Author: Laura Chan

Work from home job scams are unfortunately very common right now with scammers trying to take advantage of people having financial difficulties due to the pandemic. If you receive an unsolicited email like this, do not reply with your email address, phone number or any other personal information. If you did, be extra vigilant about scams, phishing, smishing (SMS phishing) and vishing (voice phishing) since the scammers may view you as a promising target.

More on work from home job scams:

CBC News – Online job scams on the rise during pandemic year, fraud prevention expert says

CTV News – Better Business Bureau warning about these work-at-home scams

 

Various groups at UVic received this targeted phish. Note how the phisher used a spoofed sender to make the message look more legitimate. The URL that you can see in the phish message looks OK, but if you were to hover over those links you would find that they actually go to a phishing site on a completely different domain. This is why it is very important to hover over links to check the true destination before clicking on them.

While UVic does officially use and support Zoom, this email is not a genuine Zoom invitation. Note the sender email address–it is clearly not affiliated with UVic or Zoom. If you were to hover over the link, you would find that the URL does not go to either uvic.ca or zoom.us and therefore should not be clicked. If you did click it, contact your department’s IT support staff or the Computer Help Desk.

Phishers are well aware that people are using videoconferencing platforms like Zoom and Teams more and more because of the pandemic, so it is no surprise that they would try to take advantage by creating fake notifications. If you’re not sure if the meeting request is legitimate but it looks like it came a person or organization you recognize, contact them through a different communication channel that you know is safe to verify that it’s legitimate.

This was a spoof phish that tried to look like it came from noreply@uvic.ca. However, the sender was actually external and the link goes to a phishing site on Google’s Firebase platform, which is definitely not affiliated with UVic SharePoint or M365.

Purchase orders, invoices and receipts are very common lures for phishing and malspam campaigns. In this case, the vagueness of the message should be a red flag. When in doubt about emails like this, it’s best to err on the side of caution and not click on any links or attachments, which may direct you to phishing content or contain malware.

In this case, the PDF tries to make you believe that it has been secured in a way that means you have to login to view the content. In reality, clicking on “View On Adobe” will actually take you to a phishing site that pretends to be the Adobe login page.

This phish tries to use Microsoft branding and a sender display name that mentions UVic to try to look legitimate. As always, do not click on any links or attachments from messages like this.

If you were to hover over “increase storage” you would find it uses the ow.ly link shortener to hide its true destination, which should make you suspicious. The link ultimately takes you to a fake OWA login page designed to steal your login credentials.

In this case, the phishing link is not in the email body but in the attachment. As always, if you receive an unsolicited email and it looks suspicious, don’t open any attachments; they may contain malware or redirect you to a dangerous site (this one would have done the latter).

The sender email address is also a giveaway that this is not a UVic email, despite what the sender display name and email body claim.

This is another spoof phish; the phishing email that claims to come from UVic but is actually from an external source. Fake Outlook and Microsoft notifications are a perpetually popular theme for phishes. As always, do not click on links or attachments from such emails.

Do not reply to unsolicited emails about COVID-19 aid or click on any links in them (not that there are any in this particular one). In the vast majority of cases, they are scams sent out by malicious people trying to take advantage of the pandemic.

There are a couple of variations of this campaign that use different Gmail addresses from the one in the screenshot. If you see an email of this sort and the sender is using a free email provider like Gmail, you can be pretty certain it’s a scam.

For official information about government COVID relief:

• BC: https://www2.gov.bc.ca/gov/content/covid-19/economic-recovery/benefit
• Federal: https://www.canada.ca/en/department-finance/economic-response-plan.html

This is a spoof phish; the phisher tried to make this email look like it came from a UVic sender but it really came from an external source. The second half of the subject line varies between recipients but follows the same pattern. Hovering over the links would show that they do not go to UVic SharePoint and should not be clicked.

A few people received the variant below. This version had a spoofed sender of accounts@uvic.ca.

Another COVID-19 alert phish. Please be aware that scammers will often take advantage of major events like the pandemic when crafting phishing emails. Do not enter your personal information in links from unsolicited emails like this one.

For official UVic COVID-19 information, go to https://www.uvic.ca/covid-19/index.php 

Don’t trust the link text that you see in an email. While that link claims to be from amazon.com, if you were to hover over it you’d find it’s actually a shortened URL from bit.ly. Be wary of shortened URL in emails; while the shortening service might be legitimate, phishers often use them to obscure the true destination of the link.

You can try using a URL unshortener like Unshorten.it to see if it can obtain the true destination. Here’s a screenshot of the results I got from running it on the URL from that phish–you can see that bit.ly link definitely doesn’t go to Amazon and shouldn’t be clicked!

This is a fake SharePoint notification. Hovering over the link reveals that it goes to a domain that might be mistaken for the real SharePoint one if you don’t look at it closely.

This is a spoof phish; while it looks like it came from administrator@uvic.ca, it actually came from a non-UVic sender. The green “trusted source” banner is not something that was added by the UVic mail system either; that was added by the phisher in an attempt to make the message look legitimate.

The link goes to a phishing site that made some effort to copy the appearance of the UVic homepage. If you clicked on that link, reach out to the Computer Help Desk or your department’s IT support staff immediately.

Note how the sender display name claims to be from Office 365 but the sender address says otherwise.