“Hello!” or “Greetings!” job scam email

These job scam emails appear to have come from compromised accounts at another Canadian university. Always evaluate whether the content of the email looks legitimate, even if it came from what would normally be a reputable source (even if it came from within UVic!).

This email has many of the typical signs of a job scam:

  • The email directs you to reply to an AOL email address from your personal email. If you are asked to apply to a job by contacting an address from a free email provider, in all likelihood it’s a scam. The request to shift to personal email is a tactic to shift the conversation to a place that UVic can’t monitor.
  • The salary is too good to be true.
  • There are no details about what the job involves.
  • There are grammatical errors including mistakes in capitalization.
  • The email claims to offer a job with the World Food Programme, but they did not send the message and the name of the contact person doesn’t match the name of the sender of the email.

If you replied to the scammer, contact the Computer Help Desk immediately for assistance.

Job scam email claiming to offer a generously paid part-time job with the World Food Programme

From: [redacted]@**********.ca
Subject: Hello!

I am sharing job opportunity information to anyone who might be interested in a World food programme Part-Time job with a weekly pay of $600.00. If interested, kindly contact Dr. Mattias on his email address. b******b@aol.com for details of employment.

You can contact him from your private E-mail address only.

“Work-Study Opportunity” and similar job scam emails

These job scam emails are very similar to previous ones we’ve written about. Scammers are continuing to try to take advantage of students’ financial need by offering a relatively generous amount of pay for a small amount of remote work.

Other red flags:

  • The email came from a Gmail address. A real UVic job offer would come from a UVic email address. Job offers sent from addresses from free email providers are typically scams.
  • The name of the sender doesn’t match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of a scam.
  • The scammer wants to shift the conversation to Google Chat. This is a common tactic to move the conversation away from UVic email to evade monitoring.

As always, if you replied to this email, contact the Computer Help Desk immediately for assistance.

Job scam email impersonating a UVic geography professor, sent from a Gmail address

From: Nwabueze Ekene Precious <[redacted]@gmail.com>
Subject: Work-Study Opportunity

The service of a student is urgently required to work part-time as a student assistant and get paid $250 weekly. Tasks will be done remotely and work time is 8 hours/week. To apply, kindly submit your resume and a Google chat email address to the Department of Geography via this email address to proceed.

Sincerely
D***********
Professor
Department of Geography
Office: [redacted]

Please find the attached

Just because a message appears to come from within UVic doesn’t necessarily mean it actually did. This example actually came from an external source but spoofs a UVic sender address.

Always be wary of unsolicited or unexpected emails that contain attachments since the attached file may contain malware, as is the case with this email’s ZIP attachment. The brief, vague message body that gives no indication of what the supposed documents are about is an additional red flag. If you clicked on the attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Vague email with a spoofed UVic sender that contains a malware-laced ZIP attachment

From: *******@uvic.ca
Subject: Please find the attached

Attachment: [ZIP file] Docs.zip (3 KB)

Please find the attached documents.

Thanks.
Khelmer

You have got an urgent message from The University of Victoria

This targeted phishing email takes the unusual step of asking you to send a text message to a phone number. Trying to quickly shift to a different communication method is often a red flag; phishers (and scammers) do this to move the conversation to a place that UVic can’t monitor. Real UVic communications will never ask you to send a text message to upgrade/keep/secure your account, and the fact that the phisher is using a phone number with a New York City area code is a further sign that the email is not legitimate.

Other red flags include:

  • The email was sent from a Gmail account. Note how the email system has added a warning that you don’t often get email from this address; this can be a sign that the sender is not someone you know already and may not be trustworthy.
  • The greeting is impersonal.
  • The email threatens you with an adverse impact to try and get you to act hastily.
  • There are a few grammatical errors and awkward wording choices.

If you texted the phone number in the email, disregard any instructions in any replies you receive and block the phisher’s phone number. You will also need to keep an eye out for future attempts to phish or scam you via SMS or phone calls as your phone number would now be in the hands of someone malicious.

Spear phishing email claiming to be from UVic when it actually came from a Gmail address. Instead of including a link, it asks you to text an American phone number.

From: ke*****1280@gmail.com on behalf of University of Victoria <g1*****+UniversityofVictoria@gmail.com>
Subject: You have got an urgent message from The University of Victoria

[You don’t often get email from g1*****+universityofvictoria@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification]

Dear User,
This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send your “UV-UPGRADE” to (646) ***-****

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.
Please accept our apologies for any inconvenience this may cause.

Regards
System Administrator
University of Victoria

Please confirm receipt..

Always be extremely wary if you get an unsolicited email with a ZIP attachment, especially if the sender address isn’t one that you recognize. There’s a good chance the attachment contains malware, and that holds true for this example. The vagueness of the message and poor grammar are also red flags.

Do not click on the attachment–if you did, contact the Computer Help Desk or your department’s IT support person immediately! Also, do not forward these sorts of emails, even if your intent is to warn others, because forwarding the message inline will leave the attachment exposed where someone else can mistakenly click on it (it’s safer to send a screenshot instead).

Malicious email containing a malware-laced ZIP attachment.

From: ga******@******group.com
Subject: Please confirm receipt..

Attachment: [ZIP file] 87645345.zip (4 KB)

Hello,

Please acknowledge upon receipt of my today payment.
via (e-transfer)

Thanks

Irene Cordero.

Uvic Mandatory Multi-factor Authenticator

While it’s true that we are requiring everyone to enrol in UVic MFA, this email is not legitimate and is a case of quishing (QR code phishing). Here are the signs that this email is fraudulent and the QR code is not safe to scan:

  • Although the sender name mentions UVic, the email actually came from an external email address.
  • UVic is capitalized incorrectly and there are some wording errors in the message.
  • The email instills a sense of urgency by threatening expiry within a very short period of time, which is an attempt to trick you into acting hastily. Genuine emails of this nature will usually give you multiple notices well in advance of the deadline.
  • The email contains a QR code. Legitimate QR codes for MFA setup will never be sent by email. If a QR code is in an email, it’s usually because the scammer is using it to disguise a malicious link.

First half of MFA-themed quishing email - includes external sender and urgent language

Second half of MFA-themed quishing email - contains a malicious QR code that should not be scanned


From: Noreply_Uvic <greatfoob@grumpy******.ca>
Subject: Uvic Mandatory Multi-factor Authenticator
This message was sent with high importance.

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Microsoft Authenticator icon]

Microsoft 365 sign-in for multi-factor authentication

  • The multi-factor authentication for is set to expire within 24 hours.
  • Scan the barcode below to reauthenticate your multi-factor authentication within 24 hours and stay connected to Microsoft 365 apps and services.

[Malicious QR code]

Contact Microsoft help desk if you have any questions.

This email was sent from an unmonitored mailbox.
You are receiving this email because you have subscribed to Microsoft Office 365.
Privacy Statement
Microsoft Corporation, One Microsoft Way, WA 98052 USA
Microsoft

STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of

Don’t sleep on this!

In these days when the cost of living is so high, the prospect of getting generous pay for part-time work would be appealing, but scammers are well aware of that and trying to take advantage. The following job scam claims to offer an opportunity with the UN World Food Programme, but in reality the email was sent from a compromised account at another Canadian university.

A major red flag is that the email asks you to reply to a Gmail address. A real UN job offer would not ask you to contact an email address from a free email provider like Gmail, Hotmail/Outlook or Yahoo. Also, the fact that the email contains grammatical errors is another sign that the offer is not legitimate.

Remember, if you receive a job offer out of the blue and it offers a generous salary for a minimal amount of casual part-time work, in all likelihood it is a scam. In general, if an offer sounds too good to be true, it probably is. If you replied to this email, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Job scam email pretending to be from the UN World Food Programme

From: [redacted]
Subject: Don’t sleep on this!

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

I am sharing job opportunity information to anyone who might be interested in a World food programme Part-Time job with a weekly pay of $600.00. If interested, kindly contact Dr. Mattias on his email address.

(k*****02@gmail.com) for details of employment.

N.B, this is strictly a work from home position.

Remote Flexible Job

Job scams that pretend to be from the Red Cross seem to be becoming more common. As with many other job scams that we’ve seen before, the scammer tempts people with a generous salary for a minimal amount of work. If a job offer arrives unsolicited and the compensation is too good to be true, you can be sure it’s a scam.

Other red flags that indicate that the offer is fake:

  • The email was sent from an address that does not belong to the Red Cross. A legitimate email from the Canadian Red Cross would come from a redcross.ca email address.
  • The message contains multiple grammatical errors.
  • You are asked to reply from your personal email–this is a trick to move the conversation off UVic email to evade detection.
  • Replies are to be sent to a different address from a Red Cross lookalike domain.
  • The confidentiality notice is not from the Red Cross.

If you replied to this email, cease contact with the scammer and reach out to the Computer Help Desk immediately for assistance.

Job scam email that pretends to be from the Red Cross


Subject: Remote Flexible Job
From: [redacted] <********@iconpln.co.id>

Distribution Assistant is vacant at the National Red Cross with a weekly pay of $500. 3 hrs. per day, 3 times a week is required for purchasing of online items and delivering them to foster/disable homes in your local community. To apply, send cv/application to Mammen at jobs@arc-******.com with your personal email.

NRC


This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

REMINDER: Benefits Open Enrollment 2024. Review & Sign

HR or payroll-themed lures are commonly used for phishing emails. While this email claims to be from a UVic system, notice how the capitalization of UVic in the sender name is incorrect and the actual sender address is from outside of UVic. Both are red flags that indicate that this is a phishing email; a genuine UVic Payroll or HR email should be coming from a UVic email address. Another bad sign is the fact that there is nothing in the message body except for a disclaimer and confidentiality notice that mentions some other external organization but not UVic.

This email also contains a .htm attachment. Do not open unsolicited or unexpected attachments whose names end in .htm or .html. These files are webpages, meaning that they could contain code that downloads malicious content or that redirects you to a malicious site. UVic InfoSec used a special secure environment to examine this file’s contents and found that it contains code to redirect you to a malicious site after a few seconds’ delay. If you opened the attachment, reach out to the Computer Help Desk or your department’s IT support staff for assistance.
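
One way to look for this kind of delayed redirect without opening the file in a browser, as an added example (not the tool UVic InfoSec used): the script reads the attachment as text and reports meta-refresh and script-based navigations together with their delay. The sample files, file names and host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# content="3; url=https://..." on a <meta http-equiv="refresh"> tag
META_RE = re.compile(r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)
# location = "...", location.href = "...", location.replace("...") / assign("...")
JS_NAV_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)
# setTimeout(<callback>, <milliseconds>)
JS_DELAY_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.IGNORECASE | re.DOTALL)


class _RedirectFinder(HTMLParser):
    """Collects (kind, delay in seconds, target URL) without rendering the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_RE.match(a.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", float(m.group(1)), m.group(2).strip()))
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            code = "".join(self._script)
            delay = JS_DELAY_RE.search(code)
            secs = int(delay.group(1)) / 1000 if delay else 0.0
            for m in JS_NAV_RE.finditer(code):
                self.findings.append(("script-navigation", secs, m.group(1) or m.group(2)))


def scan_html_attachment(filename, html):
    """Return redirect findings for a .htm/.html attachment.

    Static patterns miss obfuscated scripts, so an empty list is not proof
    that the file is harmless.
    """
    if not filename.lower().endswith((".htm", ".html")):
        return []
    finder = _RedirectFinder()
    finder.feed(html)
    finder.close()
    return [
        {"kind": kind, "delay_s": delay, "host": urlparse(target).hostname, "target": target}
        for kind, delay, target in finder.findings
    ]


# Constructed samples; example.invalid never resolves.
SAMPLE_META = (
    '<html><head><meta http-equiv="refresh" '
    'content="3; url=https://login.example.invalid/x"></head>'
    "<body>Loading your document...</body></html>"
)
SAMPLE_JS = """<html><body>Please wait...
<script>
  setTimeout(function () { window.location.href = "https://portal.example.invalid/signin"; }, 4000);
</script></body></html>"""
SAMPLE_BENIGN = (
    "<html><body><p>Meeting notes</p>"
    '<script>console.log("location of the meeting");</script></body></html>'
)

if __name__ == "__main__":
    for label, doc in (("meta", SAMPLE_META), ("js", SAMPLE_JS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html_attachment("enrollment.htm", doc))
```
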

Phishing email claiming to be benefits enrollment paperwork but that actually contains a malicious .htm attachment.

Subject: REMINDER: Benefits Open Enrollment 2024. Review & Sign
From: Uvic e-Service System <okita@****okita.com>
This message was sent with high importance.
Attachment: [webpage file] Open Enrollment 2024.htm (1018 bytes)

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Disclaimer: Confidentiality Notice: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the originator of the message. Any views expressed in this message are those of the individual sender, except where the sender specifies and, with authority, states them to be the views of A********x

Remote Job Opening

Job scammers are once again trying to take advantage of students who are in need of money to pay for tuition and necessities in these tough economic times. As in previous batches that we have seen and written about, the scammers impersonate a real UVic professor to make the job offer look legitimate. The red flags are the same as before:

  • The email comes from a Gmail address. Emails about real UVic job offers should come from a UVic email address.
  • The name in the sender information does not match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of an impersonation scam.
  • The salary offered is too good to be true. $50/hour is more than triple the minimum wage in BC and a part-time student job is not realistically going to offer pay that high.
  • The email requests your Google Chat email. Scammers often request alternative contact information to move the conversation away from UVic’s defences and monitoring.

Therefore, do not reply to the email with your information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance.

Subject: Remote Job Opening
From: Emily Rauscher <*****emilyap5@gmail.com>

The service of a student/graduate student  is urgently required to work part-time as a research assistant and get paid $450 weekly. Tasks will be carried out remotely from home and work time is 9 hours/week.

If interested, submit a copy of your updated resume and functional google chat email address to our Department of Psychology via this email to proceed.

Sincerely
[name redacted]
Assistant Teaching Professor
Psychology
Office: COR A***

Email thread hijacking (replies to old legitimate emails with malicious links or attachments)

If someone you know (or at least had previously written to) had their mailbox compromised, the malicious actor who compromised it may try to target you by taking an old legitimate email thread and sending a new reply with either a malicious link or attachment. This trick is called thread hijacking and attackers use it to make their phishing attempt look more legitimate.

Thread hijacking cases often link to malware, so be extra careful around links or attachments until you’re able to confirm they’re safe. Be wary of unexpected replies to email threads that are very old or replies whose contents don’t seem to match the context of the original email. If the reply seems off to you in any way, don’t click on any links or attachments until you can check with the person through a different contact channel that you know is safe (e.g.: phone, video call or asking in person).

It can also be helpful to check the sender address for the reply. If it is unfamiliar or doesn’t match an email address that you already have for the person you had written to, the email is almost certainly a thread hijacking case.
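
The sender checks described above can be automated for triage. The following added example (not UVic's own tooling) flags a reply whose sender address differs from the one on file for that person, whose display name claims UVic while the address is external, that comes from a free email provider, or that answers a thread older than an assumed 180-day cut-off. The contact list, the cut-off and the sample messages are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "uvic.ca"
ORG_NAMES = ("uvic", "university of victoria")
FREEMAIL = {"gmail.com", "aol.com", "outlook.com", "hotmail.com", "yahoo.com"}
STALE_DAYS = 180  # assumed cut-off for a "very old" thread
# Quoted-header line that mail clients put above the original message,
# e.g. "Sent: September 28, 2021 10:33 AM"
SENT_RE = re.compile(r"^Sent:\s*([A-Z][a-z]+ \d{1,2}, \d{4})", re.MULTILINE)


def triage(raw, known_contacts):
    """Return a sorted list of red-flag names for one raw message.

    known_contacts maps a lower-cased person name to the address on file.
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    flags = set()

    internal = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    if not internal and any(n in name for n in ORG_NAMES):
        flags.add("display_name_claims_uvic_but_external")
    if domain in FREEMAIL:
        flags.add("freemail_sender")
    for person, on_file in known_contacts.items():
        if person in name and addr != on_file.lower():
            flags.add("address_differs_from_known_contact")

    # Compare the reply's Date header with the date of the quoted original.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    quoted = SENT_RE.search(body)
    if msg["Date"] and quoted:
        try:
            original = datetime.strptime(quoted.group(1), "%B %d, %Y")
            replied = parsedate_to_datetime(str(msg["Date"]))
        except (TypeError, ValueError):
            return sorted(flags)  # unparseable dates: keep the other flags
        original = original.replace(tzinfo=timezone.utc)
        if replied.tzinfo is None:
            replied = replied.replace(tzinfo=timezone.utc)
        if (replied - original).days > STALE_DAYS:
            flags.add("reply_to_stale_thread")
    return sorted(flags)


# Constructed sample data (not taken from real mail).
CONTACTS = {"jordan lee": "jlee@uvic.ca"}

HIJACKED_REPLY = """\
From: "Jordan Lee / UVic" <jlee@mailer.example.net>
To: student@uvic.ca
Subject: FW: Bursary application forms
Date: Tue, 03 Oct 2023 09:15:00 -0700

Hi there,
Please review some latest documents for your department project:
https://files.example.invalid/doc

From: Jordan Lee
Sent: September 28, 2021 10:33 AM
Subject: Bursary application forms

Students should return completed forms by November 1, 2021.
"""

FREEMAIL_OFFER = """\
From: Sam Example <sam.example@gmail.com>
To: student@uvic.ca
Subject: Work-Study Opportunity
Date: Mon, 02 Oct 2023 08:00:00 -0700

The service of a student is urgently required to work part-time.
"""

GENUINE = """\
From: Jordan Lee <jlee@uvic.ca>
To: student@uvic.ca
Subject: Bursary application forms
Date: Tue, 28 Sep 2021 10:33:00 -0700

Application forms are attached.
"""

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED_REPLY), ("offer", FREEMAIL_OFFER), ("genuine", GENUINE)):
        print(label, triage(raw, CONTACTS))
```

An empty result does not clear a message: mail sent from a compromised account or with a spoofed sender address passes these header checks.
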

Email thread hijacking example: a malicious actor has replied to an old legitimate email with a malicious link.

Subject: [EXT] [****-ugrad-dept-****] FW: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022
From: [redacted] Administrative Officer / UVic <EEmard@irorica*****.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hi there,

Please review some latest documents for your department project:

https://outlet******.cl/met/?76539721

If you’ll have any questions, Please contact me.

From: [faculty redacted] Deans Assistant
Sent: September 28, 2021 10:33 AM
To: [redacted]
Cc: [redacted]
Subject: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022

This year, 13 bursaries of $1,500 each will be awarded to exceptional students in the Faculty of [redacted]. Students should be advised to return completed forms to the Office of the Dean by November 1, 2021.

TERMS OF REFERENCE:

Achievement Bursaries recognize undergraduate students who have demonstrated outstanding commitment to the pursuit of excellence in their endeavors. [Redacted] and other areas where individual expression becomes public are recognised through these bursaries. Recipients must have demonstrated financial need and a minimum 3.5 sessional grade point average for students continuing at UVic, or a 70% admission average for students commencing post-secondary studies for the first time.

University officers will distribute application forms to prospective students, who will complete and return them to the Office of the Dean, Faculty of [redacted] by the deadline.

Document shared with you: “FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx” or “Fall 2023 Key Dates, Fees & Registration Updates.docx”

Even if a document sharing email came from a legitimate service like Google Docs or Microsoft 365, you should still look at it carefully to make sure it’s legitimate. In this case, the phisher abused a compromised account from another university’s Google tenant to send a Google Docs phish. The phisher even used a UVic professor’s name to make the email look more legitimate.

Phishes like these can be trickier to spot, but as a start, be wary of document sharing emails that you weren’t expecting, especially if they don’t come from someone you know. If you spot a mismatch between who sent the file and who the email says the file is supposed to be from, that can often be a sign that it’s not legitimate. Similarly, if the file is supposed to be from within UVic but it was sent by someone outside of UVic, the email is very likely to be a phish.

Google Docs phish that came from outside UVic but claims to be a file from a UVic professor

From: K***** (via Google Docs) <drive-shares-dm-noreply@google.com>
Subject: Document shared with you: “FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx”

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

K***** shared a document

Unknown profile photo

K***** has invited you to edit the following document:

Dr. L****** shared a file with you.

FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx

Open [link]

If you don’t want to receive files from this person, block the sender from Drive.

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
You have received this email because [redacted] shared a document with you from Google Docs. [Google logo]

09/04/2023

Even if an email came from within UVic, you should still examine it to evaluate whether it’s actually legitimate before you click on any links or attachments. In this case, a job scammer used a compromised UVic account to send out the fraudulent job offer below.

The email includes the following indicators that the offer is not legitimate:

  • Errors in grammar and capitalization
  • A generic signature that does not mention UVic, or give a specific contact person at either UVic or UNICEF
  • Instructions to contact somebody else using your “alternative email address” (i.e.: your non-UVic email address) – the scammer does this to move the conversation away from UVic email to evade detection
  • The weekly salary offered is quite generous and probably too good to be true, especially if it’s for a small number of hours per week doing simple tasks

Other red flags that are signs of a job scam:

  • You are told to reply to an email address from a free email provider like Gmail, Outlook, Hotmail or Yahoo
  • No interview is required to get the job
  • You do not get to meet your employer/supervisor virtually or in person before getting the job

Do not open the attachment or send a reply. If you did, reach out to the Computer Help Desk for assistance.

Job scam email pretending to be a work-from-home part-time job opportunity with UNICEF

Subject: 09/04/2023

Attachment: [Word document] UNICEF – Work from Home Ca.docx

To whom it may concern,

I am sharing a Job Information to students who might be interested in a Paid UNICEF Part-Time Job to make up to $500 CAD Weekly

Attached is further information about the employment schedule, if interested kindly contact Dr Nicholas Hoffman with your alternative email address for urgent details of employment

NOTE: THIS IS STRICTLY A WORK FROM HOME POSITION.

Regards,
Academy Career Opportunity

“Research Assistants Needed” or “Job Opening For Research”

Job scammers are once again impersonating real UVic professors when they offer fake research job positions. The red flags that indicate this offer is not legitimate are the usual ones:

  • The emails come from Gmail addresses. A legitimate UVic job offer should be announced from a UVic email address.
  • The salary offered is too good to be true given the very small number of hours per week to be worked.
  • The email contains errors in punctuation, spacing and capitalization.
  • In some cases, the name of the sender may differ from the professor mentioned in the email. Inconsistencies like this can be a sign that something is not right about the email.

Do not reply to these emails with your information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance.

First half of a job scam email from a Gmail address that impersonates a real UVic psychology professor

Second half of a job scam email from a Gmail address that impersonates a real UVic psychology professor

Subject: Research Assistants Needed
From: [professor name] <*******@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University Of Victoria , Department of Psychology requires the services of Graduate and Undergraduate students to assist with research projects on campus. The successful candidates will work closely with our research team to support ongoing data collection, and analysis . They are to work remotely and get paid $400 weekly.

Responsibilities:

Assist with the design and implementation of research projects on campus
Conduct literature reviews and summarize key findings
Collect and analyze data using appropriate statistical methods
Prepare and present findings to the research team
Perform administrative duties such as scheduling, data entry, and record keeping
Assist with writing research reports and manuscripts for publication
Recruit participants and conduct research studies
Qualifications:

Excellent organizational and time management skills
Strong attention to detail
Availability to work on campus or remotely
Proficient in Microsoft Office (Word, Excel, PowerPoint)
This is a part-time position with a flexible schedule, and the successful candidate will work approximately 7 hours per week. The position offers valuable research experience, and the opportunity to work with a dynamic and collaborative research team on campus.

To proceed with the application process and other eligibility descriptions, submit your resume for review.

Best regards,

[Redacted]

Position
Professor
Psychology
Contact
Office: COR ****

Your Ultramar invoice is now available to view

Fake invoices are a common theme for PDF phishing. Be wary if you receive an invoice email that you weren’t expecting, especially if it comes from a company that you don’t have any dealings with. This fake invoice email is relatively well-written, but there are a couple of signs that the attachment isn’t legitimate:

  • The email contains no personalized greeting; this can be a sign of a mass email sent to many recipients, when legitimate invoices are something that are supposed to be individualized.
  • The email is unusually vague and doesn’t give any information about the supposed invoice; it just tells you to look at the attachment. Usually a legitimate invoice or receipt email will mention some basic information about the transaction, such as the total amount or perhaps the billing/order date.

The red flags above are a sign that you shouldn’t open the attachment. InfoSec examined the contents using a secure tool and found that it contains a blurred out picture of an invoice, overlaid with a box that says, “View Protected Document”. If a PDF tells you to click to view protected content, that is a sure sign the PDF is malicious. If you did open the PDF, reach out to your department’s IT support contact immediately for assistance, especially if you clicked on “View Protected Document”.

Fake invoice email directing you to click on a malicious PDF attachment for details

From: Ultramar <support@cobills.com>
Subject: Your Ultramar invoice is now available to view/Votre facture Ultramar est maintenant disponible à la consultation

Attachment: Invoice3421.pdf

Thank you for choosing Ultramar as your product and service provider. We appreciate your business! We would like to remind you that e-Bill is our environmentally friendly billing option.
Please do not reply to this email.
If you have any questions, please see the attached statement for Ultramar contact information.

Merci d’avoir choisi Ultramar comme fournisseur de produits et services. Nous apprécions votre entreprise ! Nous vous rappelons que l’e-Bill est notre option de facturation écologique.
Veuillez ne pas répondre à cet e-mail.
Si vous avez des question, veuillez consulter la déclaration ci-jointe pour les coordonnées d’Ultramar.