hovering over the link shows that it does not go to uvic.ca.

From: HR Deparment | uvic.ca e-Sign <yonet926@********.ne.jp>
Subject: Uvic Employee Salary Increase Approval 2024/25

This message was sent with high importance.

Hi ********@uvic.ca,

HR Department (payroll@uvic.ca) shared a new pdf file “Uvic Employee Salary Increase Approval Letter.pdf”  with you securely for your urgent attention.

VIEW DOCUMENT [phishing link]
1 item, 54.5 KB in total · Expires on 29 March, 2024

Report to uvic
© 2024

Job scammers are continuing to try to take advantage of students looking for extra cash to help pay for tuition, housing and other essentials in these times when the cost of living is so high. Below is yet another job scam that impersonates a real UVic professor.

For more information on job scams and how to spot them, see also these guides from CBC News and TD Bank.

Red flags to watch out for

• The email came from a Gmail address. A real UVic job opportunity should be announced from a UVic email address. Ones that come from a free email provider like Gmail or Outlook are probably scams.
• The pay is too good to be true for a part-time student job that requires no prior experience and is open to anyone.
• The offer implies that there will be no job interview before you get assigned a work schedule. A legitimate job should give you a chance to meet the employer in person or on a video call before you accept an offer. If you are accepted without an interview, the job is very likely to be a scam.
• The email asks you for an alternate email address and cell phone number. Scammers often do this to shift the conversation away from UVic email and evade monitoring.
• The subject line contains punctuation errors.

Common methods that the scammers use to steal money from people who reply

• They ask you to purchase gift cards from a local store and send photos of the cards with the PINs revealed. That gives the scammer the information needed to use the funds on the cards. The scammer either will not reimburse you at all or give you a cheque that will ultimately bounce a few days later.
• They give you a cheque to deposit and tell you to transfer some of the funds to another person and keep the remaining funds (cheque overpayment scam). A few days later, the cheque will bounce, meaning the amount you transferred is gone from your own funds.

If you replied to the scammer, reach out to the Computer Help Desk immediately for assistance.

From: Dr. [redacted] PhD.
Subject: #Your Invitation to participate..

You don’t often get email from dg3******@gmail.com. Learn why this is important.

Hello,

If you may be interested in working as a temporary research aide collecting data remotely and earning $300 weekly, indicate interest by providing the required information below and I will send you a follow-up email detailing your work schedule.

This is an adaptable job that requires no prior experience irrespective of your major discipline.

Full Name:
Cell #:
Alternate email:

Regards,

Dr. [redacted] PhD.
Professor,
Health Information Science
HSD Building, A***
Victoria BC   Canada

Always be wary of unexpected or unsolicited emails that contain attachments as they may contain malware. The vagueness and generic nature of this message should be a red flag and may be a ploy to get you to click on the attachment. Since the message does not address the recipient by name and provides no information about the supposed payment, it’s likely that it was a mass mailout and therefore not a legitimate invoice.

If you’re inclined to think that the attachment should be harmless because SVG is an image format, think again! SVG files can actually contain embedded scripts, meaning they can be laced with malware, which is definitely the case for this sample. If you clicked on this attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

From: allen.lopez@o******.com
Subject: Payment Confirmation

Attachment: [Generic file icon] RTVBAS05GDBA09.svg (2 KB)

Payment Received, attached is your invoice.

These job scam emails appear to have come from compromised accounts at another Canadian university. Always evaluate whether the content of the email looks legitimate, even if it came from what would normally be a reputable source (even if it came from within UVic!).

This email has many of the typical signs of a job scam:

• The email directs you to reply to an AOL email address from your personal email. If you are asked to apply to a job by contacting an address from a free email provider, in all likelihood it’s a scam. The request to shift to personal email is a tactic to shift the conversation to a place that UVic can’t monitor.
• The salary is too good to be true.
• There are no details about what the job involves.
• There are grammatical errors including mistakes in capitalization.
• The email claims to offer a job with the World Food Programme, but they did not send the message and the name of the contact person doesn’t match the name of the sender of the email.

If you replied to the scammer, contact the Computer Help Desk immediately for assistance.

From: [redacted]@**********.ca
Subject: Hello!

I am sharing job opportunity information to anyone who might be interested in a World food programme Part-Time job with a weekly pay of $600.00. If interested, kindly contact Dr. Mattias on his email address. b******b@aol.com for details of employment.

You can contact him from your private E-mail address only.

These job scam emails are very similar to previous ones we’ve written about. Scammers are continuing to try to take advantage of students’ financial need by offering a relatively generous amount of pay for a small amount of remote work.

Other red flags:

• The email came from a Gmail address. A real UVic job offer would come from a UVic email address. Job offers sent from addresses from free email providers are typically scams.
• The name of the sender doesn’t match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of a scam.
• The scammer wants to shift the conversation to Google Chat. This is a common tactic to move the conversation away from UVic email to evade monitoring.

As always, if you replied to this email, contact the Computer Help Desk immediately for assistance.

From: Nwabueze Ekene Precious <[redacted]@gmail.com>
Subject: Work-Study Opportunity

The service of a student is urgently required to work part-time as a student assistant and get paid $250 weekly. Tasks will be done remotely and work time is 8 hours/week. To apply, kindly submit your resume and a Google chat email address to the Department of Geography via this email address to proceed.

Sincerely
D***********
Professor
Department of Geography
Office: [redacted]

Just because a message appears to come from within UVic doesn’t necessarily mean it actually did. This example actually came from an external source but spoofs a UVic sender address.

Always be wary of unsolicited or unexpected emails that contain attachments since the attached file may contain malware, as is the case with this email’s ZIP attachment. The brief, vague message body that gives no indication of what the supposed documents are about is an additional red flag. If you clicked on the attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

From: *******@uvic.ca
Subject: Please find the attached

Attachment: [ZIP file] Docs.zip (3 KB)

Please find the attached documents.

Thanks.
Khelmer

This targeted phishing email takes the unusual step of asking you to send a text message to a phone number. Trying to quickly shift to a different communication method is often a red flag; phishers (and scammers) do this to move the conversation to a place that UVic can’t monitor. Real UVic communications will never ask you to send a text message to upgrade/keep/secure your account, and the fact that the phisher is using a phone number with a New York City area code is a further sign that the email is not legitimate.

Other red flags include:

• The email was sent from a Gmail account. Note how the email system has added a warning that you don’t often get email from this address; this can be a sign that the sender is not someone you know already and may not be trustworthy.
• The greeting is impersonal.
• The email threatens you with an adverse impact to try and get you to act hastily.
• There are a few grammatical errors and awkward wording choices.

If you texted the phone number in the email, disregard any instructions in any replies you receive and block the phisher’s phone number. You will also need to keep an eye out for future attempts to phish or scam you via SMS or phone calls as your phone number would now be in the hands of someone malicious.

From: ke*****1280@gmail.com on behalf of University of Victoria <g1*****+UniversityofVictoria@gmail.com>
Subject: You have got an urgent message from The University of Victoria

[You don’t often get email from g1*****+universityofvictoria@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification]

Dear User,
This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send your “UV-UPGRADE” to (646) ***-****

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.
Please accept our apologies for any inconvenience this may cause.

Regards
System Administrator
University of Victoria

Always be extremely wary if you get an unsolicited email with a ZIP attachment, especially if the sender address isn’t one that you recognize. There’s a good chance the attachment contains malware, and that holds true for this example. The vagueness of the message and poor grammar are also red flags.

Do not click on the attachment–if you did, contact the Computer Help Desk or your department’s IT support person immediately! Also, do not forward these sorts of emails, even if your intent is to warn others, because forwarding the message inline will leave the attachment exposed where someone else can mistakenly click on it (it’s safer to send a screenshot instead).

From: ga******@******group.com
Subject: Please confirm receipt..

Attachment: [ZIP file] 87645345.zip (4 KB)

Hello,

Please acknowledge upon receipt of my today payment.
via (e-transfer)

Thanks

Irene Cordero.

While it’s true that we are requiring everyone to enrol in UVic MFA, this email is not legitimate and is a case of quishing (QR code phishing). Here are the signs that this email is fraudulent and the QR code is not safe to scan:

• Although the sender name mentions UVic, the email actually came from an external email address.
• UVic is capitalized incorrectly and there are some wording errors in the message.
• The email instills a sense of urgency by threatening expiry within a very short period of time, which is an attempt to trick you into acting hastily. Genuine emails of this nature will usually give you multiple notices well in advance of the deadline.
• The email contains a QR code. Legitimate QR codes for MFA setup will never be sent by email. If a QR code is in an email, it’s usually because the scammer is using it to disguise a malicious link.

---

From: Noreply_Uvic <greatfoob@grumpy******.ca>
Subject: Uvic Mandatory Multi-factor Authenticator
This message was sent with high importance.

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Microsoft Authenticator icon]

Microsoft 365 sign-in for multi-factor authentication

• The multi-factor authentication for is set to expire within 24 hours.
• Scan the barcode below to reauthenticate your multi-factor authentication within 24 hours and stay connected to Microsoft 365 apps and services.

[Malicious QR code]

Contact Microsoft help desk if you have any questions.

This email was sent from an unmonitored mailbox.
You are receiving this email because you have subscribed to Microsoft Office 365.
Privacy Statement
Microsoft Corporation, One Microsoft Way, WA 98052 USA
Microsoft

STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of

In these days when the cost of living is so high, the prospect of getting generous pay for part-time work would be appealing, but scammers are well aware of that and trying to take advantage. The following job scam claims to offer an opportunity with the UN World Food Programme, but in reality the email was sent from a compromised account at another Canadian university.

A major red flag is that the email asks you to reply to a Gmail address. A real UN job offer would not ask you to contact an email address from a free email provider like Gmail, Hotmail/Outlook or Yahoo. Also, the fact that the email contains grammatical errors is another sign that the offer is not legitimate.

Remember, if you receive a job offer out of the blue and it offers a generous salary for a minimal amount of casual part-time work, in all likelihood it is a scam. In general, if an offer sounds too good to be true, it probably is. If you replied to this email, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

From: [redacted]
Subject: Don’t sleep on this!

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

I am sharing job opportunity information to anyone who might be interested in a World food programme Part-Time job with a weekly pay of $600.00. If interested, kindly contact Dr. Mattias on his email address.

(k*****02@gmail.com) for details of employment.

N.B, this is strictly a work from home position.

Job scams that pretend to be from the Red Cross seem to becoming more common. As with many other job scams that we’ve seen before, the scammer tempts people with a generous salary for a minimal amount of work. If a job offer arrives unsolicited and the compensation is too good to be true, you can be sure it’s a scam.

Other red flags that indicate that the offer is fake:

• The email was sent from an address that does not belong to the Red Cross. A legitimate email from the Canadian Red Cross would come from a redcross.ca email address.
• The message contains multiple grammatical errors.
• You are asked to reply from your personal email–this is a trick to move the conversation off UVic email to evade detection.
• Replies are to be sent to a different address from a Red Cross lookalike domain.
• The confidentiality notice is not from the Red Cross.

If you replied to this email, cease contact with the scammer and reach out to the Computer Help Desk immediately for assistance.

---

Subject: Remote Flexible Job
From: [redacted] <********@iconpln.co.id>

Distribution Assistant is vacant at the National Red Cross with a weekly pay of $500. 3 hrs. per day, 3 times a week is required for purchasing of online items and delivering them to foster/disable homes in your local community. To apply, send cv/application to Mammen at jobs@arc-******.com with your personal email.

NRC

---

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.