“Staff/Student Support Program” / “University Support Program” / “Assistance Program for Employees”

This phish makes a tantalizing offer of up to $3,500 in financial assistance to tempt people to click on the link. However, the form that appears is a phishing site that first requests your username and password, and then tries to defeat MFA by telling you to be ready to confirm the login on your device.

The email is better written than most phish, but there are still a few red flags that indicate that this offer is not genuine:

  • The email did not come from a UVic email address
  • The signature is generic and impersonal
  • The message does not mention UVic anywhere–there is only a generic reference to “the University”
  • Hovering over the link reveals that it goes to a non-UVic website

If you clicked on the link, contact the Computer Helpdesk or your department’s IT support staff immediately for assistance.

Phishing email claiming to offer up to $3500 in financial assistance to staff and students


From: [redacted]@[redacted].us
Subject: FW: University Support Program

You don’t often get email from [redacted]@[redacted].us. Learn why this is important.

In response to the economic challenges we’re all facing, I’m excited to announce the launch of a Financial Support Program designed to help both staff and students at the University.

PROGRAM DETAILS:
  • Start Date: October 8, 2024
  • Eligibility: All university staff and students
  • Financial Assistance: Up to $3,500 per eligible applicant
  • Duration: Program available through December 31, 2024

We understand how overwhelming these times can be, and we’re committed to providing support where it’s needed most.

HOW TO APPLY:
  1. Visit the Support Program [link] webpage.
  2. Follow the simple step-by-step application process.
  3. Ensure all required information is submitted.

If you think this program could benefit you, don’t hesitate to apply! We hope it brings some relief and reassurance.

Sincerely,

Employers Support Services

“Part-Time job” or “Dear user”

UNESCO job scams are making the rounds once more. Here are the signs that the job offer is not legitimate:

  • The emails did not come from UNESCO or the UN (the scammer seems to have abused compromised accounts belonging to a national government).
  • The emails tell you to contact a different address on Outlook.com. Job offers that tell you to apply by contacting an email address from a free email provider are very likely to be scams. Also, it’s suspicious that they did not provide a full name for the contact person.
  • The message contains awkward wording and poor grammar.
  • The salary is likely to be too good to be true for part-time remote work, especially if there turns out to be no interview or no knowledge/experience requirements.

We also recommend you check out our other posts on job scams for additional tips.

If you contacted the scammer, reach out to the Computer Help Desk or your department’s IT support staff immediately for assistance.

UNESCO job scam directing users to apply by contacting a suspicious Outlook.com email address.


From: [redacted]@****.gov.m*
Subject: Part-Time job

I am sharing job opportunity information to anyone who might be interested in a paid UNESCO Part-Time job with a weekly pay of $750.00. If interested, kindly contact  Sarah on her email address. ([redacted]@outlook.com) for details of employment.

N.B, this job is strictly a work from home position.

Microsoft Order Scam Emails

Some scammers are using Microsoft SharePoint sites to send scam emails that appear very legitimate. The emails are very similar to legitimate emails from Microsoft: they do not have any malicious links and appear to come from Microsoft. The scammers want you to call the support number in the email and will then attempt to compromise your computer or steal money.

One red flag is whether you are expecting this email or not; however, it is possible you have a personal M365 subscription matching the information. Microsoft advises they do not include support phone numbers in emails to clients. For emails where you are not sure and want to contact the company in question, it is best to look up the contact information on the company’s official website.

Delete or report these emails as phishing; do not call the scam numbers. If you did call the number, please contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Email appearing to be from Microsoft about an order for Microsoft 365 Business Premium costing $792 USD. The email includes a 'Sales Team Helpline' phone number (redacted) and an address.
Phishing / Scam email with a malicious phone number (redacted).

Transcript:

Subject: Your Microsoft order on September 23, 2024

Email body:

Thanks for your Microsoft order
Thanks for your order on September 23, 2024.

You can manage your subscriptions in the Microsoft 365 admin center.

Go to Microsoft 365 admin center (link to admin center).

Billing information Order Id
Sales Team Helpline : 1-(818) redacted
Billing profile:
redacted SE Saint Andrews Dr
Portland, or, 97202-9015 b28b3f74-1a22-4def-c96e-cca1dafb8ee7
Table with
Global Microsoft 365 Business Premium, quantity 1, price $792.00 USD
Subtotal $792.00 USD

Goglobal Payroll Policy Update

We have identified a phishing attempt that pretends to be from UVic HR, using urgency to trick recipients. The email contains a PDF attachment that includes a button leading to a fake login page. The goal is to steal your UVic credentials.

These emails often come from external addresses, but malicious actors can spoof internal addresses too. Do not open the PDF or click any links. They may contain malware to infect your computer instantly.
Our experts are investigating these threats in isolated environments.

Here is a screenshot of the message:

and transcript of the message body:

Important Employee Handbook and Payroll Update
Please be informed that there are critical updates to the Employee Handbook and Payroll process.
It is essential that you review these updates to ensure you are aware of the latest company policies and payroll information.
Regards.
University of victoria HR

Students seeking Jobs should check below

With students back on campus, these kinds of scams will continue to target them. Most of the emails with the subject “Students seeking Jobs should check below” were properly identified by the antispam filters and ended up in the junk folders of Exchange mailboxes.

These emails typically contain a short text in the body of the message, while the actual scam is in an attached text file. The body may look like this:


These emails may come from different sender addresses (typically Gmail).

The text file contains a rather long description of the “job and benefits,” which includes typing mistakes and, as usual, sounds too good to be true.

Please do not reply to such scammers (even for fun!). If in doubt, ask the helpdesk or your supervisor.

The transcripts of the body of the email and the attachment are listed below:

 

University Of Victoria has resources in place to help you succeed in your career and your relationships. work for $(four Hundred weekly and study. If interested, see attached
Regards.

the attachment:

Greetings’..

I am Dr. Alvin Sanders… And I work with Workforce Innovation and Opportunity Act (WIOA) replaces the Workforce Investment Act of 1998 (WIA) by amending the law to strengthen the United States workforce development system through innovation in, and alignment and improvement of, employment, training, and education programs in the United States, and to promote individual and national economic growth, and for other purposes. The law provides the framework for a national workforce preparation and employment system designed to meet both the needs of the nation’s businesses and the needs of job seekers and those who want to further their careers. WIOA reforms current federal laws governing programs of job training, adult education and literacy, vocational rehabilitation, and youth, making services more universally accessible and more flexible components of workforce development systems.

The system offers access to services that encompasses assessments/skills needs, job search, job placement, labor market information, individual employment planning, educational and career counseling, occupational skills training, skill upgrading, internships and work experience, job readiness, adult education, and literacy and High School Equivalency (HSE) programs for adults and out-of-school youth free of charge. And we are running a promotional program at the moment which gives room for more individual to Apply and work with us while we make sure this offers circulated among all who needed to know about us.

I Considered this email reach out to you through the consent of University Office for Students in extension of an offer to work with me as my Virtual Personal Assistant (Dr. Alvin Sanders)

JOBS DESCRIPTION:

This job is really straightforward And is currently available online as WORK-FROM-HOME REMOTELY JOB. As my personal assistant you may be required to provide General personal assistance which may include any of the mentioned below:
*Acting as a liaison between the employer and other parties, including clients, vendors

*Handling and responding to emails

*Running personal errands such as shopping and arranging deliveries.

*Recording expenses, organizing receipts, and preparing expense reports.

*Providing support for personal tasks such as managing bills, organizing personal finances, and researching personal interests.

*And lastly. Any other tasks or projects assigned by the employer to support their professional or personal life. Meanwhile the working hours are flexible and fully remotely, the pay is $399/Weekly and working hours are 1 to 3hrs a day and 3days working hours bi-weekly

BENFITS:
Hybrid work policy with up to two days work from home
College-issued laptop for hybrid work
Adjusted hours for summer months, fall and spring breaks
Offices closed between Christmas and New Year’s
Generous vacation and personal time off
In addition to the benefits(for example health insurance, life insurance, TIAA, tuition-exchange), the college also provides the following perks:
I am presently monitoring other operations around the states so I am unable to meet up for the interview. For every assignment, you will receive payment in advance (AUTOMATIC 1 WEEK UPFRONT, $399). We will talk about the possibilities of turning this into a long-term job when I return if I am pleased with your services during my absence. I’m expected to arrive during the final week of October 2024.

Note: Please make sure that all of the information you submit is correct. If you are under the age of eighteen or do not have access to a real bank account, your application may not be accepted. If your application is approved, you will receive a confirmation email and will also communicate with us via text and email.
Below is the Application process. Thanks

If interested, please apply below, and send your student ID, full name, major, address, best contact
number, and alternate email. Please be aware that Junior and Senior students will be considered with
priority at this time.
To apply, email the requested information to
<redacted>

 

Part-Time job. [UNESCO job scam]

A job scam impersonating UNESCO has been circulating over the weekend.

Please read the following post to learn how to spot such scams and what to do next if you have fallen for one:

Part-Time job.

Job scam impersonating UNESCO organization with subject "Part-Time job." and attachment with name "UNESCO.docx".

From: [redacted sender address]
Subject: Part-Time job.
Attachment: [Word document icon] UNESCO JOB.docx

You don’t often get email from [redacted sender address] . Learn why this is important.


Job opportunity information to anyone who might be interested in a paid UNESCO Part-Time job with a weekly pay of $750.00. If interested, kindly contact Schulz Niels on his email address. ([redacted]@outlook.com) with your alternate non-educational email address I.e., Gmail, yahoo, Hotmail etc.) for further details of employment.

N.B, this job is strictly a work from home position.

Salary Adjustment Acknowledgement

In this targeted phish, the phishers use the appeal of a salary increase to get you to open the PDF and click on the link inside it. Red flags to watch out for:

  • The email did not come from a UVic email address.
  • The greeting is impersonal.
  • There are errors in spelling, punctuation and grammar. If you are very sharp-eyed, you might also notice that lowercase a’s have been replaced with the lowercase Greek letter alpha.
  • Official university emails would not use difficult-to-read light green text.

If you opened the attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.
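The alpha-for-a substitution noted in the red flags can also be caught mechanically. The following Python code is an added example, not part of the original post or of any UVic tooling: it flags words that mix Latin letters with another script and maps them back to a Latin skeleton so that ordinary keyword matching works again. The sample lines reproduce excerpts of the message quoted in this post using explicit escapes, and the four-entry look-alike map is a constructed subset, not the full Unicode confusables table.

```python
import re
import unicodedata

# Constructed subset of look-alike mappings covering only the letters seen
# in this phish. The complete table is published with Unicode UTS #39.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0391": "A",  # GREEK CAPITAL LETTER ALPHA
    "\u039f": "O",  # GREEK CAPITAL LETTER OMICRON
}

# Runs of letters in any script (word characters minus digits and "_").
WORD_RE = re.compile(r"[^\W\d_]+")

# Excerpts of the phish quoted in this post, written with escapes so the
# substituted characters are visible in the source.
SAMPLE = (
    "De\u03b1r Empl\u03bfyees,\n"
    "I \u03b1m h\u03b1ppy to let you kn\u03bfw that y\u03bfur salary "
    "increase has been appr\u03bfved.\n"
    "St\u03b1rting from 26 July 2024, your s\u03b1l\u03b1ry will be "
    "incre\u03b1sed\n"
)


def script_of(ch):
    """Approximate a letter's script from the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_latin_skeleton(text):
    """Replace known look-alike letters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def find_mixed_script_words(text):
    """Return (word, scripts, skeleton) for words mixing Latin with another script.

    Words written entirely in one script (for example genuine Greek text)
    are not flagged; only a mix inside a single word is treated as suspicious.
    """
    findings = []
    for match in WORD_RE.finditer(text):
        word = match.group()
        scripts = sorted({script_of(ch) for ch in word})
        if "LATIN" in scripts and len(scripts) > 1:
            findings.append((word, scripts, to_latin_skeleton(word)))
    return findings


if __name__ == "__main__":
    for word, scripts, skeleton in find_mixed_script_words(SAMPLE):
        print(f"{word!r:16} scripts={'+'.join(scripts):12} reads as {skeleton!r}")
```

A mail filter or triage script would run the skeleton form through its usual keyword rules and treat a high count of mixed-script words as a signal in its own right.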

Salary increase themed phish with a PDF attachment that specifically targets UVic


From: University of Victoria <*******@*******n.edu>
Subject: Salary Adjustment Acknowledgement
Attachment: [PDF icon] UVIC-protected.pdf [59 KB]

You don’t often get email from ********@*******n.edu. Learn why this is important.

Deαr Emplοyees,

I αm hαppy to let you knοw that yοur salary increase has been apprοved. We appreciate yοur hαrd wοrk and dedicαtion to The University of Victoria, and this αdjustment reflects yοur cοntributions appropriately.

Stαrting from 26 July 2024, your sαlαry will be increαsed by 16⋅82 percent.
This αdjustment αcknοwledges yοur effοrts and αligns with our cοmmitment to recοgnizing αnd rewαrding our vαluαble emplοyees.

NΟTE: Your Αccess is needed to go thrοugh the sαlαry increment letter, Initial Αccess is Salary

We lοk fοrward to yοur cοntinued successful input at The University of Victoria

Pαyrοll & Emplοyee Relαtiοns

Part-Time job.

Job scams impersonating UNESCO and other UN agencies are something we see on a regular basis. By offering a generous salary for only a few hours a week of simple remote work tasks, these unscrupulous scammers prey on students looking for extra money to cover the cost of tuition, rent and other necessities. The red flags in the email message are the usual ones:

  • The email did not come from a UNESCO or UN email address, nor did it come from a UVic sender.
  • The salary is too good to be true for part-time remote work.
  • The email contains grammatical errors and awkward wording.
  • You are told to send replies to an Outlook.com email address. If a job offer asks you to contact an address from a free email provider, there is a very high chance that the offer is a scam.
  • You are asked to reply from your personal email address. Scammers do this to shift the conversation away from UVic’s email security controls and avoid detection.

If you contacted the scammer, reach out to the Computer Help Desk or your department’s IT support person immediately for assistance. If you opened the attachment, update your computer’s antivirus and perform a full scan as a precaution.

If there is no job interview before you’re accepted into the position, or you never get to meet your supposed employer (either in person or by video call) before you start working, that is a very strong sign of a job scam. If any of the following occur, do not proceed!

  • You are told to share your UVic or other login credentials–never share those with anyone!
  • You are asked to purchase gift cards, then send photographs of them with the PIN revealed. Don’t do this even if you were given a cheque beforehand–that cheque will probably bounce and you’ll lose the money used to purchase the cards.
  • You are given a cheque to deposit in your account and told to send part of the amount to someone else. This may be a cheque overpayment scam (the cheque you received would eventually bounce, meaning the money you sent would come from your own funds), or the scammer may be trying to use you as an unwitting money mule to launder money.

A UNESCO job scam email from a non-UNESCO sender.


From: N****** <[redacted]@quadro.net>
Subject: Part-Time job.
Attachment: [Word document icon] UNESCO JOB (1).docx

You don’t often get email from [redacted]@quadro.net. Learn why this is important.


Job opportunity information to anyone who might be interested in a paid UNESCO Part-Time job with a weekly pay of $750.00. If interested, kindly contact Cargill on his email address. ([redacted]@outlook.com) with your alternate non-educational email address I.e., Gmail, yahoo, Hotmail etc.) for further details of employment.

N.B, this job is strictly a work from home position.

Yamaha Piano donation

If you get an unsolicited email that offers to give away something valuable for free and it’s not from someone you know, it’s probably too good to be true. This is very likely to be the case when someone says they are giving away a late family member’s grand piano–emails of that sort are a common scam. Some versions may even attach photos of the supposed piano, but they’re probably stock images or ripped off of somebody else’s listing. If you are told to reply from personal email or a different communication method, that is a red flag as well; scammers do this to move the conversation away from UVic email to avoid detection.

If you reply to indicate you’d like the piano, you’ll be told to contact and pay a “moving company” to ship the piano from out of town, but the moving company will turn out to be fake and you’ll never receive a piano after you’ve paid up. In general, it’s extremely risky to pay a random person or moving company for a piano (or other item of value) sight unseen; the item may not actually exist or not be what you were expecting.

Watch out for versions of the scam that impersonate real people at UVic. If the email was not sent from a UVic email address, or you’re instructed to contact an email address that is not from UVic, you can be certain the email is a scam. If in doubt, don’t reply to the email; to determine the email’s legitimacy, contact the person through another method that you know is safe (e.g., using the contact information on their directory entry or by asking in person). Sometimes, one name will correspond to a real person at UVic but the other one will not, which is another sign of a scam.


A typical scam email offering a free piano

From: Paulina Hagerman <s*********8@gmail.com>
Subject: Yamaha baby grand 05/13/2024

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello,

I’m offering my late husband’s Yamaha Piano to any music enthusiast who may appreciate it. If you or someone you know might be interested in receiving this instrument for free, please feel free to reach out to me.

Warm regards,
Paulina

A piano scam with photos attached, impersonating a real UVic employee but mentioning a person who doesn't actually work at UVic

From: [impersonated UVic employee] <[redacted]@gmail.com>
Subject: Yamaha Piano donation

Attachments: [Three thumbnail images showing a Yamaha baby grand piano from different angles]

Dear Student /Staff/Faculty,
One of our staff, Mr.Stephen Whitehead. is looking to give away his late dad’s piano to a loving new home. The Piano is a 2014 Yamaha Baby Grand size used but still new. Kindly write to him to indicate your interest on his private email( [redacted]@mail.com) to arrange an inspection and delivery with a moving company. Kindly write Mr. Stephen Whitehead via your private email for a swift response.

[impersonated UVic employee]
Assistant to the Dean
https://www.uvic.ca

Disposal of welding machine and tools boxs

Similar to the ‘grand piano’ scam, other large items, such as welding tools, are also being offered in recent scams. The common thread among all these offers is this: if you express interest in the item, you are asked to pay for the shipping costs. The scammers’ goal is to get you to send them a payment using non-refundable money orders or gift cards. However, after you pay the shipping cost, you will never receive the item you were expecting.

From: Dr. <real name of a UVic person>  <****@gmail.com>
Sent: Tuesday, May 7, 2024 3:59 AM
Subject: Disposal of welding machine and tools boxs

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear Student/Faculty And, One of our staff in University of Victoria , <redacted name> ( Coordinator, Academic Administration) is downsizing and looking to give away her late dad’s Miller 951937 Dynasty 300 TIG Welder w/ TIGRunner Pkg & Wireless Foot Control, With A Complete Set Of Snap On Tools Box And Accessories. If interested in any of the equipment kindly indicate by sending him a mail via your personal email for a swift response. to indicate your interest in any of the listed items contact him on his private email address (****@outlook.com ) to arrange delivery with a moving company.

Sincerely,

Dr. <redacted real name>

MEMBER OF THE BOARD

University of Victoria_Update

This phish specifically targets UVic and contains many of the classic red flags:

  • The email was sent from someone outside of UVic
  • The greeting is impersonal
  • The message creates a sense of urgency and threatens you with an adverse impact
  • The message contains many grammatical errors
  • The signature is generic and doesn’t mention UVic

Hovering over the link without clicking on it (or holding down your finger on it on a mobile device) will reveal that the link goes to a page from a free online form builder. A legitimate UVic login page would not be hosted on an online form builder.

If you entered credentials on the phishing page, change your password immediately and contact the Computer Help Desk or your department’s IT support person.

Phish email specifically targeting UVic by asking you to update your account


From: [redacted]@h******.se
Subject: University of Victoria_Update

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello user,

This is the last and final notice or our administrator will disable your access to your email.

Please click here to upgrade your University Of Victoria_Update your account security by completing the required details to avoid the deactivation of your University of Victoria edu account.

A cordial greeting wu,
IT Service Desk (c)2024

WPF

This is practically the same scam that we posted about last time. It was received by many UVic recipients last night. The text is the same as before, the sender is a compromised account at another organization, and the subject this time is just “WPF”. Please do not give in to curiosity: do not open the attachments in such scams, do not click links and do not reply to scammers (even for fun!!!). By replying, you tell the scammer that your email address exists, that you are not on vacation, etc.

 

I am sharing job opportunity information to anyone who might be interested in a paid World food programme Part-Time job with a weekly pay of $750.00. If interested, kindly contact Mattias on his email address (***@outlook.com) for details of employment.

N.B, this job is strictly a work from home position.

Part-Time job

A job scam offering a too-good-to-be-true salary for a part-time job.

Refer to the following post for the red flags to look for in this or any job scam:

https://onlineacademiccommunity.uvic.ca/phishbowl/2024/01/29/stmicroelectronics-ltd-looking-for-representative-in-your-area/

Never send your personal information to such scammers, and always take the time to look for warning signs in an email. If you replied to this scam, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Job scam with the subject "Part-Time job" that lures recipients with a too-good-to-be-true salary.

Subject:Part-Time job
Sender: Brown Corman <****@quadro.net>
Attachment: WFP Job Description (1).docx

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.


I am sharing job opportunity information to anyone who might be interested in a paid World food programme Part-Time job with a weekly pay of $750.00. If interested, kindly contact Mattias on his email address.(****@outlook.com) for details of employment.

N.B, this job is strictly a work from home position.

 

 

 

Dear user

This phish uses a scare tactic to get the user to click on the link. The sender's email address is external to UVic, the subject of the email is very generic, the link (check by hovering over it) goes to a site external to UVic, the message has formatting errors, and the signature is also very generic. All of these are signs of phishing.

Another thing of note in this phish is the mention of next steps, where you will receive a call and then press 0. Whenever such steps are mentioned, beware: the phisher will try to further social engineer you into revealing personal or confidential information (such as MFA info) over the phone.

Always look for red flags in an email before taking action. Whenever in doubt, contact the helpdesk.

Phish with subject "Dear user" to lure users into clicking on external link which will capture user's credentials.

Subject: Dear user
Sender: uvic.ca <****@quadro.net>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.


2-step login maintenance is required for your email before April 29th, 2024, to avoid login interruption.

Setup maintenance for 2-step login here [external link]

Note: A notification call will come through your phone, kindly answer the call and then press 0 on your phone to complete your new 2-step login setup.

IT Service Center

Regards,

 

Dear Qualified Student

This phish came over the weekend and was sent in massive volume. There is only an attachment and no email body, so it mostly aims to lure curious users who want to know what the email is about. An empty email body is a big red flag, as no context is provided about the email itself or the related attachment. The subject is fairly generic and the email comes from an external sender. Beware of such phishes, and don’t open attachments from unknown senders, or even from known senders if you were not expecting them.

Phish with subject "Dear Qualified Student" and only an attachment with no email body.

Subject: Dear Qualified Student
Sender: Jucélio Ribeiro <****@sinaltech.pt>
Attachment: Federal College Relief.docx