Author: Laura Chan

No doubt you’ve all seen a classic advance fee scam. A stranger emails you asking for assistance in transferring a large amount of wealth that they say they own but can’t access, offering you a cut of it in return. Most of the time, these scams are sent en masse and not targeted to the recipient.

However, a bunch of UVic employees recently received a more targeted variant of this scam where the writer poses as someone wanting to come to UVic:

Those who reply will receive a lengthy letter back. For brevity’s sake I won’t post the whole thing, but here’s the part that makes it clear that this is just another advance fee scam. Note: you can right-click on the image and choose to open it in a new tab or window to view it at full size if the font is too small for your liking.

For more information about work from home scams, see this news article: https://toronto.ctvnews.ca/better-business-bureau-warning-about-these-work-at-home-scams-1.5000409

Note how this spear phish spoofed a UVic email address. While it might look like it came from UVic, it actually came from an external third-party. The link is not a uvic.ca site either, so don’t click on it. If you did, contact your department’s IT support staff immediately.

This spear phishing email pretends to be a notification for the legitimate webmail.uvic.ca service, but hovering over that link reveals that it does not go to a UVic site. Do not go to that site–if you did click on the link, please contact your department’s IT support staff immediately.

An employee of a local vendor had their email address compromised and used to send phishing emails. Notice the part that looks like a file attachment–it actually is a link to a malicious file on OneDrive.

If you receive emails that appear to come from someone you know but don’t quite look right, don’t reply and don’t click on the links. Instead, contact them via a phone number that you already have and know is safe. Also inform your department’s IT support staff and report the phish to the Information Security Office so that we can follow up as necessary.

This is not a legitimate UVic email; it is yet another phish that spoofs a UVic email address. Replies actually go to a Hotmail address.

Reminder: legitimate UVic communications will never ask you to send your login information via email.

This email was not sent by UVic; do not click on the link. The sender addresses of Outlook.Team@uvic.ca, Outlook-Web-App.Team@uvic.ca and Outlook.Web.App@uvic.ca have all been spoofed by the phisher to make the email look legitimate.

This is a spear phishing email pretending to be a notification related to UVic OWA. Subject lines are variable but all of them mention account migration. If you clicked on the link or entered your credentials, contact your department’s IT staff or the Computer Help Desk immediately.

Note the fake trusted sender banner that the phisher added.

This phish tries to imitate the appearance of a Microsoft Teams notification and uses a randomly-generated spoofed UVic sender address. But if you hover over the links for “uvic.ca Teams”, “docs.uvic.ca” and “View | Approve Document”, you will find that those links go to suspicious URLs that are not associated with UVic’s Microsoft Teams service.

This phish tries to get the recipient to send their credentials by email rather than using a link to a phishing website.

Remember: legitimate UVic communications will never ask you to email your password. Passwords should never be sent via email since it is not a secure method of communicating or storing them.

Sometimes an email will look like it came from a legitimate sender, but in reality the sender email was faked. This is called email spoofing, and the phish below gives a good example of that. Here, the phisher spoofed distributions@grants.gov, but a close look at the mail headers revealed that it did not come from grants.gov and replies to the message would actually be sent to a different, very suspicious-looking address.

This carefully-crafted spear phish for the most part looks like it could have been written by Jamie Cassels–but of course it wasn’t. One of my colleagues found that the phisher actually copied much of the wording from an April 22 open letter from the president of McMaster University.

If you recall opening the attached PDF, please contact your departmental support staff or the Computer Help Desk as soon as possible.

The CRA has a reference page on how to recognize scams here: https://www.canada.ca/en/revenue-agency/corporate/security/protect-yourself-against-fraud.html