REMINDER: Benefits Open Enrollment 2024. Review & Sign

HR or payroll-themed lures are commonly used for phishing emails. While this email claims to be from a UVic system, notice how the capitalization of UVic in the sender name is incorrect and the actual sender address is from outside of UVic. Both are red flags that indicate that this is a phishing email; a genuine UVic Payroll or HR email should be coming from a UVic email address. Another bad sign is the fact that there is nothing in the message body except for a disclaimer and confidentiality notice that mentions some other external organization but not UVic.

This email also contains a .htm attachment. Do not open unsolicited or unexpected attachments whose names end in .htm or .html. These files are webpages, meaning that they could contain code that downloads malicious content or that redirects you to a malicious site. UVic InfoSec used a special secure environment to examine this file’s contents and found that it contains code to redirect you to a malicious site after a few seconds’ delay. If you opened the attachment, reach out to the Computer Help Desk or your department’s IT support staff for assistance.
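For IT support staff who need to triage a reported .htm attachment, the following added example (not UVic InfoSec's tooling, and not part of the original post) reads the file as text only and reports redirect code without rendering or fetching anything. The post does not say how the delayed redirect was implemented, so the two mechanisms checked here (a `meta` refresh and a script timer that sets `location`) are assumptions, and the sample files and `.invalid` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

Q, NQ = "[\"']", "[^\"']"  # a quote character / any non-quote character
# content="4; url=https://..." on <meta http-equiv="refresh">
META_REFRESH = re.compile(
    r"\s*(\d+(?:\.\d+)?)\s*[;,]?\s*(?:url\s*=\s*)?" + Q + "?(" + NQ + "*)", re.I
)
# location = "...", location.href = "...", location.replace("...") / assign("...")
JS_NAV = re.compile(
    r"\blocation(?:\.href)?\s*=\s*" + Q + "(" + NQ + "+)" + Q
    + r"|\blocation\.(?:replace|assign)\(\s*" + Q + "(" + NQ + "+)" + Q,
    re.I,
)
JS_TIMER = re.compile(r"\bset(?:Timeout|Interval)\s*\(", re.I)


class RedirectFinder(HTMLParser):
    """Collects redirect instructions from markup; script text is matched, never run."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []      # tuples of (kind, delay_seconds_or_None, url)
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH.match(a.get("content", ""))
            if m and m.group(2).strip():
                self.findings.append(("meta-refresh", float(m.group(1)), m.group(2).strip()))
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            code = "".join(self._script)
            kind = "js-delayed" if JS_TIMER.search(code) else "js-immediate"
            for m in JS_NAV.finditer(code):
                self.findings.append((kind, None, m.group(1) or m.group(2)))


def triage_html_attachment(html_text, trusted_domain="uvic.ca"):
    """Return one dict per redirect found, noting whether it leaves trusted_domain."""
    finder = RedirectFinder()
    finder.feed(html_text)
    finder.close()
    results = []
    for kind, delay, url in finder.findings:
        host = (urlsplit(url).hostname or "").lower()
        on_trusted = host == trusted_domain or host.endswith("." + trusted_domain)
        results.append(
            {"kind": kind, "delay_s": delay, "target_host": host, "external": not on_trusted}
        )
    return results


# Constructed samples; they are not the contents of the attachment described above.
SAMPLE_JS = """<html><head><title>Open Enrollment 2024</title></head>
<body><p>Loading document...</p>
<script>
  setTimeout(function () { window.location.href = "https://login.example.invalid/portal"; }, 3000);
</script></body></html>"""

SAMPLE_META = """<html><head>
<meta http-equiv="refresh" content="4; url=https://files.example.invalid/view">
</head><body>Please wait</body></html>"""

if __name__ == "__main__":
    for name, text in (("SAMPLE_JS", SAMPLE_JS), ("SAMPLE_META", SAMPLE_META)):
        for finding in triage_html_attachment(text):
            print(name, finding)
```

An empty result is not a clean verdict: script that assembles its destination from encoded or concatenated pieces will not match these patterns, so such files still belong in an isolated analysis environment.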

Phishing email claiming to be benefits enrollment paperwork but that actually contains a malicious .htm attachment.

Subject: REMINDER: Benefits Open Enrollment 2024. Review & Sign
From: Uvic e-Service System <okita@****okita.com>
This message was sent with high importance.
Attachment: [webpage file] Open Enrollment 2024.htm (1018 bytes)

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Disclaimer: Confidentiality Notice: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the originator of the message. Any views expressed in this message are those of the individual sender, except where the sender specifies and, with authority, states them to be the views of A********x

Remote Job Opening

Job scammers are once again trying to take advantage of students who are in need of money to pay for tuition and necessities in these tough economic times. As in previous batches that we have seen and written about, the scammers impersonate a real UVic professor to make the job offer look legitimate. The red flags are the same as before:

  • The email comes from a Gmail address. Emails about real UVic job offers should come from a UVic email address.
  • The name in the sender information does not match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of an impersonation scam.
  • The salary offered is too good to be true. $50/hour is more than triple the minimum wage in BC and a part-time student job is not realistically going to offer pay that high.
  • The email requests your Google Chat email. Scammers often request alternative contact information to move the conversation away from UVic’s defences and monitoring.

Therefore, do not reply to the email with your information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance.

Subject: Remote Job Opening
From: Emily Rauscher <*****emilyap5@gmail.com>

The service of a student/graduate student  is urgently required to work part-time as a research assistant and get paid $450 weekly. Tasks will be carried out remotely from home and work time is 9 hours/week.

If interested, submit a copy of your updated resume and functional google chat email address to our Department of Psychology via this email to proceed.

Sincerely
[name redacted]
Assistant Teaching Professor
Psychology
Office: COR A***

Email thread hijacking (replies to old legitimate emails with malicious links or attachments)

If someone you know (or at least had previously written to) had their mailbox compromised, the malicious actor who compromised it may try to target you by taking an old legitimate email thread and sending a new reply with either a malicious link or attachment. This trick is called thread hijacking and attackers use it to make their phishing attempt look more legitimate.

Thread hijacking cases often link to malware, so be extra careful around links or attachments until you’re able to confirm they’re safe. Be wary of unexpected replies to email threads that are very old or replies whose contents don’t seem to match the context of the original email. If the reply seems off to you in any way, don’t click on any links or attachments until you can check with the person through a different contact channel that you know is safe (e.g.: phone, video call or asking in person).

It can also be helpful to check the sender address for the reply. If it is unfamiliar or doesn’t match an email address that you already have for the person you had written to, the email is almost certainly a thread hijacking case.

Email thread hijacking example: a malicious actor has replied to an old legitimate email with a malicious link.

Subject: [EXT] [****-ugrad-dept-****] FW: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022
From: [redacted] Administrative Officer / UVic <EEmard@irorica*****.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hi there,

Please review some latest documents for your department project:

https://outlet******.cl/met/?76539721

If you’ll have any questions, Please contact me.

From: [faculty redacted] Deans Assistant
Sent: September 28, 2021 10:33 AM
To: [redacted]
Cc: [redacted]
Subject: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022

This year, 13 bursaries of $1,500 each will be awarded to exceptional students in the Faculty of [redacted]. Students should be advised to return completed forms to the Office of the Dean by November 1, 2021.

TERMS OF REFERENCE:

Achievement Bursaries recognize undergraduate students who have demonstrated outstanding commitment to the pursuit of excellence in their endeavors. [Redacted] and other areas where individual expression becomes public are recognised through these bursaries. Recipients must have demonstrated financial need and a minimum 3.5 sessional grade point average for students continuing at UVic, or a 70% admission average for students commencing post-secondary studies for the first time.

University officers will distribute application forms to prospective students, who will complete and return them to the Office of the Dean, Faculty of [redacted] by the deadline.

Document shared with you: “FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx” or “Fall 2023 Key Dates, Fees & Registration Updates.docx”

Even if a document sharing email came from a legitimate service like Google Docs or Microsoft 365, you should still look at it carefully to make sure it’s legitimate. In this case, the phisher abused a compromised account from another university’s Google tenant to send a Google Docs phish. The phisher even used a UVic professor’s name to make the email look more legitimate.

Phishes like these can be trickier to spot, but as a start, be wary of document sharing emails that you weren’t expecting, especially if they don’t come from someone you know. If you spot a mismatch between who sent the file and who the email says the file is supposed to be from, that can often be a sign that it’s not legitimate. Similarly, if the file is supposed to be from within UVic but it was sent by someone outside of UVic, the email is very likely to be a phish.

Google Docs phish that came from outside UVic but claims to be a file from a UVic professor

From: K***** (via Google Docs) <drive-shares-dm-noreply@google.com>
Subject: Document shared with you: “FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx”

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

K***** shared a document

Unknown profile photo

K***** has invited you to edit the following document:

Dr. L****** shared a file with you.

FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx

Open [link]

If you don’t want to receive files from this person, block the sender from Drive.

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
You have received this email because [redacted] shared a document with you from Google Docs. [Google logo]

09/04/2023

Even if an email came from within UVic, you should still examine it to evaluate whether it’s actually legitimate before you click on any links or attachments. In this case, a job scammer used a compromised UVic account to send out the fraudulent job offer below.

The email includes the following indicators that the offer is not legitimate:

  • Errors in grammar and capitalization
  • A generic signature that does not mention UVic, or give a specific contact person at either UVic or UNICEF
  • Instructions to contact somebody else using your “alternative email address” (i.e.: your non-UVic email address) – the scammer does this to move the conversation away from UVic email to evade detection
  • The weekly salary offered is quite generous and probably too good to be true, especially if it’s for a small number of hours per week doing simple tasks

Other red flags that are signs of a job scam:

  • You are told to reply to an email address from a free email provider like Gmail, Outlook, Hotmail or Yahoo
  • No interview is required to get the job
  • You do not get to meet your employer/supervisor virtually or in person before getting the job

Do not open the attachment or send a reply. If you did, reach out to the Computer Help Desk for assistance.

Job scam email pretending to be a work-from-home part-time job opportunity with UNICEF

Subject: 09/04/2023

Attachment: [Word document] UNICEF – Work from Home Ca.docx

To whom it may concern,

I am sharing a Job Information to students who might be interested in a Paid UNICEF Part-Time Job to make up to $500 CAD Weekly

Attached is further information about the employment schedule, if interested kindly contact Dr Nicholas Hoffman with your alternative email address for urgent details of employment

NOTE: THIS IS STRICTLY A WORK FROM HOME POSITION.

Regards,
Academy Career Opportunity

“Research Assistants Needed” or “Job Opening For Research”

Job scammers are once again impersonating real UVic professors when they offer fake research job positions. The red flags that indicate this offer is not legitimate are the usual ones:

  • The emails come from Gmail addresses. A legitimate UVic job offer should be announced from a UVic email address.
  • The salary offered is too good to be true given the very small number of hours per week to be worked.
  • The email contains errors in punctuation, spacing and capitalization.
  • In some cases, the name of the sender may differ from the professor mentioned in the email. Inconsistencies like this can be a sign that something is not right about the email.

Do not reply to these emails with your information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance.

First half of a job scam email from a Gmail address that impersonates a real UVic psychology professor

Second half of a job scam email from a Gmail address that impersonates a real UVic psychology professor

Subject: Research Assistants Needed
From: [professor name] <*******@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University Of Victoria , Department of Psychology requires the services of Graduate and Undergraduate students to assist with research projects on campus. The successful candidates will work closely with our research team to support ongoing data collection, and analysis . They are to work remotely and get paid $400 weekly.

Responsibilities:

Assist with the design and implementation of research projects on campus
Conduct literature reviews and summarize key findings
Collect and analyze data using appropriate statistical methods
Prepare and present findings to the research team
Perform administrative duties such as scheduling, data entry, and record keeping
Assist with writing research reports and manuscripts for publication
Recruit participants and conduct research studies
Qualifications:

Excellent organizational and time management skills
Strong attention to detail
Availability to work on campus or remotely
Proficient in Microsoft Office (Word, Excel, PowerPoint)
This is a part-time position with a flexible schedule, and the successful candidate will work approximately 7 hours per week. The position offers valuable research experience, and the opportunity to work with a dynamic and collaborative research team on campus.

To proceed with the application process and other eligibility descriptions, submit your resume for review.

Best regards,

[Redacted]

Position
Professor
Psychology
Contact
Office: COR ****

Your Ultramar invoice is now available to view

Fake invoices are a common theme for PDF phishing. Be wary if you receive an invoice email that you weren’t expecting, especially if it comes from a company that you don’t have any dealings with. This fake invoice email is relatively well-written, but there are a couple of signs that the attachment isn’t legitimate:

  • The email contains no personalized greeting; this can be a sign of a mass email sent to many recipients, whereas legitimate invoices are supposed to be individualized.
  • The email is unusually vague and doesn’t give any information about the supposed invoice; it just tells you to look at the attachment. Usually a legitimate invoice or receipt email will mention some basic information about the transaction, such as the total amount or perhaps the billing/order date.

The red flags above are a sign that you shouldn’t open the attachment. InfoSec examined the contents using a secure tool and found that it contains a blurred out picture of an invoice, overlaid with a box that says, “View Protected Document”. If a PDF tells you to click to view protected content, that is a sure sign the PDF is malicious. If you did open the PDF, reach out to your department’s IT support contact immediately for assistance, especially if you clicked on “View Protected Document”.

Fake invoice email directing you to click on a malicious PDF attachment for details

From: Ultramar <support@cobills.com>
Subject: Your Ultramar invoice is now available to view/Votre facture Ultramar est maintenant disponible à la consultation

Attachment: Invoice3421.pdf

Thank you for choosing Ultramar as your product and service provider. We appreciate your business! We would like to remind you that e-Bill is our environmentally friendly billing option.
Please do not reply to this email.
If you have any questions, please see the attached statement for Ultramar contact information.

Merci d’avoir choisi Ultramar comme fournisseur de produits et services. Nous apprécions votre entreprise ! Nous vous rappelons que l’e-Bill est notre option de facturation écologique.
Veuillez ne pas répondre à cet e-mail.
Si vous avez des question, veuillez consulter la déclaration ci-jointe pour les coordonnées d’Ultramar.

Salary Increase Notification Letter

Who wouldn’t like a sizable salary increase, especially in these times when the cost of living has gone up so much? But that’s precisely what phishers are trying to prey upon when they craft these fake salary increase emails. Thankfully, they left plenty of red flags that you can look for to determine this email is fake:

  • The email did not come from UVic–a real salary increase notice would come from a UVic email address.
  • The greeting is generic and impersonal.
  • The salary increase amount is too good to be true, especially since it’s not spread out over multiple years.
  • There are a lot of spelling and grammar errors in both the email and the file name.
  • The signature block is generic and doesn’t mention UVic.

All of those items are signs that you should not open the attachment, as it will either contain phish/scam content or malware.

InfoSec ran the file through some specialized tools to safely examine the content. The results showed the file simply says that the document is protected and that you have to click on a link to view the actual content online. If you open a file and see something like that, contact the Computer Help Desk or your department’s IT support staff immediately for assistance, as that’s a sign that the file is not legitimate.

A phishing email claiming to offer you a 16.89% salary increase and directing you to open a suspicious PDF attachment


Subject: Salary Increase Notification Letter
From: Payroll Department <[redacted]@********u.edu>

Attachment: [PDF icon] Salary-Increasment-July…    80 KB

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear All,

Sequel to last week notification, find enclosed here-under the letter summarizing your 16.89 percent salary increase starting 21 July 2023

All documents are enclosed here-under:

NOTE:  Your Access is needed to go through the salary increment letter, Initial Access is Salary

Payroll & Employee Relations

Job Title

If you get an unsolicited email with an attachment and you don’t recognize the sender, be extremely wary, especially if the message is very vague and only tells you to open the attachment. The vagueness is a ploy to try and get you to open the attachment out of curiosity. Don’t open such attachments! Many contain malware to infect your computer, and even ones that don’t are likely to either load a phishing site or contain a scam.

InfoSec staff use specialized tools to examine the contents in a secure manner. When we examined the attachment for this phishing email, it turned out to contain a job scam pretending to be someone from the World Health Organization. To quickly recap, here are the red flags that can help you identify the offer as a scam:

  • The pay is too good to be true–this one offered $500/week for only a few hours a week of simple tasks.
  • The sender does not match the name of the person supposedly offering the job.
  • You do not need to go through an interview or meet your supposed employer (either virtually or in person) before getting the job.
  • The email asks you to reply and/or provide contact information for a different communication method such as personal email, SMS or Google Chat. This is a common trick that scammers use to move the conversation to a place that cannot be monitored by UVic.

We have many other posts on job scams that are worth a read if you want to learn more about how to spot them.

Scam email with a vague message asking you to open a suspicious attachment called "Remote Job Details.docx"


Subject: Job Title
From: M******** Arrizki <m******arrizki@iconpln.co.id>

Attachment: [Word document icon] Remote Job Details.docx    23 KB

VIEW ATTACHED FILE FOR DETAILS


This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus (ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

Work Part-Time

Similar to cases we saw in May and June, job scammers are impersonating real UVic professors to make their fake offers look more legitimate. The red flags remain the same as before:

  • The emails are coming from Gmail addresses. A legitimate opportunity should be coming from a UVic email address.
  • The sender name does not match the name of the professor supposedly offering the opportunity. Inconsistencies like this are often a sign of a scam.
  • The salary offered is too good to be true, especially for a small amount of casual work to be done in your free time.
  • The email requests your contact information for a different communication method, in this case Google Chat. This is a trick to move the conversation to a place that can’t be monitored by UVic.

Do not reply to these offers–these scammers are usually trying to defraud you of money in one way or another. They may ask you to transfer money using your own funds (with a promise to reimburse you that will never materialize) or ask you to buy gift cards and send photographs of them. If they ask for personal information such as your driver’s licence or passport, do not provide it or you may be at risk of identity theft.

If you responded to the scammer, contact the Computer Help Desk for assistance, especially if you sent money or personal information. If you forwarded the email to other people, recall the message and warn the recipients as soon as possible.

Job scam coming from a Gmail account that impersonates a UVic professor from the Department of Economics.


From: Franka Arden <farden***@gmail.com>
Subject: Work Part-Time

The service of a Department Assistant is urgently required to work part-time 12hours/week and get paid $650 weekly. Tasks will be carried out remotely in your free days/time.
If interested, submit a copy of your updated resume and a functional google chat email address to our Department of Economics via this email address to proceed.

Sincerely
Dr. [redacted]
Associate Professor
Department of Economics
Office: BEC ***

Please

Gift card scammers impersonate people in positions of authority to try to make requests look legitimate and prey on people’s desire to be helpful. This example impersonates UVic President Kevin Hall, but other popular impersonation targets include VPs, faculty deans and directors.

Always pay attention to the sender address for emails that claim to be from someone in a position of authority. This one came from a Gmail address, which is a big sign that this email is not really from the president. A real email from the president or any other UVic authority figure would come from their UVic email address (although you still have to be wary in case that was spoofed).

Another bad sign is the fact that the scammer asks to continue the conversation via text messages and wants your phone number for that reason. Requesting your contact information in order to move the conversation to a different method is a common trick that scammers use to avoid detection. Finally, the errors in punctuation and capitalization and the overall vagueness of the message are also signs that this request is not legitimate.

If you replied with your cell phone number, ignore any text messages that come from the scammer and reach out to the Computer Help Desk or your department’s IT support contact for assistance. You will also need to be on the lookout for future phishing and scam attempts via phone or text message because your phone number is now in the hands of a scammer.

Gift card scammer using a Gmail address but claiming to be President Kevin Hall. The scammer is asking for your cell phone number to continue the conversation via text message to avoid detection.


From: Kevin Hall <d******compton0@gmail.com>
Subject: Please


Hello, Got a moment right now?, kindly text back with a number I can text you on.
Kevin Hall, PhD
President

[Someone] shared “FILE REVIEW 2023” with you

This phish is an actual SharePoint Online file sharing email, but that doesn’t mean the file it goes to is legitimate. Phishers are known to use compromised Microsoft 365 accounts at other organizations to create a phishing document. Rather than creating their own phishing email, they send out the phish by sharing that phishing document with the people they want to target. That can potentially make the phish harder to detect because the emails have the same look and feel as legitimate SharePoint Online file sharing emails.

Despite all that, there are still some red flags:

  • The message claims that the file is from the UVic president, but the file wasn’t shared by him or someone from the UVic President’s Office. Inconsistencies like this can often be a sign of a phish or scam.
  • The message is very vague. This may be a trick to make you curious and go to the file to find out what’s actually in it.
  • There is incorrect grammar and capitalization in the message.
  • At the bottom-right corner of the message, you’ll see a different university’s logo. This is a sign that the file did not come from within UVic’s Microsoft 365 tenant. An actual file from the UVic President should not be coming from a different university’s Microsoft 365 service.

A SharePoint Online file sharing email from a compromised account at another organization. It pretends to be a file from President Kevin Hall but actually goes to a phishing document.

From: E********** <noreply@sharepointonline.com>
Subject: E********** shared “FILE REVIEW 2023” with you.

E********** shared a file with you

FWD: President Kevin Hall you a file using one drive.

[Word document icon] FILE REVIEW 2023

This link will work for anyone.

Open

[Microsoft logo]
[Other university’s logo]

2023 Employee Assistance Program

Alas, scammers and phishers have no hesitation about taking advantage of events like the COVID-19 pandemic and preying on people who are in financial need. This phish does just that, using the lure of financial assistance to get people to click on the link. Look closely at the email and you will find a number of red flags that indicate that this is not a legitimate offer from UVic:

  • The sender is not from UVic.
  • The signature block is generic and does not mention UVic at all. It also contains an American city and zip code, which does not fit for a Canadian university.
  • Hovering over the link reveals a destination that is not on uvic.ca.

Therefore, do not click on the link from this email and do not enter login credentials on the page. Also, avoid rushing to approve MFA pushes when they come. If an MFA push is unexpected or it’s coming from a weird/unexpected location, it’s safest to deny the attempt, then report it as a suspicious login so that the UVic Information Security Office can investigate. You should also change your password as soon as possible.

Phishing email making a fraudulent offer of financial assistance to employees in light of the COVID-19 pandemic.


Subject: 2023 Employee Assistance Program
From: [redacted]@******xusa.com

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

I want to let you know about the 2023 Employee Assistance Program [EAP], which will be available to help employees and their families with financial assistance.

Most families have had trouble over the past few years because of the COVID-19 pandemic. The goal of the Employee Assistance Program[EAP] is to give workers and their families financial support up to $800.

New applications are being accepted for the Employee Assistance Program. Applications can be submitted via the 2023 Employee Assistance Program [link].

Sincerely,

EAP COVID-19 support team.
Los Angeles, CA 90032.

Email Security Gateway Update

It’s certainly ironic when phishers say something about an increase in spam emails and even say you should be careful when handling emails. That being said, it’s not an uncommon tactic; they do it to make you think it’s from your IT Security staff, hoping that you won’t apply that sense of caution to this particular email. They also create a false sense of urgency by requiring you to act before a fast-approaching deadline.

However, the sender address is not from UVic, which is a sign that the email is not legitimate. Hovering over the link (without clicking on it!) also reveals that the destination is not on uvic.ca. Do not click on the link from this email and do not enter login credentials on the page.

Also, avoid rushing to approve MFA pushes when they come. If an MFA push is unexpected or it’s coming from a weird/unexpected location, it’s safest to deny the attempt, then report it as a suspicious login so that the real UVic Information Security Office can investigate. You should also change your password as soon as possible.

Phishing email pretending to be a security alert and asking you to register for a new email security filter.


Subject: Email Security Gateway Update
From: [redacted] <[redacted]@******xusa.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

The amount of spam emails reaching email inboxes has increased recently, according to the IT department. We wish to warn you to open and respond to any email with caution.

All users must register for the new email security filter on or before June 17, 2023, to use it. To register, go to Barracuda Email Gateway  and log in with your details.

Kind Regards,

[redacted]

“UVIC STUDENT EMPLOYMENT” and similar job scam emails

Here is yet another job scam email impersonating a real UVic faculty member. This job scam uses a variety of different subject lines; other ones we’ve seen include:

  • UVIC STUDENT JOB
  • Part-time Student Job
  • Administrative Assistants Needed
  • Organizational Research

The red flags to look out for are pretty much the same as the ones we’ve seen in previous batches from earlier this month:

  • The emails come from Gmail addresses–a real UVic job opportunity should be coming from a UVic email address. Note: if the email appears to have been forwarded by someone at UVic, check to see who sent it to them in the first place, and be very wary if the original sender was using a Gmail or other freemail address.
  • The sender’s name may differ from the professor supposedly offering the position.
  • The salary offered is too good to be true, especially for a small number of hours of remote casual work. The scammer also can’t seem to get their own facts straight, as they give two different weekly amounts in the same email!
  • There are errors in capitalization, spacing and formatting, as well as odd/awkward wording.
  • The scammer asks you to reach them via SMS to shift the conversation to a place that UVic can’t monitor. Also, the phone number provided is not local; the 916 area code corresponds to Sacramento, California.

Do not engage with the scammer via email or SMS and do not forward these emails around. If you responded to the scam, contact the Computer Help Desk immediately for assistance, especially if you sent personal information or money.
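Several red flags repeated across these posts can be checked mechanically: a sender name that claims UVic on a non-UVic address, a freemail sender, a request to move to another contact channel, and a link whose destination is not on uvic.ca. The following is an added example (not UVic's mail filtering and not part of the original posts); the flag names, keyword patterns and all sample messages and addresses are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

ORG_DOMAIN = "uvic.ca"
ORG_NAME_HINTS = re.compile(r"\buvic\b|university of victoria", re.I)
# Free email providers named in the posts above.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Assumed phrasings for "move the conversation elsewhere" requests.
OFF_CHANNEL = re.compile(r"google chat|alternative email|text back|number i can text", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def on_org_domain(host):
    """True only for uvic.ca or a subdomain of it.

    A bare endswith("uvic.ca") would also accept look-alikes such as
    "notuvic.ca"; requiring the leading dot avoids that, and hosts like
    "uvic.ca.forms.example.invalid" fail because the suffix is wrong.
    """
    host = host.lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def check_message(raw):
    """Return a sorted list of red-flag labels for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""

    flags = set()
    if ORG_NAME_HINTS.search(display) and not on_org_domain(sender_domain):
        flags.add("external-sender-claims-org")
    if sender_domain in FREEMAIL:
        flags.add("freemail-sender")
    if OFF_CHANNEL.search(body):
        flags.add("off-channel-request")
    for url in URL.findall(body):
        host = urlsplit(url).hostname or ""
        if not on_org_domain(host):
            flags.add("link-off-org:" + host.lower())
    return sorted(flags)


# Constructed messages modelled on the posts above; every address is a placeholder.
MSG_PAYROLL = (
    "From: Uvic e-Service System <sender@mail.example.invalid>\n"
    "Subject: REMINDER: Benefits Open Enrollment 2024. Review & Sign\n"
    "\n"
    "Disclaimer: Confidentiality Notice: This email and any files are confidential.\n"
)
MSG_JOB = (
    "From: Example Sender <example.sender@gmail.com>\n"
    "Subject: Remote Job Opening\n"
    "\n"
    "If interested, submit a copy of your updated resume and functional "
    "google chat email address via this email to proceed.\n"
)
MSG_EAP = (
    "From: EAP Support <support@mail.example.invalid>\n"
    "Subject: 2023 Employee Assistance Program\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Applications can be submitted via the '
    '<a href="https://uvic.ca.forms.example.invalid/eap">2023 Employee Assistance Program</a>.</p>\n'
)
MSG_INTERNAL = (
    "From: UVic Payroll <sender@uvic.ca>\n"
    "Subject: Pay statement available\n"
    "\n"
    "Your statement is available at https://www.uvic.ca/hr\n"
)

if __name__ == "__main__":
    for name in ("MSG_PAYROLL", "MSG_JOB", "MSG_EAP", "MSG_INTERNAL"):
        print(name, check_message(globals()[name]))
```

A message with no flags is not thereby legitimate: as the posts note, scams also arrive from compromised UVic accounts and sender addresses can be spoofed.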

Job scam email from fake professor "Sarah Gibbons" on Gmail, impersonating a real UVic faculty member

Subject: UVIC STUDENT EMPLOYMENT
From: Prof. Sarah Gibbons <s*****25@gmail.com>

University of Victoria , Department of Physical and Health Education urgently requires the service of students to work part-time as administrative assistants and get paid $350 weekly.
The hours are flexible and students will be required to work not more than 6 hours weekly. The position can be carried out remotely and the pay is $400 weekly. Salary increment will be reviewed after gaining more training and experience on the position.
Major skills needed are ; Maintaining effective working relationships, Ability to establish effective working relationships and to prioritize tasks and projects, Ability to work independently. Basic Knowledge of Microsoft Word and Excel will be an added advantage.
To proceed with the application process and other eligibility descriptions, contact me directly on (916) ***-**** stating your full name, email address, year of study, and department to receive the job description and further application requirements.

Best regards.

[impersonated professor]
[impersonated professor]

Professor

Office: MCK ***

Job scam email claiming to be from "UVIC Support Services" that actually came from Gmail, impersonating a real UVic faculty member

Subject: Organizational Research
From: UVIC Support Services <greg*****522@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University of Victoria , Department of Physical and Health Education urgently requires the service of students to work part-time as Research assistants and get paid $350 weekly.
The hours are flexible and students will be required to work not more than 6 hours weekly. The position can be carried out remotely and the pay is $400 weekly. Salary increment will be reviewed after gaining more training and experience on the position.
Major skills needed are ; Maintaining effective working relationships, Ability to establish effective working relationships and to prioritize tasks and projects, Ability to work independently. Basic Knowledge of Microsoft Word and Excel will be an added advantage.
To proceed with the application process and other eligibility descriptions, contact me directly on (916) ***-**** stating your full name, email address, year of study, and department to receive the job description and further application requirements.

Best regards.

[impersonated professor]

Professor

Office: MCK ***