Author: Mario Ivanov

As you can tell, scammers continue to explore this theme. The new phishing email that arrived today – and may continue to arrive over the weekend – uses the above subject line ending with random numbers. The actual message content is not in the email body but instead contained in a .msg attachment, likely to avoid detection by our anti‑phishing scanners.

The sender appears to be @microsoft.com – definitely not @uvic.ca – but there may be new variants of this phishing attempt. Please do not be curious and do not open the attachment under any circumstances.

What’s inside is shown in the screenshot below. The ultimate goal is to trick you into scanning a QR code that leads to a fake login page designed to steal your UVic credentials.

Transcript of the attachment text below:

University Of Victoria
2026 – 2027
Benefits Guide Summary
Your Benefits. Your Choices. Your Health.
This summary highlights the core benefits available to you for the 2026–2027 plan year.

Use this as your quick reference for medical, dental, vision, and voluntary coverage.

Welcome
Welcome to University Of Victoria’s 2026–2027 Benefit Plan Offerings
This benefits summary outlines your employee benefits effective June 1, 2026. To enroll or update your selections, please scan the QR code below.
Scan to Access Your Benefits Portal

Secure access has been sent to:
Help Starts Here
BenefitsVIP is your dedicated support center for benefits, claims, and eligibility questions.
Hours: Monday – Friday, 8:30 am—8:00 pm (ET)
Email: hr.answers@uvic.ca
Web: uvic.ca
This benefit summary provides selected highlights of the employee benefits program available. It is not a legal document and shall not be construed as a guarantee of benefits nor of continued employment. All benefit plans are governed by master policies, contracts and plan documents. Any discrepancies between this summary and the actual terms of such policies, contracts, and plan documents shall be governed by those actual terms. The company reserves the right to amend, suspend, or terminate any benefit plan, in whole or in part, at any time. The authority to make such changes rests with the Plan Administrator.

This phishing message is circulating today. The body of the email may be empty, and the screenshot below comes from the attached PDF file.

– It claims to be from an approved sender.
– It instructs you to follow the link encoded in the QR code.
– As usual, the goal is to steal your UVic credentials.

Do not scan the QR code. Do not engage out of curiosity. UVic does not send emails containing QR codes.

PDF Transcript:

*
Approved sender for University of victoria
This message is from your safe sender list
Dear <redacted>,
As part of our policy, the Remuneration and Performance Appraisal for the year
2026 has been finalized. The details includes changes to:
Pay Increase
Benefits Management
Changes, Amendments & Updates
Self-Evaluation for Goal Setting
You can access the file by either scanning the QR code below.
Required Actions:

1. Scan the QR Code to access your file
2. Review these sections:
   Pages 2-3: Hybrid work policies
   Section 6: Complete your Self Evaluation
   Chapter 10: Acknowledgement
   HR Management
   Corporate Policies Division
   TABLE OF CONTENTS
   ……………….

This kind of “too-good-to-be-true” message has been circulating recently. It contains a PDF attachment that, in turn, contains a link to a malicious site claiming you can “log in securely.” The actual goal is to steal your UVic credentials. Please do not open such PDFs and do not click the links. Report them as phishing to our Information Security team by using the red shield button in MS Outlook.
As is typical for scams, they imply urgency, come from an external email address, and link to an external website.

Subject: 16.89 % Salary Increase Letter Monday, November 24, 2025

Dear Members,

Sequel to last week notification, find enclosed Ηere-under the letter summarizing your 16.89 percent salary increase starting Monday, November 24, 2025

Αll documents are enclosed Ηere-under:

NOTE:  Your Αccess is needed to go through the salary increment letter, Initial Αccess is Salary2025

Payroll & Employee Relations

This phishing attempt is mostly quarantined by our automatic filters. However:

A) Some users request its release.
B) Similar scams could appear, using the idea that you’ve been added to a group, granted permissions, or need to open Microsoft Teams.

Unlike typical phishing emails, this one lacks urgency—it doesn’t claim anything is broken, expiring, or at risk. Instead, it relies purely on curiosity to lure victims into clicking.

How to Identify It as Phishing:

The most reliable way is by hovering over the link. If it directs you to a site that does not belong to Microsoft (Teams) or UVic, it’s likely malicious. Usually, these are newly registered domains, but sometimes, they are hacked websites storing malicious content in subfolders. The group name or purpose may vary—it could mention SharePoint, OneDrive, Zoom, Office, or something else. No matter what service it claims to be related to, the key detail remains: if the link points to an unknown site, do not click.

Instead, report the message using the Phish button in Outlook to help prevent further phishing attempts.

Microsoft Teams

You’ve been added to the “UVic contracts” work group in Microsoft Teams.
<Open Microsoft Teams>

This scam has been circulating recently on campus. It is not a new idea but a variation of the well-known “Piano scam” and “Welding machine” scam.
The scenario is the same – something expensive is donated, and you only have to pay the delivery fee. You send the money, and you never see any piano, welder, or trailer.
They usually pretend to be some UVic faculty or staff, helping a colleague or relative to donate the goods. In this case, they also used the name of a UVic person, which is redacted in the screenshot below.
Please stay vigilant to such offers that sound too good to be true, and if in doubt, consult with your desktop support person or the UVic helpdesk.

Subject: Charitable donation

Dear Faculty/Staff,

I hope this email finds you well. I am writing to inform you that One of our staff at University of Victoria, Ms Monica M. Margaillan, has expressed her willingness to donate her late father’s 2014 Airstream Sport 16′ Travel Trailer. 7000 miles, Sleeps 4. Has a color TV, radio, microwave, propane heater, electric AC/heater unit. If you are interested this airstream Sport, please indicate your interest by sending an email to (<redacted>@outlook.com) to arrange inspection and delivery or pickup with a moving company.

NB: Please write Mrs Monica with your personal email for a swift response.

Sincerely,

<redacted>
Member of the Board
University of Victoria

We have identified a phishing attempt that pretends to be from UVic HR, using urgency to trick recipients. The email contains a PDF attachment that includes a button leading to a fake login page. The goal is to steal your UVic credentials.

These emails often come from external addresses, but malicious actors can spoof internal addresses too. Do not open the PDF or click any links. They may contain malware to infect your computer instantly.
Our experts are investigating these threats in isolated environments.

Here is a screenshot of the message:

and transcript of the message body:

Important Employee Handbook and Payroll Update
Please be informed that there are critical updates to the Employee Handbook and Payroll process.
It is essential that you review these updates to ensure you are aware of the latest company policies and payroll information.
Regards.
University of victoria HR

With students back on campus, these kinds of scams will continue to target them. Most of the emails with the subject “Students seeking Jobs should check below” were properly identified by the antispam filters and ended up in the junk folders of Exchange mailboxes.

These emails typically contain a short text in the body of the message, while the actual scam is in an attached text file. The body may look like this:

These emails may come from different sender addresses (typically Gmail).

The text file contains a rather long description of the “job and benefits,” which includes typing mistakes and, as usual, sounds too good to be true.

Please do not reply to such scammers (even for fun!). If in doubt, ask the helpdesk or your supervisor.

The transcripts of the body of the email and the attachment are listed below:

University Of Victoria has resources in place to help you succeed in your career and your relationships. work for $(four Hundred weekly and study. If interested, see attached
Regards.

the attachment:

Greetings’..

I am Dr. Alvin Sanders… And I work with Workforce Innovation and Opportunity Act (WIOA) replaces the Workforce Investment Act of 1998 (WIA) by amending the law to strengthen the United States workforce development system through innovation in, and alignment and improvement of, employment, training, and education programs in the United States, and to promote individual and national economic growth, and for other purposes. The law provides the framework for a national workforce preparation and employment system designed to meet both the needs of the nation’s businesses and the needs of job seekers and those who want to further their careers. WIOA reforms current federal laws governing programs of job training, adult education and literacy, vocational rehabilitation, and youth, making services more universally accessible and more flexible components of workforce development systems.

The system offers access to services that encompasses assessments/skills needs, job search, job placement, labor market information, individual employment planning, educational and career counseling, occupational skills training, skill upgrading, internships and work experience, job readiness, adult education, and literacy and High School Equivalency (HSE) programs for adults and out-of-school youth free of charge. And we are running a promotional program at the moment which gives room for more individual to Apply and work with us while we make sure this offers circulated among all who needed to know about us.

I Considered this email reach out to you through the consent of University Office for Students in extension of an offer to work with me as my Virtual Personal Assistant (Dr. Alvin Sanders)

JOBS DESCRIPTION:

This job is really straightforward And is currently available online as WORK-FROM-HOME REMOTELY JOB. As my personal assistant you may be required to provide General personal assistance which may include any of the mentioned below:
*Acting as a liaison between the employer and other parties, including clients, vendors

*Handling and responding to emails

*Running personal errands such as shopping and arranging deliveries.

*Recording expenses, organizing receipts, and preparing expense reports.

*Providing support for personal tasks such as managing bills, organizing personal finances, and researching personal interests.

*And lastly. Any other tasks or projects assigned by the employer to support their professional or personal life. Meanwhile the working hours are flexible and fully remotely, the pay is $399/Weekly and working hours are 1 to 3hrs a day and 3days working hours bi-weekly

BENFITS:
Hybrid work policy with up to two days work from home
College-issued laptop for hybrid work
Adjusted hours for summer months, fall and spring breaks
Offices closed between Christmas and New Year’s
Generous vacation and personal time off
In addition to the benefits(for example health insurance, life insurance, TIAA, tuition-exchange), the college also provides the following perks:
I am presently monitoring other operations around the states so I am unable to meet up for the interview. For every assignment, you will receive payment in advance (AUTOMATIC 1 WEEK UPFRONT, $399). We will talk about the possibilities of turning this into a long-term job when I return if I am pleased with your services during my absence. I’m expected to arrive during the final week of October 2024.

Note: Please make sure that all of the information you submit is correct. If you are under the age of eighteen or do not have access to a real bank account, your application may not be accepted. If your application is approved, you will receive a confirmation email and will also communicate with us via text and email.
Below is the Application process. Thanks

If interested, please apply below, and send your student ID, full name, major, address, best contact
number, and alternate email. Please be aware that Junior and Senior students will be considered with
priority at this time.
To apply, email the requested information to
<redacted>

 

Similar to the ‘grand piano’ scam, other large items, such as welding tools, are also being offered in recent scams. The common thread among all these offers is this: if you express interest in the item, you are asked to pay for the shipping costs. The scammers’ goal is to get you to send them a payment using non-refundable money orders or gift cards. However, after you pay the shipping cost, you will never receive the item you were expecting.

From: Dr. <real name of a UVic person>  <****@gmail.com>
Sent: Tuesday, May 7, 2024 3:59 AM
Subject: Disposal of welding machine and tools boxs

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear Student/Faculty And, One of our staff in University of Victoria , <redacted name> ( Coordinator, Academic Administration) is downsizing and looking to give away her late dad’s Miller 951937 Dynasty 300 TIG Welder w/ TIGRunner Pkg & Wireless Foot Control, With A Complete Set Of Snap On Tools Box And Accessories. If interested in any of the equipment kindly indicate by sending him a mail via your personal email for a swift response. to indicate your interest in any of the listed items contact him on his private email address (****@outlook.com ) to arrange delivery with a moving company.

Sincerely,

Dr. <redacted real name>

MEMBER OF THE BOARD

Practically this is the same scam that we posted about last time. It was received by many UVic recipients last night. The text is the same as before, the sender is some compromised account at another organization and the subject this time is just “WPF”.  Please do not be curious and do not open the attachments in such scams, do not click links and do not reply to scammers (even for fun!!!). By replying you supply back information that your email exist, you are not on vacation, etc.

 

—

I am sharing job opportunity information to anyone who might be interested in a paid World food programme Part-Time job with a weekly pay of $750.00. If interested, kindly contact Mattias on his email address (***@outlook.com) for details of employment.

N.B, this job is strictly a work from home position.

This phish is circulating today. It applies the usual tactics of scammers to scare the potential victims that something is wrong and should should act fast.  The sender is external, the link points to an external site designed to look like a UVic login page with the goal to steal your UVic credentials. Please do not be curious and do not click the links because sometimes they may contain malware to infect your computer instantly.

Here is a screenshot and transcription of the phish:

Your University of Victoria account has been filed under the list of accounts set for deactivation due to retirement/graduation/or transfer of the concerned account holder. But the record shows you are still active in service and so advised to confirm this request otherwise give us reason to deactivate your account.

Please Verify your UVIC account immediately to avoid Deactivation Click

UVIC<link to external site>

Please note this one-time submission and entry only..

Warm Regards,
Office of the Registrar

The tax return season has started, and scammers have begun exploiting this period again. Typically, they try to persuade you to click on a link by pretending that something was wrong with your tax return, or you need to “sign” something, as in today’s example.

Please stay vigilant, do not click on these links. They may contain malware to infect your computer instantly or they might be designed to steal your credentials.

Your request has been processed successfully and is now ready to be signed

Document online <link>

Please view your document securely using the following confirmation code :
050916

This phish was received by many UVic mailboxes this morning. It seems to come from a UVic address, but there is no such address – it is spoofed by the external sender. They set however an external “reply-to” address. Please do not reply with anything and do not open the attachment. The zip contains a malicious file loaded with trojans.

Hello!

I hope this email finds you well. I am writing this mail to inform you that the item i purchased has been damaged.
if i wish to return it and get a refund, i would like to know the procedure. I tried contacting the phone number, but
none of my calls was answered.

I would appreciate it if you could look into this and get in touch with me as soon as possible.

Attached is the proof of the damaged item.

Thanks.

Peterson Webley..

This phish is circulating today. The sender address is spoofed. It has a domain in Germany and the username can be your own netlinkID.  The display name of the sender pretends to be “UVic HR department”.

Please do not open attachments from unknown senders. They may contain malware,  links to malware loaded web pages or links to fake login pages.

Transcript:

Hi <your netlink>, HR Dept. shared a new file “Uvic 2024/25 Salary Adjustment Letter.pdf” with (yournetlink@uvic.ca) via SharePoint for your urgent attention.   Kindly click the Get Your File button below to access it.   GET YOUR FILE

Report to SharePoint © 2024 SharePoint