FYI

As always, don’t rush to click on the link; you should hover over it first to see where it goes. This one goes to a page on a free website builder, which is a sure sign this upgrade notice isn’t legitimate.

Notice the note at the end saying “This message has been scanned for malware”. That should not be interpreted as a sign the email is safe; the phisher could have faked that text.

New uvic.ca Shared_Document_ 0DFDA1C6

This phish tries to trick you into clicking the link by claiming to be an important document from management and HR (note the inclusion of HR@uvic.ca in the sender display name). The actual sender email address is not from UVic but uses a suspicious domain that is trying to pose as SharePoint. Hovering over the link would show that the link goes to neither UVic nor Microsoft SharePoint.

Payment for invoice#52190 is due today [Malware]

The purported invoice attachment in this email is a .img file. You might be tempted to think the file is an image (that is, a picture), but .img files are actually disk images, which means they can contain other files. This particular example contains a malicious program.

If you receive an email with a suspicious attachment, do not forward it as is, even to report it or warn other people. Doing so leaves the attachment exposed where someone could accidentally click on it. If you want to safely report it to your departmental support staff or the Computer Help Desk, forward the email as an attachment instead, or better yet, use the Report Phishing button if you have it.

System Administrator

Another typical generic phish pretending to be a Microsoft Exchange alert. Emails threatening to close your account if you do not click the link in a short period of time are a common sign of a phish (legitimate account closure warnings would give you much more advance notice, usually weeks or months). In this case, the phishy nature of the link is also on clear display.

Staff Benefit Enrollment

This phish is likely to be targeting users from higher education institutions in general, as the sender made no attempt to tailor this phish or impersonate someone from UVic. The poor quality and errors in the message should also be a red flag.

As usual, you can hover over the link to see where it goes. You would find it does not go to a UVic website; it actually goes to a website on a free web hosting provider. That is not something a legitimate payroll or benefit site would use, so do not click on that link.

Validate Your Email Account….To Avoid closed down

This spear-phishing email used a tailored sender display name, a spoofed UVic email address and the UVic logo to look more legitimate. Unlike most other phishes, which tend to have a generic signature, the signature block here impersonates the UVic Computer Help Desk.

Though there are other red flags in the email’s contents, the smoking gun is the link: if you hover over it, you can clearly see that it goes to a suspicious non-UVic website (see the bottom of the screenshot). That website hosts a realistic copy of the UVic OWA login page, complete with the policy text. Don’t click on that link or enter your credentials on that page!

If you clicked on the link, contact your department’s IT support staff or the Computer Help Desk immediately.

New tasks assigned

This phish spoofed the recipient’s email address. It tries to use Microsoft branding to make the email look like a Microsoft Planner notification, even going so far as to make all of the blue links go to legitimate Microsoft Planner pages. However, the green “Open in Microsoft Planner” button is a different story: it goes to a feedproxy.google.com URL, which is a red flag in this context.

While feedproxy.google.com itself isn’t a phish site, that service is used to redirect visitors to other sites, so the final destination is likely to be completely different and untrustworthy. The phisher has used a legitimate redirect URL to hide the real malicious destination.
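As an added illustration (not code from the original page), here is a small Python triage script that applies the checks described above for the Shared_Document, invoice and Planner phishes to a constructed message: display name borrowing a trusted brand while the real sender domain is elsewhere, link text that does not match the link destination or that goes through a redirector, and a .img "invoice" attachment. The trusted-domain list, the sender addresses, the hosts and the attachment bytes are all assumptions, not values taken from the page.

```python
import re
from email.headerregistry import Address
from email.message import EmailMessage
from urllib.parse import urlparse

TRUSTED = {"uvic.ca", "microsoft.com"}   # assumption: brands the page treats as legitimate
REDIRECTORS = {"feedproxy.google.com"}    # redirect service named on the page
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _trusted_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def _mentions_brand(text):  # does the visible text carry a trusted brand word ("uvic", "microsoft")?
    return any(d.split(".")[0] in text.lower() for d in TRUSTED)

def triage(msg):
    """Return the red flags described on the page that are present in an EmailMessage."""
    flags = []
    sender = msg["From"].addresses[0]
    # 1. display name borrows a trusted brand, but the real sender domain is elsewhere
    if _mentions_brand(sender.display_name) and not _trusted_host(sender.domain):
        flags.append(f"display name {sender.display_name!r} but sender domain {sender.domain}")
    # 2. the "hover over it" check: where does each link actually go?
    html = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(html.get_content() if html is not None else ""):
        host = (urlparse(href).hostname or "").lower()
        if host in REDIRECTORS:
            flags.append(f"link {text!r} goes through redirector {host}")
        elif _mentions_brand(text) and not _trusted_host(host):
            flags.append(f"link {text!r} actually goes to {host}")
    # 3. a .img "invoice" is a disk image that can carry a program, not a picture
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".img"):
            flags.append(f"disk-image attachment {name}")
    return flags

def sample_phish():
    """Constructed message modelled on the page's SharePoint, Planner and invoice examples."""
    m = EmailMessage()
    m["From"] = Address("HR@uvic.ca via SharePoint", "notify", "sharepoint-docs.example")  # constructed
    m["Subject"] = "New uvic.ca Shared_Document"
    m.set_content("Please open the shared document.")
    m.add_alternative('<p><a href="https://files.example/doc">Open in UVic SharePoint</a> '
                      '<a href="https://feedproxy.google.com/r/x">Open in Microsoft Planner</a></p>', subtype="html")
    m.add_attachment(b"\x00" * 32, maintype="application", subtype="octet-stream", filename="invoice52190.img")
    return m
```

Running `triage(sample_phish())` reports four red flags, one for each of the checks above; a plain-text message from a uvic.ca address with no links or attachments produces none.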

Review

Recently there have been cases where a user at some other Victoria-area organization had their account compromised and used to send phishing emails. These emails come with a PDF attachment that poses as an M365 SharePoint file sharing notification and directs you to click on a link to log in and view the shared file. That link takes you to a fake M365 login page to try and trick you into providing your username and password. If you opened this PDF, please reach out to your department’s IT support staff or the Computer Help Desk immediately.

If a phisher manages to compromise an account belonging to someone you know or have prior dealings with, they may try to take advantage of that existing relationship in their phishing attempt, hoping that you’ll think the message is safe and click on links or attachments. When in doubt, contact the sender via another communication channel that you know is trustworthy (e.g.: a known good phone number) to verify that the email is legitimate.

See also: CISO Blog post – How can I tell it’s really you?

Gift card scams

Gift card scammers often start by sending emails like the example below. They pretend to be a person in a position of authority (the president in this case) and ask the recipient if they are free to help with an urgent task. People who reply will be asked to purchase several hundred dollars’ worth of gift cards out of their own pocket and then send pictures of them with the numbers revealed to the scammer. If you’re curious, this CISO Blog post has a detailed example of how the correspondence can pan out.

We’ve also seen variations where the scammer begins by asking the recipient to send their mobile phone number. This lets the scammer shift to communicating by SMS to try and avoid detection.

Tips to avoid falling for these gift card scams:

  • Check the sender email address – in this case, it’s a dodgy Gmail address, which clearly indicates that this request is fraudulent.
  • Even if the sender email address looks legitimate, it could be spoofed. Reach out to the purported sender via a different communication channel, such as calling a phone number you know is trustworthy, to check whether the email is legitimate.
  • Never send pictures of gift cards by email, SMS or messaging app; a legitimate request for gift cards would not ask you to do that.
      • If you did, call the company that issued the gift card (e.g.: Apple iTunes, Google Play, etc.) as soon as possible; they may be able to freeze the funds and/or help you get your money back. Also reach out to your department’s IT support person.
  • Do not reply to these sorts of emails with your cell phone number – the scammer might target you with vishing (voice phishing) or smishing (SMS phishing) in the future.

New Invoice for Uvic

This phish pretends to be from an internal UVic fax service. It used a sender display name of “Uvic” but actually came from an external email address, which of course is a red flag. Also note the green “sender has been verified” banner: that is a fake one added by the phisher.

The phish also came with an attachment called “Uvic statement.pdf”. Do not open it: the contents direct you to log in to a phishing site. In general, opening such attachments is very risky since they could contain phishing content or malware. If you opened this attachment, contact your department’s IT support staff or the Computer Help Desk immediately.