Phish Bowl

Be on the look out for job recruitment scams like the one below that impersonate real companies to try and lure you into providing personal information or ask you for money before submitting your application.

Spot the RED FLAGS:

• An unsolicited offer that is too good to be true.
• Check the number or email address it came from. The area code is most often out of country and the email address is from a free provider.
• They request you to contact them via WhatsApp or follow peculiar links.
• A job offer without an interview and in some cases requesting payment to process your application.

Do not follow any links or respond to the text message, use the report junk option at the bottom of the text message. Alternately, you can forward the message to 7726. Both will report it to your mobile carrier. If you are unsure, reach out to the UVic helpdesk for assistance at helpdesk@uvic.ca

Hello! I am an HR representative from <redacted>. We recently reviewed your resume and believe you are a great fit for a remote online job opportunity we have available. This is a flexible remote part-time/full-time online job where the role involves assisting merchants with product reviews. The job is simple, and we provide comprehensive guidance to help you get started quickly.

• – Work only 60-90 minutes a day
• – Daily pay ranges from $100 to $300, depending on your working hours
• – Work from anywhere, any time

If you would like to join us, please contact us via WhatsApp: +133<redacted>

(Please note that applicants must be at least 23 years old to be eligible for this role)

This phishing attempt is mostly quarantined by our automatic filters. However:

A) Some users request its release.
B) Similar scams could appear, using the idea that you’ve been added to a group, granted permissions, or need to open Microsoft Teams.

Unlike typical phishing emails, this one lacks urgency—it doesn’t claim anything is broken, expiring, or at risk. Instead, it relies purely on curiosity to lure victims into clicking.

How to Identify It as Phishing:

The most reliable way is by hovering over the link. If it directs you to a site that does not belong to Microsoft (Teams) or UVic, it’s likely malicious. Usually, these are newly registered domains, but sometimes, they are hacked websites storing malicious content in subfolders. The group name or purpose may vary—it could mention SharePoint, OneDrive, Zoom, Office, or something else. No matter what service it claims to be related to, the key detail remains: if the link points to an unknown site, do not click.

Instead, report the message using the Phish button in Outlook to help prevent further phishing attempts.

Microsoft Teams

You’ve been added to the “UVic contracts” work group in Microsoft Teams.
<Open Microsoft Teams>

These phishing emails claimed to be from various UVic department chairs in an attempt to make the emails look legitimate and important. However, looking at the sender information raises some red flags: not only does the name not match the name of the department chair, but the email address is also not from UVic. That’s a strong sign that this is an impersonation attempt and you should not open any links or attachments in the email.

Not surprisingly, salary increases and bonuses, or important internal documents, are some email themes that phishers regularly use to lure people into clicking links and attachments. If you are sharp-eyed, you might also notice that there’s a zero instead of an O in “B0NUS”. This is a further sign that the email is not legitimate.

If you opened the attachment, run a full malware scan on your device as a precaution, and contact the Computer Helpdesk or your department’s IT support staff immediately. Be wary of documents that ask you to click on a link to login or access the real content. Also, watch out for and report any MFA pushes that come from outside of the country that you’re in, and change your password immediately if that sort of MFA push comes your way.

From: N********@*****.edu
Subject: Dr. J***** ****** shared a file with you- FACULTY & ᏚTAFF B0NUS

Attachment: [Word Document icon] FACULTY & ᏚTAFF B0NUS.docx

Some people who received this message don’t often get email from n********@*****.edu. Learn why this is important

Dr. J***** ****** shared a file with you- FACULTY & ᏚTAFF B0NUS

From: N********@*****.edu
Subject: Dr. M****** ******* shared a file with you- Essential_Departmental_interview

Attachment: [Word document icon] Essential Departmental Inter…

Some people who received this message don’t often get email from n********@*****.edu. Learn why this is important

Dr. M****** ******* shared a file with you- Essential_Departmental_interview

This email might look like it came from UVic, but in reality it’s a phishing email that leads to a fake CAS login page. Notice how the email threatens you with account deletion if you do not act immediately–the phisher is trying to trigger your fight-or-flight reaction to make you act hastily and do something that isn’t in your best interest. If a message leaves you with a feeling of fear, urgency or panic, try to pause for a moment and take a few deep breaths before you click or reply, then examine the message to see if there are any red flags.

In addition to the urgent and threatening language, other signs that this message is a phish are:

• The sender address: although the email claims to be from UVic, the email came from an educational institution in Poland (probably a compromised account)
• The generic, impersonal greeting
• The link destination: hovering over the link shows it does not go to a site from UVic or Microsoft

If you clicked on the link from this email, contact the Computer Helpdesk or your department’s IT support person immediately, especially if you entered your username and password.

From: University of Victoria <[redacted].edu.pl>
Subject: Action Required – Webmail Account Verification

You don’t often get email from [redacted].edu.pl. Learn why this is important

Dear User,

As part of the update to our Webmail platform for the year 2025, we kindly invite you to verify your account to ensure its proper functionality.

• VERIFY MY ACCOUNT [link]

Please note that all unverified accounts will be considered inactive and will be deleted within 72 hours of receiving this message.

We appreciate your understanding and remain available for any assistance you may require.

Best regards,
IT Support Team University of Victoria

This scam has been circulating recently on campus. It is not a new idea but a variation of the well-known “Piano scam” and “Welding machine” scam.
The scenario is the same – something expensive is donated, and you only have to pay the delivery fee. You send the money, and you never see any piano, welder, or trailer.
They usually pretend to be some UVic faculty or staff, helping a colleague or relative to donate the goods. In this case, they also used the name of a UVic person, which is redacted in the screenshot below.
Please stay vigilant to such offers that sound too good to be true, and if in doubt, consult with your desktop support person or the UVic helpdesk.

Subject: Charitable donation

Dear Faculty/Staff,

I hope this email finds you well. I am writing to inform you that One of our staff at University of Victoria, Ms Monica M. Margaillan, has expressed her willingness to donate her late father’s 2014 Airstream Sport 16′ Travel Trailer. 7000 miles, Sleeps 4. Has a color TV, radio, microwave, propane heater, electric AC/heater unit. If you are interested this airstream Sport, please indicate your interest by sending an email to (<redacted>@outlook.com) to arrange inspection and delivery or pickup with a moving company.

NB: Please write Mrs Monica with your personal email for a swift response.

Sincerely,

<redacted>
Member of the Board
University of Victoria

Attackers do abuse legitimate services like DocuSign to send phish, commit spoofing, fraud or steal personal data.

Take note that the sender address is legitimate, dse_NA4@docusign.net. The body contains a 32 character security code in it, usual for a DocuSign email. If you scroll over the link, it also appears to be on DocuSign’s servers, however this could contain a redirect, sending you to a malicious website or download malware.

Red flags:

• The sender name and email address contained in the body do not match. They are also very generic ie. james wood and mark harry.
• The link contained in the email “_wildcard_.usentden***” is suspicous.
• Grammatical error, the use of a capital letter in the middle of the sentence where it says, “These document(s) are related to the Completed transaction”.
• If you do not recognize the sender, this should raise a red flag.

Reach out to the helpdesk if you have clicked on any links or provided any personal information to fake DocuSign emails like this.

Subject: Approved: See Completed EFT Payment
From: james wood via Docusign

james wood sent you a document to review and sign.
Review Document [by clicking on the review document button]

james wood
markharry[redacted]@outlook.com

These documents are related to the Completed transaction.

You can download these documents by clicking the links below.
_wildcard_.usentden[redacted]

This phishing email pretends to be from Microsoft alerting the user that their UVic email has quarantined messages. You may see variations of this pretending to come from UVic tech support or something to that effect. It uses a false sense of urgency to try and trick you into clicking on the “View Messages” button. They use the Microsoft logo to try appear to be legitimate.

Here are some ways to recognize this as a phishing email:

• Always check the sender address, in this case it was a phishing email address.
• Urgent call to action creating a false sense of urgency.
• The warning message “You don’t often get email from info@***.pe. This is an alert that this sender may be untrusted.
• Poor grammar – “act now to release messages to avoid missing on important message.”

Remember to be cautious and never click on any link unless you are sure it is coming from a trusted source. If you are unsure reach out to the helpdesk or your support person.

Subject: You have high priority messages in quarantine

From: info@[redacted].pe

You don’t often get email from info@[redacted].pe. Learn why this is important.

Action required

• User ID: [redacted]@uvic.ca
• Date and Time Added: 1/13/2025, 9:12:53 PM
• Message ID: 5 incoming messages are being held for your review.

Act now to release messages to avoid missing on important message. [By clicking on View Messages button.]

This grant scam impersonates a Canadian non-profit research organization and specifically targets UVic students by claiming to offer monetary grants to students. The attachment even includes MITACS and UVic logos to make the offer look more legitimate. However, there several signs that this is a scam:

• The email came from a Gmail address–UVic or MITACS would send real grant notices from their organizational email email addresses, not using a free email provider.
• The email says you were specifically selected based on your performance, but the email is addressed impersonally.
• The formatting issues within the email and missing signature block give it a less-than-professional look.
• The attachment directs you to apply by contacting a phone number with an American area code. If you are told to apply by SMS, it’s probably a scam. It also uses language that creates a sense of urgency to get you to act hastily.

If you replied to the scammer, contact the Computer Help Desk or your department’s IT support person immediately for assistance.

From: MITACS GLOBALINK <o*******2001@gmail.com>
Subject: CONGRATULATIONS!

Attachment: [PDF] MITACS STUDENT GRANT SCHEME.pdf

You don’t often get email from o*******2001@gmail.com. Learn why this is important

 

MITACS STUDENT GRANT SCHEME

To whom it may concern _{We are delighted to offer you a grant to support your academic, personal use and research endeavors at University of Victoria (UVic).}

You were selected based on your academic performance and potential to make meaningful contributions in your research aspect.

Find the attached details,

This email tricks the user into clicking the link in the attached PDF. The link opens a Google form and requests the user to enter their username, password and Duo code. In this case the attacker is impersonating UVic payroll.

This one has the usual red flags:

• Take note of the sender email address, it is not from a UVic account.
• The salary increase, if it’s too good to be true, it usually is. 16.89% is far more than a typical yearly increase.
• The password to open the PDF was in the same email.
• There are spelling and grammar mistakes, “here-under” being a glaring one.
• The use of homoglyphs, for example the word “NOTE”, have a look at the O in the example below and see if you can spot it.

If you clicked on the link reach out to the computer helpdesk or your support.

Subject: 16.89% Salary Increase Letter 2024-11-19
From: University of Victoria <[redacted] @***e.edu
Attachment: PDF with file name UVIC Salary- Audit Nov

You don’t often get email from [redacted]@***e.edu. Learn why this is important

Dear Αll,

Sequel to lαst week notificαtion, find enclosed here-under the letter summαrizing your 16.89 percent sαlαry increαse starting 2024-11-19

Αll documents are enclosed here-under:

NΟTE: Your Αccess is needed to go through the sαlαry increment letter, Initiαl Αccess is Salary
Pαyroll & Employee Relαtions

Piano and welder scams are two variations of the same tactic: the scammer claims to offer a large valuable item for free, but then tells anyone who replies that they’ll need to pay to have the item shipped from out of town. At that point, the scammer will provide an email address for a supposed moving company, which will often be from a free email provider like Gmail or Outlook (not exactly a professional look!). That moving company will turn out to be fake–if you contact them to make arrangements and pay them money, you’ll never hear back from them again and never receive the item you were expecting.

The latest batches of these scams are impersonating a real person from UVic to make the offer look more legitimate. Check the sender information and reply address carefully; if the email was sent from or tells you to reply to a non-UVic email address, in all likelihood it’s a scam and not actually from the person it claims to be from. The fact that you are told to reach out using your personal email is another bad sign; that is a common trick used by scammers to move the conversation away from UVic’s monitoring.

Also, in the examples below, the faculty or staff member who is supposedly giving away the piano or welder is actually fictitious. The poor grammar is an additional red flag.

From: [redacted] <[redacted]@optonline.net>
Subject: FREE PIANO DONATION.!!!

Attachments: [three photographs of a black Yamaha baby grand piano sitting on an ornate rug]

You don’t often get email from [redacted]@optonline.net. Learn why this is important

Dear Student/Staff/Faculty,

One of our staff, Mr. Mark Gary is downsizing and looking to give away his late dad’s piano to a loving home. The Piano is a 2014 Yamaha Baby Grand size used like new. You can write to him to indicate your interest on his private email ([redacted]@writeme.com)to arrange an inspection and delivery with a moving company. Kindly write Mr. Mark via your private email for a swift response.

Best regards,

[redacted]
University Advancement
[redacted]@uvic.ca
University of Victoria
https://www.uvic.ca

From: [redacted] <[redacted]@gmail.com>
Subject: Disposal Of Welding Machine And Tools Box

You don’t often get email from [redacted]@gmail.com. Learn why this is important

Dear Student/Faculty And Staff,

One of our staff at University of Victoria Ms Mary Figuerova, Assistant Professor. is downsizing and looking to give away her late dad’s Miller 951937 Dynasty 300 TIG Welder w/ TIGRunner Pkg & Wireless Foot Control, With A Complete Set Of Snap On Tools Box And Accessories.
If interested in any of the equipment  kindly indicate by sending her a mail via your personal email for a swift response.
to indicate your interest in any of the listed items contact her on her private email address ([redacted]@outlook.com) to arrange delivery with a moving company.

Sincerely,

[redacted]
Member Of The Board
University of Victoria

Phishers often try to create a sense of urgency to get people to click the link in haste, and that tactic is on full display in this fake HR email. If you receive an email that claims to be from HR, especially one that seems urgent or feels intimidating, first take a few deep breaths, and then look closely at the email to see if there are signs that it’s fake. This one has quite a few red flags:

• The email did not come from UVic (in fact, the phisher appears to be abusing a compromised account at another university). A real UVic HR email would come from a UVic email address.
• The email was sent to hundreds of people, many of whom were not from UVic. That is a strong sign that this is a non-targeted mass phishing email and not a genuine HR notification.
• The greeting is impersonal, there is no signature block, and the email doesn’t specifically mention UVic.
• Hovering over the link will reveal that it does not go to a page from UVic; it actually goes to a page from a free online form builder.

From: [redacted]@********t.edu
To: [redacted] + 397 more
Subject: October 2024 Staff Report and Individual Assessment

You don’t often get email from [redacted]@********t.edu. Learn why this is important.

Assessment Dear Team,
I am pleased to inform you that the HR Department has recently finalized the Staff Report for October 2024.  It is imperative that you treat this matter with urgency.

Attached below, you will find the relevant file that contains your individual Assessment Report. Please open it to access the information

Click Here [link] To View Report

Thank you for your prompt attention to this matter.

Once again, job scammers are impersonating real UVic professors to target students in need of extra funds to pay for tuition and other necessities. This latest batch isn’t as elaborately written as the last one posted here, but still has some of the usual red flags:

• The email came from a Gmail address. If a job offer comes from or tells you to contact an address from a free email provider like Gmail or Outlook.com, it’s extremely likely to be a scam.
• The name of the sender does not match the signature block. Inconsistencies like that can be a sign that something is not right with the email.
• The scammer may be trying to create a false sense of urgency by saying a student is “urgently required” to trick you into replying hastily.
• The salary is too good to be true–$320 per week for only 8 hours of remote work is well above the typical wage for co-op or other student jobs.
• Although there are no glaring grammatical errors, the wording still comes across as stilted and awkward.

If you replied to the scammer, cease contact and reach out to the Computer Help Desk or your department’s IT support person for assistance.

From: P***** C***** <[redacted]@gmail.com>
Subject: Student Job Opening

You don’t often get email from [redacted]@gmail.com. Learn why this is important.

The service of a student is urgently required to work part-time as a student administrative assistant in the Department of Biology and get paid $320 weekly. This is a remote opportunity and work time is 8 hours in a week.
To apply, please submit your resume to the Department of Biology via this email address to proceed.

Sincerely
Dr. ****** B*****
Professor
Department of Biology
Office: CUN ****