Payment Confirmation

Always be wary of unexpected or unsolicited emails that contain attachments as they may contain malware. The vagueness and generic nature of this message should be a red flag and may be a ploy to get you to click on the attachment. Since the message does not address the recipient by name and provides no information about the supposed payment, it’s likely that it was a mass mailout and therefore not a legitimate invoice.

If you’re inclined to think that the attachment should be harmless because SVG is an image format, think again! SVG files can actually contain embedded scripts, meaning they can be laced with malware, which is definitely the case for this sample. If you clicked on this attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Vague email claiming to be an invoice but the SVG attachment actually contains malware

From: allen.lopez@o******.com
Subject: Payment Confirmation

Attachment: [Generic file icon] RTVBAS05GDBA09.svg (2 KB)

Payment Received, attached is your invoice.

Phish with excel file attachment

Phish with attached excel file has been circulating this morning. It has different subjects such as “Fwd: Products#<random number> “, “PO# <random number>”, or “Scan#<random number>”

These phishes are being send by many different random senders. Email body is also different but generally mentioning about some payment that needs to be remitted. In any case, the attacker is luring the users to open the attachment so that malware can be installed on the devices.

Please be aware of email attachments and open only the ones you are expecting and being send from a known sender. If still in doubt, always confirm with sender using a known contact information.

Phish with malicious excel file attached.

Subject: PO# W1834414259
Sender: Mariana Benitez <****@minaretmusings.com>
Attachment: scan-28-02-24_591.xlsx

Dear,
Repairs made to both the tire changer and the balancer. 2024 spec updates for the alignment machine.
Your invoice-RCH224-735 for 2,560.31 is attached. Please remit payment at your earliest convenience.
Thank you for your business – we appreciate it very much.
Please make payable to our company.

“Hello!” or “Greetings!” job scam email

These job scam emails appear to have come from compromised accounts at another Canadian university. Always evaluate whether the content of the email looks legitimate, even if it came from what would normally be a reputable source (even if it came from within UVic!).

This email has many of the typical signs of a job scam:

  • The email directs you to reply to an AOL email address from your personal email. If you are asked to apply to a job by contacting an address from a free email provider, in all likelihood it’s a scam. The request to shift to personal email is a tactic to shift the conversation to a place that UVic can’t monitor.
  • The salary is too good to be true.
  • There are no details about what the job involves.
  • There are grammatical errors including mistakes in capitalization.
  • The email claims to offer a job with the World Food Programme, but they did not send the message and the name of the contact person doesn’t match the name of the sender of the email.

If you replied to the scammer, contact the Computer Help Desk immediately for assistance.

Job scam email claiming to offer a generously paid part-time job with the World Food Programme

From: [redacted]@**********.ca
Subject: Hello!

I am sharing job opportunity information to anyone who might be interested in a World food programme Part-Time job with a weekly pay of $600.00. If interested, kindly contact Dr. Mattias on his email address. b******b@aol.com for details of employment.

You can contact him from your private E-mail address only.

“Work-Study Opportunity” and similar job scam emails

These job scam emails are very similar to previous ones we’ve written about. Scammers are continuing to try to take advantage of students’ financial need by offering a relatively generous amount of pay for a small amount of remote work.

Other red flags:

  • The email came from a Gmail address. A real UVic job offer would come from a UVic email address. Job offers sent from addresses from free email providers are typically scams.
  • The name of the sender doesn’t match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of a scam.
  • The scammer wants to shift the conversation to Google Chat. This is a common tactic to move the conversation away from UVic email to evade monitoring.

As always, if you replied to this email, contact the Computer Help Desk immediately for assistance.

Job scam email impersonating a UVic geography professor, sent from a Gmail address

From: Nwabueze Ekene Precious <[redacted]@gmail.com>
Subject: Work-Study Opportunity

The service of a student is urgently required to work part-time as a student assistant and get paid $250 weekly. Tasks will be done remotely and work time is 8 hours/week. To apply, kindly submit your resume and a Google chat email address to the Department of Geography via this email address to proceed.

Sincerely
D***********
Professor
Department of Geography
Office: [redacted]

Please find the attached

Just because a message appears to come from within UVic doesn’t necessarily mean it actually did. This example actually came from an external source but spoofs a UVic sender address.

Always be wary of unsolicited or unexpected emails that contain attachments since the attached file may contain malware, as is the case with this email’s ZIP attachment. The brief, vague message body that gives no indication of what the supposed documents are about is an additional red flag. If you clicked on the attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Vague email with a spoofed UVic sender that contains a malware-laced ZIP attachment

From: *******@uvic.ca
Subject: Please find the attached

Attachment: [ZIP file] Docs.zip (3 KB)

Please find the attached documents.

Thanks.
Khelmer

You have got an urgent message from The University of Victoria

This targeted phishing email takes the unusual step of asking you to send a text message to a phone number. Trying to quickly shift to a different communication method is often a red flag; phishers (and scammers) do this to move the conversation to a place that UVic can’t monitor. Real UVic communications will never ask you to send a text message to upgrade/keep/secure your account, and the fact that the phisher is using a phone number with a New York City area code is a further sign that the email is not legitimate.

Other red flags include:

  • The email was sent from a Gmail account. Note how the email system has added a warning that you don’t often get email from this address; this can be a sign that the sender is not someone you know already and may not be trustworthy.
  • The greeting is impersonal.
  • The email threatens you with an adverse impact to try and get you to act hastily.
  • There are a few grammatical errors and awkward wording choices.

If you texted the phone number in the email, disregard any instructions in any replies you receive and block the phisher’s phone number. You will also need to keep an eye out for future attempts to phish or scam you via SMS or phone calls as your phone number would now be in the hands of someone malicious.

Spear phishing email claiming to be from UVic when it actually came from a Gmail address. Instead of including a link, it asks you to text an American phone number.

From: ke*****1280@gmail.com on behalf of University of Victoria <g1*****+UniversityofVictoria@gmail.com>
Subject: You have got an urgent message from The University of Victoria

[You don’t often get email from g1*****+universityofvictoria@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification]

Dear User,
This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send your “UV-UPGRADE” to (646) ***-****

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.
Please accept our apologies for any inconvenience this may cause.

Regards
System Administrator
University of Victoria

Request for refund

This phish was received by many UVic mailboxes this morning. It seems to come from a UVic address, but there is no such address – it is spoofed by the external sender. They set however an external “reply-to” address. Please do not reply with anything and do not open the attachment. The zip contains a malicious file loaded with trojans.

Hello!

I hope this email finds you well. I am writing this mail to inform you that the item i purchased has been damaged.
if i wish to return it and get a refund, i would like to know the procedure. I tried contacting the phone number, but
none of my calls was answered.

I would appreciate it if you could look into this and get in touch with me as soon as possible.

Attached is the proof of the damaged item.

Thanks.

Peterson Webley..

 

Please confirm receipt..

Always be extremely wary if you get an unsolicited email with a ZIP attachment, especially if the sender address isn’t one that you recognize. There’s a good chance the attachment contains malware, and that holds true for this example. The vagueness of the message and poor grammar are also red flags.

Do not click on the attachment–if you did, contact the Computer Help Desk or your department’s IT support person immediately! Also, do not forward these sorts of emails, even if your intent is to warn others, because forwarding the message inline will leave the attachment exposed where someone else can mistakenly click on it (it’s safer to send a screenshot instead).

Malicious email containing a malware-laced ZIP attachment.

From: ga******@******group.com
Subject: Please confirm receipt..

Attachment: [ZIP file] 87645345.zip (4 KB)

Hello,

Please acknowledge upon receipt of my today payment.
via (e-transfer)

Thanks

Irene Cordero.

You received a new Voice_message Phish

This phish has been making its way around many Canadian higher education institutions. It’s an email messaging asking to click on a link to listen to a voicemail message.

The ‘This Message has been scanned by antivirus and its safe’ messaging is a commonly used hook to make the email appear more legit. Other tricks the attacker is using here includes using a sender name spoof of ‘VoiceMail’, including the recipient email address as an ‘ID’, and including a nearly current date and time. The phishing email also attempts to convey urgency by stating the message will be deleted soon.

Some clear signs that this is a phish are that the sender is not from uvic.ca, and if you hover over the ‘Listen’ link (or long press on it on a mobile device), you can see it does not go to a uvic.ca website.

As usual, we recommend reporting phishing messages and deleting them. If you did click the link – even if you didn’t enter credentials – please change your passphrase and advise your IT support so they can check your device and advise Information Security to look for anything suspicious on your account and device.

 

STMicroelectronics Ltd Looking for representative in your area

Job scams have become common these days, trying to attract victims looking for part-time jobs to support themselves, especially in today’s tough financial times. Scammers take advantage of prospective candidates/victims by offering higher than expected pay for the amount of work required. If an offer is too good to be true, then probably it is.

The following job scam impersonates STMicroelectronics, offering a part-time job for enormously high pay. No matter what type of job scam it is or which organization is impersonated, the questions to ask yourself to spot these scams remain the same:

  1. Why are you receiving this email? Did you even sign up with this organization to send you job offers or did you ever apply with this organization? Try to think of a plausible explanation as to why did you get this email, if you don’t know then it is a scam.
  2. If you still somehow think of a reasonable reason to go beyond the first point, then look at the senders email address, which domain (domain is the part of the email address after the symbol “@”) is it coming from? Is it coming from the same domain as the organization claiming to send this job posting? Like, in this case, the domain should have been st.com but the sender email address is coming from a different one. One way of finding the real domain of an organization is to do a google search about it.
  3. Salary offered is also one of the strong indicators of spotting a scam. Generally, the salary offered would be much higher than the minimum wage for less amount of work than a regular part-time job. Why are they offering such a high salary? Obvious answer is, to scam you.
  4. Try reading the job description, are you able to make sense of what type of position is being offered? Usually, it is described in a very ambiguous manner, just giving you enough that it sounds like some job but not what the job is. And they ask you to reply with details first before revealing any more details. Should you be applying for a job where you don’t know what the job is?
  5. Generic salutation which is a sign of mass send email to unknown recipients, which further translates to whoever will take the bait. This ties back to the question in the first point, is there a legit reason for you to be receiving this mass send email? If not, it is a scam.
  6. Grammatical and spelling mistakes could be intentional by the scammers to dissuade the people who won’t eventually fall for the scam. If someone proceeds without spotting these mistakes would be their potential victims whom they can easily persuade. Sometimes these minor errors are made to make the email relatable or believable as humans are prone to errors. Should a legit job posting have such errors, especially coming from large organizations, wouldn’t it have been proofread?
  7. As is common with scams, they are always urgent. You need to urgently take action, as the people hiring are in urgent need. Such urgency is called upon so that victims don’t have time to think or question the legitimacy of the process. But you should always question yourself before being hasty, always allow yourself time to think before its too late.

Here’s hoping that the above questions would give you perspective on how to judge the legitimacy of job offers and easily spot job scams. If you replied to this scam, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Job scam impersonating STMicroelectronics offering too good to be true with subject "STMicroelectronics Ltd Looking for representative in your area".

Subject: STMicroelectronics Ltd Looking for representative in your area
Sender: Robert Smith <****@spcc.edu.hk>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Greetings,

Do you presently live in USA, CANADA or UK and would like to work part-timely from home? Then this is the opportunity you have been waiting for. Come join hundreds of our company representatives and you can earn $1000-$3000 weekly.

STMicroelectronics Ltd urgently requires reliable persons/companies who can act as RECEIVING OFFICERS for us from any of the above mentioned countries. He/she will act as a medium between our customers and us in their established area.

IMPORTANT NOTICE:

Please note that this service is based on part-time and will not affect your present job. Kindly reply with your full details as soon as you receive this notification.

Announcer,
Mr. Robert Smith
Human Resources Dept of STMicroelectonics Ltd
http:****

A view into a fake job scam

Scammers routinely attempt to target students with job scams, taking advantage of those trying to make ends meet or pay tuition and rent with a seemingly-attractive job offer.  In reality, the victim is asked to deposit a fake cheque and immediately send an e-transfer from their personal banking account.  Given the cheque is fake, the victim will see the deposit cancelled/reversed by the bank, and they will have lost their own personal funds.

Recently I had the opportunity to play the role of the victim using a persona configured for this purpose.  The following are some screenshots of SMS messages and emails that give insight into how the attacker works and how a victim might be fooled into giving up their hard-earned personal funds.

Note that some details have been redacted.  Also, do NOT try this yourself.  This is posted for educational purposes only.

A recent phishing attack included form fields for username, password, and cell phone number.  For this attack, a fake username and password were entered, as well as a temporary phone number from a SMS app.  A couple weeks after the data was entered into the form, I received a text at that temporary number.

 

The attacker tries to pivot off of @uvic.ca email so that the information security team can’t discover or block the fraudulent activity.  The use of SMS is also a common tactic for scammers to move the conversation off university infrastructure.  I had to quickly create a new Gmail address to engage with the scammer.

In my brand new Gmail account, I receive an email about the job offer.  “Mark” is careful to make sure I know why I won’t be interviewing in person (or by Zoom) just to make sure I won’t ask questions.  I carefully read the email, and then I respond with the requested information (plausible, but fake answers, knowing that Mark wouldn’t actually read them or care about them).

Date: January 19! , 2024 Hello Garry Zebaurelios I would like to apologize about our unseemly approach if this interview conducting method is unprofessional to you or if you are new to all this, but we believe the world is always advancing and so it is important to stay on top of things as change is inevitable. This is going to be a chat interview as a result of the bulkiness and complexity of the messages and I believe you are ready for the job briefing. Concerning the Personal Assistant Job that you have applied for. I am glad to congratulate you as your position has been confirmed. So sorry we couldn't meet up before you get started with work as I am presently away on a business trip in Australia running some network programs. I will be back to the states in 3 weeks or less, but be rest assured that you can officially get started. As soon as I have arrived we can discuss more issues. I really need the helping hand on my daily schedules. Working remotely as Part time/Full time Personal Assistant. NB : There will be no Interview till I'm back in person. Duties and Responsibilities: * Donations * Schedule Meetings * Booking Travels and Accommodations * Perform Market Research Where Applicable * Purchase Supplies First Task: However, your first tasks for this week will be as follows. You will be booking a reservation for some of my guests for an upcoming event which is taking place next week. Further instructions as to how to make the reservations will be forwarded to you before the end of the week. However, the funds to book for the reservation plus your payment for your first task will be sent to you via a cashier's check. Any other task arising will be duly communicated to you also. So I'll need you to be on-time and prompt with your response to my mails. * Firstly I would like you to attach a copy of your resume. * Your Full Name that will be on the Check Payment(First and Last Name) * Do you have an existing savings/checking account where you will deposit your check? (If YES What's the bank name) * Reconfirm your present local address for mail delivery. * What is your Mobile # that receives text messages? * Do you know how to initiate a mobile deposit? * What is your mobile daily deposit limit? Kindly make sure you acknowledge this email as that will re-confirm your readiness and willingness to proceed. Make sure to constantly look at my email and will be on stand-by to receive future instructions. I will be expecting your prompt response to my email in order to attest to the receipt of my messages. Thank you. Regards mark begger

 

And there it is!  I’ve gone through the very difficult interview process and have now become Mark’s employee.  And I’m really looking forward to my 401k (a US financial instrument, even though I’m Canadian), multiple employment benefits, and a sign-on bonus!  All for $450 per week.  Time to quit my CISO job for the lucrative opportunity….

 

Of course, I have to be polite and let Mark know how excited I am.  I wonder if he knows how “schmincere” I really am.

 

I am soooooo ready for the first task as my boss’s new personal assistant.

 

 

Amazingly, Mark emails me instructions on how to do a mobile deposit for the fake cheque using two devices.  The support and instruction is superb for a new employee.

 

While I review the instructions, Mark pretends to have the bank endorse the cheque, so that I will be more comfortable doing the mobile deposit.  Knowing the bank has blessed it makes me feel so much better.  And of course, he gives me some great instructions on how to deposit, just so I get it right.  Maybe Mark has worked at a help desk before.

 

Here is where it get’s even more interesting.  Mark emails me an image of a cheque from Royal Bank (I had indicated in my job application that I banked at Royal Bank).

The cheque appears to be plausible, if not legitimate.  The transit numbers were validated using an online bank routing database, and matched the branch address information on the cheque.  The names and address of the people on the cheque seem to be real, or at least based on a real person, from what I could tell from a searches of Google and Google Maps.

For most people, this look like a legitimate cheque… except that it’s a picture of a cheque, not a paper one.  (Note that I’ve reported this to Royal Bank.)

 

Now that I have some interesting information from Mark, I wanted to play a little and see if he noticed I was on to the scam.  I don’t think he picked up on the confirmation number I received when I “deposited” the cheque.

 

Mark’s name shockingly didn’t match the names on the cheque, so of course I had to see what reason he would give for that…

 

Mark still hasn’t told me what kind of business he is in, so I ask him, and of course it doesn’t even match the kind of business mentioned on the fake cheque.  Clearly he doesn’t want to share lots of detail, and he has an urgent job to do.  He provides me the name and email address to which I need to send an e-transfer.  (I’ve reported this to Interac support for their awareness and action.)

 

We suspect this threat actor is possibly of Nigerian origin, based on some past activity.  I decided to see if Mark would get another hint that I knew it was a scam, by mentioning Black Axe, which is a notorious Nigerian crime organization.

 

Mark is too busy for small talk and personal chatter.  I dropped another hint for him.  Air Lords are another known Nigerian criminal organization.  Perhaps Mark isn’t familiar with them, or maybe he’s not really reading what I’m saying.

 

Earlier Mark had sent me the name and email address of the person to whom I was supposed to send the e-transfer.  I looked up the person’s name on social media, and came back with several results, with multiple profiles indicating they lived in a particular town in Nigeria (surprise!).  So, I used that town name as a confirmation code.  I wonder if Mark started to suspect something…

 

I think he’s on to me….

Mark and I eventually got tired of each other, and the conversation ended up dwindling after nearly 24 hours.

Hopefully this gives some insight into how someone could become a victim of such a scam and how the scammer tries to extract money from victims.

Uvic Mandatory Multi-factor Authenticator

While it’s true that we are requiring everyone to enrol in UVic MFA, this email is not legitimate and is a case of quishing (QR code phishing). Here are the signs that this email is fraudulent and the QR code is not safe to scan:

  • Although the sender name mentions UVic, the email actually came from an external email address.
  • UVic is capitalized incorrectly and there are some wording errors in the message.
  • The email instills a sense of urgency by threatening expiry within a very short period of time, which is an attempt to trick you into acting hastily. Genuine emails of this nature will usually give you multiple notices well in advance of the deadline.
  • The email contains a QR code. Legitimate QR codes for MFA setup will never be sent by email. If a QR code is in an email, it’s usually because the scammer is using it to disguise a malicious link.

First half of MFA-themed quishing email - includes external sender and urgent language

Second half of MFA-themed quishing email - contains a malicious QR code that should not be scanned

From: Noreply_Uvic <greatfoob@grumpy******.ca>
Subject: Uvic Mandatory Multi-factor Authenticator
This message was sent with high importance.

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Microsoft Authenticator icon]

Microsoft 365 sign-in for multi-factor authentication

  • The multi-factor authentication for is set to expire within 24 hours.
  • Scan the barcode below to reauthenticate your multi-factor authentication within 24 hours and stay connected to Microsoft 365 apps and services.

[Malicious QR code]

Contact Microsoft help desk if you have any questions.

This email was sent from an unmonitored mailbox.
You are receiving this email because you have subscribed to Microsoft Office 365.
Privacy Statement
Microsoft Corporation, One Microsoft Way, WA 98052 USA
Microsoft

STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of

Salary Adjustment Letter

This phish is circulating today. The sender address is spoofed. It has a domain in Germany and the username can be your own netlinkID.  The display name of the sender pretends to be “UVic HR department”.

Please do not open attachments from unknown senders. They may contain malware,  links to malware loaded web pages or links to fake login pages.

Transcript:

 

Hi <your netlink>,

HR Dept. shared a new file “Uvic 2024/25 Salary Adjustment Letter.pdf” with (yournetlink@uvic.ca) via SharePoint for your urgent attention.

 

Kindly click the Get Your File button below to access it.

 

GET YOUR FILE

 
Report to SharePoint © 2024 SharePoint

 

 

 

 

 

Work-Study Opportunity

Yet another job scam is circulating today. As always, impersonating a real UVic professor to make the job offer look legitimate.

Here are some of the red flags:

  • The email comes from a Gmail address. Emails about real UVic job offers should come from a UVic email address.
  • The salary offered is too good to be true, that too for a part-time job.
  • The email requests your Google Chat email. Scammers often request alternative contact information to evade UVic detection.
  • The sender name does not match the name of the professor supposedly offering the job.

Never reply to such scams, always look for warning signs before taking any action. If you did reply, please stop any further conversation and reach out to helpdesk for assistance.

Job scam with subject "Work-Study Opportunity" impersonating UVic professor.

Subject: Work-Study Opportunity
From: Vania Smith-Oka <****@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

The service of a student/graduate student is urgently required to work part-time as a Research Assistant and get paid $400 weekly. Tasks will be carried out remotely, and work time is 8 hours/week.
If interested, submit a copy of your updated resume and functional google chat email address to the Department of Psychology via this email to proceed.

Sincerely
[impersonated professor name]
Assistant Teaching Professor
Department of Psychology
Office: COR ****

Tremendous Growth Opportunity!!!

If a job offer comes your way claiming to be too good to be true, it probably is. This job scam offers too good a salary for number of hours required for the job. Email doesn’t even mention the name of the post or the organization offering the job. The job description is too vague.

Even if the phish is being sent from an internal address doesn’t necessarily means it is trustworthy, one still needs to pay attention to the phishing signs as the sender address could be spoofed.

Always think and look for red flags in an email before taking any action. Whenever in doubt contact helpdesk.

 

Job scam phish with subject "Tremendous Growth Opportunity!!!", that also has phishing link to steal the credentials.

Subject: Tremendous Growth Opportunity!!!
Sender: [redacted sender name]

Looking for a candidate who is detail-oriented and capable of managing flexible tasks at any given time. To help deliver essential products and services to Students and educational workers with disabilities, frustrated with ignorance and lack of moral and other services, receiving, and purchasing Items for foster home, donating to foster home every month etc.

Job Offer Details:
This position will be home-based and flexible part time job, You can be working from home, School or any location, but you are required to cover a maximum 7hrs/week.

Employment Type: Part-Time Personal Assistant
Location: Remote Base
Hours: 7hrs per week
Weekly Payment: $350

Copy and paste the URL Below into the address bar of your web browser for more details

[redacted phish link]

Thank You.