This carefully-crafted spear phish for the most part looks like it could have been written by Jamie Cassels–but of course it wasn’t. One of my colleagues found that the phisher actually copied much of the wording from an April 22 open letter from the president of McMaster University.
If you recall opening the attached PDF, please contact your departmental support staff or the Computer Help Desk as soon as possible.
The CRA has a reference page on how to recognize scams here: https://www.canada.ca/en/revenue-agency/corporate/security/protect-yourself-against-fraud.html
This con is a pure social engineering relying on fear alone and not utilizing any technical means or knowledge.
This phish mentions phishing to trick you into thinking it’s a legitimate email.
However, it goes to a URL that is clearly not a Microsoft site. Notice how the word “Password” has been changed to use special characters to avoid detection by automatic scanners.
The UVic email system did not add the “From a trusted sender” banner. The phisher added this fake banner to make the message look legitimate.
University Systems has received reports of multiple blackmail-related emails targeting UVic users. The email is a blackmail or extortion attempt which includes a previously-used password and threatens that potentially embarrassing information will be disclosed if the fee is not paid, in a certain amount of time. The tone and content of the email is frightening, but the threat is not credible. The senders of the phishing message retrieved the disclosed password by data-mining past breaches of accounts associated with other services such as Facebook, Twitter, Yahoo, LinkedIn and Adobe.
If you have received one of these emails, here are some steps you can take to protect yourself:
This phishing attack mimicked the login page for the UVic Computer Help Desk.
