You Have 2 New Shared File

This phish tries to lure you in with a payroll-related document. It claims to be from UVic, but there are several signs it’s not from us:

  • The sender address is external. Real payroll or HR emails should come from a UVic email address.
  • “Uvic” uses incorrect capitalization, and there are other capitalization errors.
  • The subject line has incorrect grammar.

Hovering over the link will show that its destination is also not uvic.ca. The phisher also seems to have used individualized click-tracking links for this campaign. This highlights another good reason why you shouldn’t click the link out of curiosity: the phisher may be tracking who clicked and may send those people more phishing emails.

Phish claiming to be a staff payroll document from "Uvic Docs", with a link to click to review the supposed document.

Subject: You Have 2 New Shared File
From: Uvic Shared Document <file@quadrantpsc.com>

[redacted]@uvic.ca

Please find the attached Document “Staff Payroll”.

Review Document

Note: This email grants access to this Document.

Uvic Docs: Create and edit documents online.
You have received this email because someone shared a document with you from Uvic Docs.

Part-Time Job Needed

Once again, scammers are sending out fake job offers that are impersonating real UVic faculty. These emails are similar to four previous batches we saw on May 8, 12, 16 and 19. Nevertheless, it’s worth doing a refresher on the red flags to look out for:

  • The emails are coming from Gmail addresses. A legitimate UVic job offer should come from a UVic email address.
  • The salary offered is too good to be true, especially for only eight hours per week of casual work.
  • The scammer tries to move the conversation away from UVic email to a non-UVic channel to avoid UVic’s monitoring.
  • In some variants, the sender’s name will be different from the faculty member who is supposedly offering the job. Inconsistencies like that can be a sign that something isn’t right about the email.

If you received this email, do not reply to the scammer with your resume or contact information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance. If you forwarded the email to other people, recall the message and contact the recipients immediately to warn them of the scam.

Subject: Part-Time Job Needed
From: CAMPUS JOBS <[redacted]@gmail.com>

The service of a student administrative assistant is urgently required to work part-time and get paid $650 bi-weekly. Tasks will be carried out remotely and work time is 8 hours/week.

If interested, submit a copy of your updated resume and a functional google chat email address to our Department of Sociology via this email address to proceed.

Sincerely
[name redacted]
Professor of Sociology
Department of Sociology
Office: [redacted]

Small Duties

This is yet another job scam impersonating a UN agency, where the scammer has taken the additional step of using a reply address on a fraudulent domain that impersonates UNESCO. Here are the red flags indicating that this email is not legitimate:

  • The offer is way too good to be true: $500 for only three hours of casual work per week and no need to go through an interview is not realistic at all.
  • The email is poorly-written, with lots of awkward wording and grammatical errors.
  • The email asks you to send personal information and reply with your “Alternative Email”. This is a ploy to move the conversation off UVic email to evade monitoring.
  • The entire message is actually an image, not text. This is a trick scammers use to evade spam filters and is therefore a bad sign. The image has also been turned into a link that will make your mail app begin a new email with the scammer’s email address prefilled.
  • The sender is not from the UN and does not match the representative named in the email. Inconsistencies like this can often be a sign of a scam.

If you replied to this email, cease contact with the scammer and reach out to the Computer Help Desk immediately for assistance.

Job scam email impersonating someone from UNESCO


Subject: Small Duties
From: [redacted] <*****@f***.org>

This job is for university students with academic difficulties and no prior diagnosis are see and assessed through the academic screening and assessment process. You have received this email because we subscribe to the university in general./

I am Matthias Larsen, project coordinator UNESCO’s mission which our aims and objectives is to contribute to the building of a culture of peace, the eradication of poverty, sustainable development and intercultural dialogue through education, the sciences, culture, communication and information.

We consider this employment simple for anyone to handle because you will only help me purchase items when needed and clear purchase invoices for donor services. This employment only takes an hour a day and 3 times a week with a $500 (five hundred cad) weekly salary.

There won’t be any interview because i am currently away on an official assignment to helping students in Sudan. You will be paid in advance for all tasks and purchased to be done on my behalf. Upon my arrival we will discuss the possibility of making this a long-term employment if i am impressed with your services while i am away and if you are interested.

My arrival is scheduled for 28th of august 2023. I got your email through a short list from the university human resources department.

To apply, kindly email back with your Alternative Email | your full name | age | Address and mobile number to my email below.

Sincerely,

Matthias Larsen

Project coordinator

Unesco email: work@[scam email domain redacted]

Part-time Job Opening

Today’s batch of job scam emails is very similar to the ones we wrote about on May 8 and May 12. Like the previous rounds, the scam uses the name of a real professor from the UVic Department of Computer Science to make the offer seem legitimate. As a refresher, here are the red flags in the email that indicate this offer is a scam:

  • The emails come from Gmail addresses. A legitimate UVic research job opportunity should come from a UVic email address.
  • The sender of the email differs from the professor named in the signature block. Inconsistencies like this can be a sign that the offer isn’t legitimate.
  • The email tries to shift the conversation off UVic email to Google Chat to evade monitoring.
  • The offer is too good to be true–$315 for 7 hours of work a week is more than twice the minimum wage in BC.

We have since learned that people who respond to the scammer will be told they got the job without having to go through an interview or even meet the professor (not even virtually). This is yet another sign that the supposed opportunity is a scam.

The scammer will then proceed to build trust by sending tasks that involve market research on office equipment and supplies. Eventually, this culminates in the scammer asking the victim to purchase office supplies by sending their own money to a specified “supplier” (actually the scammer), with a promise that they will be reimbursed later (which of course doesn’t happen).

If you received this email, do not reply to the scammer with your resume or contact information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance. If you forwarded the email to other people, recall the message and contact the recipients immediately to warn them of the scam.

Subject: Part-time Job Opening
From: Dr Henry Garcia <dr[redacted]@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

The service of a Student Assistant is urgently required to work part-time and get paid $315 weekly. Tasks will be carried out remotely and work time is 7 hours in a week.
If interested, submit a copy of your updated resume and a functional google chat email address to our Department of Computer Science via this email to proceed.

Sincerely
[name redacted]
Professor
Department of Computer Science
Office: ECS [room redacted]

Subject: Part-time Job Opening
From: DEPARTMENT OF HUMAN RESOURCES <dr[redacted]@gmail.com>

The service of a Student Assistant is urgently required to work part-time and get paid $315 weekly. Tasks will be carried out remotely and work time is 7 hours in a week.
If interested, submit a copy of your updated resume and a functional google chat email address to our Department of Computer Science via this email address to proceed.

Sincerely
[name redacted]
Professor
Department of Computer Science
Office: ECS [room redacted]

“Student Research Assistant Urgently Needed” or “Office of Research Assistants” job scam emails

We’ve been seeing several variations of these fake research assistant job offers, each one impersonating a real UVic faculty member to make the opportunity look legitimate. However, there are several red flags that indicate these are scams:

  • The emails come from Gmail addresses, not from the faculty members’ UVic email addresses.
  • The scammer asks you to respond using a different communication method (SMS or Google chat). This is an attempt to evade our monitoring systems by moving the conversation away from UVic email.
  • The versions that request responses via SMS don’t provide a local phone number; the 323 area code corresponds to Los Angeles, California.
  • The pay offered is several times higher than the minimum wage in BC and therefore too good to be true, especially for part-time/casual work.
  • The messages contain errors in grammar, spacing and/or punctuation.
  • The name of the sender of the email may differ from the professor mentioned in the message.

If you replied to one of these emails, contact the Computer Help Desk immediately for assistance, especially if you sent money or personal information.

Subject: Office of Research Assistants
From: [name redacted] <csdepartment.uvic.***@gmail.com>

University of Victoria is currently seeking a Research Assistants to join the Department of computer science, under the supervision of professor: [name redacted].
The hours are flexible and students will be required to work not more than 6 hours weekly. The position can be carried out remotely and the pay is $300 weekly. Salary increment will be reviewed after gaining more training and experience on the position. The position is open for any student of the institution.
Major skills needed are ; Maintaining effective working relationships, Ability to establish effective working relationships and to prioritize tasks and projects, Ability to work independently. Basic Knowledge of Microsoft Word and Excel will be an added advantage.
If interested , submit your full name, department and year of study to me directly via text message on (323) [scammer’s phone number redacted].

Best regards,
[name redacted]
Professor in the department
of Computer Science.
(323) [scammer’s phone number redacted].

Subject: Office of Research Assistants
From: Prof. Colette Coco <ac****mo@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University of Victoria is currently seeking a Research Assistants to join the Department of computer science, under the supervision of professor: [name redacted].
The hours are flexible and students will be required to work not more than 6 hours weekly. The position can be carried out remotely and the pay is $300 weekly. Salary increment will be reviewed after gaining more training and experience on the position. The position is open for any student of the institution.
Major skills needed are ; Maintaining effective working relationships, Ability to establish effective working relationships and to prioritize tasks and projects, Ability to work independently. Basic Knowledge of Microsoft Word and Excel will be an added advantage.
If interested , submit your full name, department and year of study to me directly via text message on (323) [scammer’s phone number redacted].

Best regards,
[name redacted]
Professor in the department
of Computer Science.
(323) [scammer’s phone number redacted].

Subject: Student Research Assistant Urgently Needed
From: Larry Grace <lg3****9@gmail.com>

The service of a student research assistant is urgently required to work part-time and get paid $650 bi-weekly.Tasks will be carried out remotely and work time is 8 hours/week.
If interested, submit a copy of your updated resume and a functional google chat email address to our Department of Psychology via this email address to proceed further.

Regard
[name redacted]
Associate Professor of Psychology
Department of Psychology
Office: COR [room redacted]

RE: Document10_23

This phish tries to look like a secure file that came from an internal system, but in reality the uvic.ca sender address has been spoofed.

Other signs that this email is not legitimate:

  • There are grammatical and capitalization errors, including the incorrect “Uvic” in the sender display name
  • The email creates a false sense of urgency by saying the file will expire tomorrow
  • Hovering over “Get your file” would reveal a destination link that’s not on UVic or Microsoft.
  • The broken images might also be a bad sign, but in this case it’s not clear whether they would have worked in a different mail client.

EMERGENCY

This scam email is trying to impersonate President Kevin Hall and resembles the start of a gift card scam. Below are some signs that this email is not really from the president:

  • The “From” address is from Gmail, not UVic. Also note the warning banner at the top saying that you don’t often get email from that address; that is a signal to take an extra minute to evaluate whether this email is legitimate and actually coming from the person it claims to be from.
  • The subject line creates a sense of urgency, and yet the actual message is extremely vague. That probably means there isn’t really an emergency.
  • The email contains quite a few errors in capitalization, grammar and punctuation, which is not the writing style you would expect from a university president.
  • The email is trying to shift to a different communication channel to evade detection (WhatsApp in this case, though Google Chat, SMS and personal email are also common requests). If you replied with your alternative contact information, be vigilant and watch out for further phishing or scam attempts on that channel, since your contact information is now in the hands of someone malicious.

If you receive an email that claims to be from someone at UVic but you’re not sure if it’s genuine, do not reply to the email or use any contact information from it. Instead, contact that person through a different method that you know is safe, such as by phoning the Office of the President.

You have an outstanding refund from Canada Revenue Agency.

With income tax filing season approaching, it’s not surprising that phishers are sending emails pretending to be from the Canada Revenue Agency (CRA). The “From” addresses for these emails were not ones from canada.ca or a domain ending in .gc.ca, meaning the emails did not actually come from the Government of Canada. The samples reported to us had sender addresses from various Austrian domains.

There are several other signs that this is a phish in the message contents:

  • The greeting is impersonal, and it seems odd for the CRA to address you as a customer when they’re a government agency.
  • There are some grammatical errors and also weird extra spaces before colons.
  • The use of “datum” instead of “date” is a word choice error.
  • The text about “managing your usage” near the end of the message doesn’t make sense in this context.

The ultimate red flag: hovering over either link will reveal that they use TinyURL or some other link shortener. Be very suspicious of shortened links in emails, as phishers often use them to hide the true malicious destination of the link. We used a security scanner on these shortened URLs and can confirm that they do not go to the real CRA website.

Real CRA webpages are on either canada.ca or domains with names ending in .gc.ca. It’s also worth noting that cra[.]ca actually belongs to a market research company, not the CRA!

For more information, the Canada Revenue Agency also has a page with additional tips on how to protect yourself from fraud.

Free Yamaha Baby Grand Piano

This is not the first time we’ve posted about piano scams, but this one is unusually well-crafted and also takes the extra step of impersonating President Kevin Hall. The sender email address in the example below even looks like it came from within UVic, but in reality it was spoofed.

The fact that the email tells you to contact someone you don’t know at a different email address from a free email provider is a red flag. If you’re not sure about the legitimacy of the email, verify it by contacting the supposed sender through a different contact method that you know is safe. Do not reply directly to the suspicious email–in this case, the email was crafted to send any replies to yet another Gmail address that is controlled by the scammer. And as always, be wary of unsolicited offers that look too good to be true.

Delayed package phishes

With the holidays coming soon, there’s a fair chance that you’re someone who is waiting for a package to be delivered. Phishers regularly try to take advantage by sending out phony package notification emails, hoping that someone will think it’s related to a delivery they’re expecting and click the link.

If you are expecting a package and want to check the status of the delivery, obtain tracking information from your order receipt or by logging into the site on which you made the order, and then go to the official site of the delivery provider to track your package. Do not use a link from an email to go to those sites if you’re not certain that the email is legitimate. Instead, use a bookmark for the site if you made one earlier, or carefully type the site’s address into your browser. Alternatively, Amazon.ca has a reference page with links and phone numbers for the delivery providers that they work with.

Now we’ll look at some examples of package phishes and how to spot them. Below is an example of a fake Canada Post email. There are quite a few signs that the email is not legitimate:

  • In the subject line, there is a word choice error (malapropism) in “Delays excepted”
  • The sender display name and address are very generic in that they don’t match a specific delivery provider
  • The description of the shipment as being “from a webshop” is oddly vague

The link in this phish seems to be abusing a legitimate link scanning and redirect service to hide the true destination. That can make it tricky to determine where the link actually goes, but given the red flags above, you can reasonably conclude it’s not going to be the real Canada Post website.

Here’s an example of a fake UPS email. This one is better-crafted than the one above, but there are still some red flags you can spot:

  • The sender email address is not from UPS (it appears to be from an unrelated Japanese site)
  • Wonky formatting like the misaligned “Track This Parcel” button can be a sign the email is fake

Hovering over “Track This Parcel” will reveal a link to a site on s3.amazonaws.com. It’s worth noting that Amazon isn’t just an online marketplace. Amazon Web Services (AWS) is a major cloud computing provider, and phishers are known to abuse it to host phishing sites. If you see a link to a site on s3.amazonaws.com in an unsolicited email, be wary. Links from an Amazon order email are more likely to go to amazon.com or amazon.ca.


Part-Time Student Administrative Assistant Needed

This purported job offer uses the name of a real faculty member from the Department of Sociology, but this job offer did not come from that person or department and is a scam. There are several signs that this is not a legitimate opportunity:

  • The sender’s name does not match the name of the faculty member in the signature. This can be a sign of an impersonation scam.
  • The sender is not using UVic email. Instead, they are using a Gmail address and asking you to reply to it. Always be wary of unsolicited job offers that come from an address from a free email provider or that ask you to contact that sort of email address.
  • The pay being offered for 8 hours of work per week is too good to be true–that’s much higher than the minimum wage in BC!
  • The scammer is asking you to send alternative contact information to move the conversation away from UVic email to evade detection.
  • There are capitalization errors in the signature block.

If you replied to the scammer, especially if you provided money or sensitive personal information, reach out to the Computer Help Desk for assistance and advice on how to report the fraud.

UPDATE

If an unsolicited email seems very vague or generic, that can be a sign it’s a phish. That certainly can be said of this one, which uses an undescriptive subject line and doesn’t even try to give any context or a reasonable explanation for why your account is supposedly being deactivated. In a similar vein, the email claims to be from “IT Helpdesk” in a generic fashion that doesn’t mention UVic in any way, and the greeting is equally impersonal and generic.

The vague and generic nature of the email, along with the non-UVic sender address, inconsistent font formatting, and errors in capitalization and punctuation, are all signs that it is not legitimate. The ultimate red flag is the fact that hovering over the link shows it goes to a website on the Weebly free website builder–a real UVic login page would not be hosted there.


UVic Webmail-themed spoof phish with no subject

This phish spoofed a UVic email address but actually came from outside of UVic. As well as the empty subject line, there are plenty of red flags in the message content:

  • The message instills a false sense of urgency and threatens an adverse impact.
  • There are plenty of capitalization and grammatical errors, and the spacing in the last paragraph is weird. Indeed, the whole email looks like it was put together rather sloppily.
  • The link shown to you is for a site on Weebly, a free website builder. No real UVic login page would ever be hosted on a free website builder.

If you hover over any of the links, you’ll actually see a Google redirect URL. Phishers may use a Google redirect or something similar to make the URL look less phishy and hide the real destination.

As always, don’t click on the links! If you did, reach out to the Computer Help Desk or your department’s IT support staff for assistance.
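The link checks described in this post and the earlier ones (destination not on uvic.ca, link shorteners, sites on Weebly or s3.amazonaws.com, Google redirects) can be applied mechanically when triaging reported messages. The following is an added example, not part of the original posts; the host lists and sample links are constructed, and the redirect handling assumes the `google.com/url?q=` form.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed lists built from hosts named in these posts; extend for real use.
TRUSTED = ("uvic.ca",)
SHORTENERS = ("tinyurl.com",)
HOSTING = ("weebly.com", "s3.amazonaws.com")
REDIRECT_PARAMS = ("q", "url")  # assumed parameter names of google.com/url


def host_matches(host, suffix):
    """True if host is the suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def unwrap_redirect(url):
    """Return the destination embedded in a google.com/url link, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host_matches(host, "google.com") and parts.path == "/url":
        query = parse_qs(parts.query)
        for name in REDIRECT_PARAMS:
            if query.get(name):
                return query[name][0]
    return None


def triage_link(url, max_hops=3):
    """Return (final_url, sorted flags) for one link taken from an email."""
    flags = set()
    for _ in range(max_hops):          # bounded, in case redirects are nested
        target = unwrap_redirect(url)
        if target is None:
            break
        flags.add("redirector")
        url = target
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        flags.add("not-a-web-link")    # e.g. a mailto: link behind an image
        return url, sorted(flags)
    if any(host_matches(host, s) for s in SHORTENERS):
        flags.add("shortener")
    if any(host_matches(host, s) for s in HOSTING):
        flags.add("third-party-hosting")
    if not any(host_matches(host, s) for s in TRUSTED):
        flags.add("not-uvic")
    return url, sorted(flags)


# Constructed sample links (not taken from the reported emails).
SAMPLES = [
    "https://www.google.com/url?q=https%3A%2F%2Fconstructed-example.weebly.com%2F&sa=D",
    "https://tinyurl.com/constructed1",
    "https://constructed-bucket.s3.amazonaws.com/track.html",
    "https://uvic.ca.constructed.example/login",   # lookalike, not a uvic.ca host
    "https://www.uvic.ca/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        final, flags = triage_link(link)
        print(f"{link}\n  -> {final}\n  flags: {', '.join(flags) or 'none'}")
```

The suffix comparison requires a dot before `uvic.ca`, so a hostname that merely contains the string is still flagged as external.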

RE: IT SERVICE DESK

This Outlook-themed phish has a lot of the usual red flags:

  • The sender is not from UVic or Microsoft
  • The greeting is impersonal
  • The message contains numerous errors in grammar and capitalization
  • The email tries to create a sense of urgency and threatens you with an adverse impact
  • Hovering over the link reveals that it does not go to UVic or Microsoft

All of the above signs indicate that the link should not be clicked on.

New REMOTE POST Available / New PART-TIME POST (Remote) Available / New Remote Job Paying $400 WEEKLY!

Other variations of the subject line have also been seen.

This is a job scam email that is impersonating UVic, specifically the Department of History. There are several red flags that indicate that this offer is not legitimate:

  • The sender is not from UVic–it’s a Gmail address. Unsolicited job offers from free email providers should always be viewed with suspicion.
  • The capital I’s in the sender display name may look wonky depending on your mail app’s font. That’s because the scammer is actually using lowercase l’s.
  • The greeting is impersonal and awkwardly worded.
  • There are a few grammatical errors.
  • The high amount of weekly pay for a small amount of remote work is too good to be true. Describing an urgent need for students is also suspicious.
  • The email asks you to reply with your personal information via text message to get more information about the supposed job.
  • The phone number provided doesn’t use a local area code–the area code in the example below is for Southern California!

If you got this email, do not reply to the scammer and definitely do not send your personal information or contact information to their email address or phone number (doing the latter might also incur a charge for long-distance SMS). If you did, contact the Computer Help Desk for assistance.

Update 2022-11-04: we have also seen some later variants of this scam that have added UVic Edge branding to make the emails look more polished and legitimate. The red flags above still apply, including the use of a (different) non-local phone number.
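The sender checks that recur in these posts (a display name claiming UVic on a non-UVic address, a free email provider, replies routed to a different domain, lowercase l's standing in for capital I's) can be expressed as header triage. The following is an added example, not part of the original posts; the sample messages and addresses are constructed, and the flag names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "uvic.ca"
ORG_NAMES = ("uvic", "university of victoria")
FREE_MAIL = {"gmail.com"}  # provider named in the posts; extend as needed


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_org_domain(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def has_l_for_I(display_name):
    """True if some word is all capitals except for lowercase 'l' characters."""
    for word in display_name.split():
        letters = [c for c in word if c.isalpha()]
        rest = [c for c in letters if c != "l"]
        if "l" in letters and len(rest) >= 2 and all(c.isupper() for c in rest):
            return True
    return False


def triage_headers(raw_message):
    """Return the list of sender red flags found in a raw message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []
    if from_domain in FREE_MAIL:
        flags.append("free-mail-sender")
    swapped = has_l_for_I(name)
    if swapped:
        flags.append("l-for-I-substitution")
    # Undo the substitution before looking for the organization's name.
    claimed = (name.replace("l", "I") if swapped else name).lower()
    if any(n in claimed for n in ORG_NAMES) and not is_org_domain(from_domain):
        flags.append("display-name-impersonation")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages (addresses are not real senders).
JOB_SCAM = (
    "From: UNlVERSlTY OF VlCTORlA <sample-not-real@gmail.com>\n"
    "Subject: New REMOTE POST Available\n\nbody\n"
)
SPOOFED_WITH_REPLY_TO = (
    "From: Office of the President <constructed.sender@uvic.ca>\n"
    "Reply-To: sample-not-real@gmail.com\n"
    "Subject: Free Yamaha Baby Grand Piano\n\nbody\n"
)
EXTERNAL_CLAIMING_UVIC = (
    "From: Uvic Shared Document <file@constructed.example>\n"
    "Subject: You Have 2 New Shared File\n\nbody\n"
)

if __name__ == "__main__":
    for raw in (JOB_SCAM, SPOOFED_WITH_REPLY_TO, EXTERNAL_CLAIMING_UVIC):
        print(triage_headers(raw))
```

A spoofed uvic.ca "From" address passes the domain comparison, which is why the Reply-To check is included for cases like the piano scam.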