Document shared with you:

This phish is circulating today.

The goal, as usual, is to steal your UVic credentials by using a fake login page. The sender is external, but they may impersonate different internal people.

 

<name of the compromised external account> shared a document
<name> (******.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more [link to Google documentation]

Dr. <UVic person name> shared a file with you
AI Literacy, Assessment, and Fall 2023 Teaching.docx

Open [link to the fake login page]

Use is subject to the Google Privacy Policy [link to Google documentation].
If you don’t want to receive files from this person, block the sender from Drive[link to Google documentation]

 

 

$2,500 Credit Fund

This phish aims to steal users’ banking (credit/debit card) information. The phisher offers $2500 as bait to lure users into giving up their banking details. As always, this email has the following phishing signs:

  1. The subject of the email is designed to entice users to open the email and read further.
  2. The email impersonates Green Dot bank: it claims to come from this company, but the sender email address is different and there is no signer name at the bottom.
  3. The link given does not go to a Green Dot domain (always check links by hovering over them).
  4. The email mentions the American Opportunity Tax Credit, which falls under US jurisdiction and is not applicable in Canada.

Never overlook the warning signs in such emails as even the minor details can lead to detection of scams. Always beware of giving out any personal or confidential information.

Phish to steal banking information with subject "$2,500 Credit Fund".

Subject: $2,500 Credit Fund
From: Bayu Kurniawan <[redacted sender address]>

We are pleased to inform you that the school management and its community in collaboration with @GreenDot, after the recent annual calculation of your educational expenses, you have been determined eligible to receive an education credit from the American Opportunity Tax Credit (AOTC) in the amount of $2,500.

To ensure you receive your education credits, it is important that you fill the bank details for proper verification before remittance into your bank account details.

Connect your account[link to phish] to verify identity and submit your direct deposit details.

Thank you for your attention to this matter.

Sincerely,

Green Dot,
P.O. Box 1070,
West Chester, OH 45071

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

 

Job Opening

Job scam impersonating a UVic professor to make the job offer look legit. There are other similar emails circulating with different subjects and different senders. We have been seeing these types of scams continuously this summer. Please pay attention to the phishing signs before taking action on such emails. Here are some easy-to-spot phishing signs:

  • External email address, which wouldn’t be the case if it was coming from a UVic office.
  • Sender name doesn’t match the name of the professor impersonated.
  • Salary offered is too good to be true.

Never reply to such scams and take a moment to look for warning signs. Most of these scams are to defraud you of money.

If you responded to the scammer, contact the Computer Help Desk for assistance, especially if you sent money or personal information. If you forwarded the email to other people, recall the message and warn the recipients as soon as possible.

Job scam email impersonating UVic professor with Subject "Job Opening".

Subject: Job Opening
From: Stanford Psychology.edu <doug****@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University of Victoria ,Department of Psychology requires the services of Undergraduate students to assist with research projects on campus. The successful candidates will work closely with our research team to support ongoing data collection, and analysis . They are to work remotely and get paid $400 weekly.

Responsibilities:

Assist with the design and implementation of research projects on campus
Conduct literature reviews and summarize key findings
Collect and analyze data using appropriate statistical methods
Prepare and present findings to the research team
Perform administrative duties such as scheduling, data entry, and record keeping
Assist with writing research reports and manuscripts for publication
Recruit participants and conduct research studies
Qualifications:

Excellent organizational and time management skills
Strong attention to detail
Experience with research methods and statistical analysis
Strong written and verbal communication skills
Ability to work independently and as part of a team
Availability to work on campus or remotely during weekdays and weekends
Proficient in Microsoft Office (Word, Excel, PowerPoint)
This is a part-time position with a flexible schedule, and the successful candidate will work approximately 7 hours per week. The position offers valuable research experience, and the opportunity to work with a dynamic and collaborative research team on campus.

To proceed with the application process and other eligibility descriptions, submit your resume for review and approval for the position.

 

C/O

[redacted professor name]

Professor
Psychology

Contact
Office: COR [redacted]

 

$500 Weekly Pay

A job scam phish trying to lure users with a lucrative pay offer. The email body itself says very little and instead asks users to open the PDF attachment for details. There is no reason for anyone to open the attachment, as the email has clear signs of phishing. The email body doesn’t give any information about why someone is sending you this email, and the subject just states the salary to attract users, which is uncommon for legit job emails.

Before opening any attachments, look for phishing signs, as those could be infected files. If you have fallen for this scam, please contact the helpdesk or your IT support contact.

Phish from external sender with subject $500 weekly and an attached PDF file.

Subject: $500 Weekly Pay
From: Tito Tatag Prakoso <[redacted sender address]>

Attachment: $500 Weekly Pay.pdf

View attached for Temp Job details.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

You’ve been enrolled in training

Many UVic recipients received this phish in the morning.  It is easy to see that the links point to a site outside UVic (by hovering the mouse cursor on top without clicking).  As usual the goal is to steal your credentials. Please do not be curious and do not click on such links because they may contain malware to infect your computer instantly.

Note that sometimes the sender may look internal (or indeed be internal if a UVic account was compromised). If you are not sure whether an email is legit, ask your desktop support person or the helpdesk.

Dear ,
You are now enrolled in Multi-Factor Authentication . You must complete this training within 24hrs.

The assignments you’ve been enrolled in are displayed below:

– Hacking Multi-Factor Authentication with Roger Grimes[link to the fake login page]

Please use this link to start your training:
https:\\training.knowbe….[link to the fake login page]

It is important that you complete this training within 24hrs. Thank you for helping to keep our organization safe from cyber crime.

 

Document shared with you: “Summer Faculty Bonus.docx”

Another massive phish today comes from Google Docs and points to a malicious document. The subject contains the name of the document.

Please do not open the document and do not enter any credentials.
A screenshot of the phish is shown below.

 

 

Andrew Shepherd shared a document
Andrew Shepherd (***.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more[link to the malicious document]

Vasco Gabriel shared a file with you.

Summer Faculty Bonus.docx

Open[link to the malicious document]

Use is subject to the Google Privacy Policy[link to the google policy].

Account Storage

This phish has been circulating since yesterday. It is clearly coming from some external email address. There is no personal greeting, and the whole text is pretty generic; it does not even try to imply it is UVic related. The goal, of course, is to harvest credentials. Please do not be curious and do not click these links because sometimes they may contain malware to infect your computer instantly.

Screenshot of the phish message with subject "Account Storage"

Subject: Account Storage

We have noticed some unusual activity and the warning limit of your storage email account. To ensure the security and increasing your mail storage, please click the button below:

Increase Mail Storage[link to phish]

If you cannot click the button, please click here.
Administrator
Help Desk

Salary Increase Notification Letter

Who wouldn’t like a sizable salary increase, especially in these times when the cost of living has gone up so much? But that’s precisely what phishers are trying to prey upon when they craft these fake salary increase emails. Thankfully, they left plenty of red flags that you can look for to determine this email is fake:

  • The email did not come from UVic–a real salary increase notice would come from a UVic email address.
  • The greeting is generic and impersonal.
  • The salary increase amount is too good to be true, especially since it’s not spread out over multiple years.
  • There are a lot of spelling and grammar errors in both the email and the file name.
  • The signature block is generic and doesn’t mention UVic.

All of those items are signs that you should not open the attachment, as it will either contain phish/scam content or malware.

InfoSec ran the file through some specialized tools to safely examine the content. The results showed the file simply says that the document is protected and that you have to click on a link to view the actual content online. If you open a file and see something like that, contact the Computer Help Desk or your department’s IT support staff immediately for assistance, as that’s a sign that the file is not legitimate.

A phishing email claiming to offer you a 16.89% salary increase and directing you to open a suspicious PDF attachment


Subject: Salary Increase Notification Letter
From: Payroll Department <[redacted]@********u.edu>

Attachment: [PDF icon] Salary-Increasment-July…    80 KB

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear All,

Sequel to last week notification, find enclosed here-under the letter summarizing your 16.89 percent salary increase starting 21 July 2023

All documents are enclosed here-under:

NOTE:  Your Access is needed to go through the salary increment letter, Initial Access is Salary

Payroll & Employee Relations

Job Title

If you get an unsolicited email with an attachment and you don’t recognize the sender, be extremely wary, especially if the message is very vague and only tells you to open the attachment. The vagueness is a ploy to try and get you to open the attachment out of curiosity. Don’t open such attachments! Many contain malware to infect your computer, and even ones that don’t are likely to either load a phishing site or contain a scam.

InfoSec staff use specialized tools to examine the contents in a secure manner. When we examined the attachment for this phishing email, it turned out to contain a job scam pretending to be someone from the World Health Organization. To quickly recap, here are the red flags that can help you identify the offer as a scam:

  • The pay is too good to be true–this one offered $500/week for only a few hours a week of simple tasks.
  • The sender does not match the name of the person supposedly offering the job.
  • You do not need to go through an interview or meet your supposed employer (either virtually or in person) before getting the job.
  • The email asks you to reply and/or provide contact information for a different communication method such as personal email, SMS or Google Chat. This is a common trick that scammers use to move the conversation to a place that cannot be monitored by UVic.

We have many other posts on job scams that are worth a read if you want to learn more about how to spot them.

Scam email with a vague message asking you to open a suspicious attachment called "Remote Job Details.docx"


Subject: Job Title
From: M******** Arrizki <m******arrizki@iconpln.co.id>

Attachment: [Word document icon] Remote Job Details.docx    23 KB

VIEW ATTACHED FILE FOR DETAILS


This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus (ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

A Little Request

Please be aware of this job scam, which tries to lure users with a too-good-to-be-true offer. Although it is well written, one can still spot the phishing signs: the sender name and the signature name don’t match. The email mentions a college website whereas ours is a university; clearly this email was used to target some other institution and has been reused for our environment. The pay offered is way too high for the job described.

Here is a BBB article which describes such job scams in more detail:

https://www.bbb.org/article/scams/24708-scam-alert-pet-sitting-job-is-too-good-to-be-true

Never be in a hurry to give your personal information for job offers; always look for warning signs. Whenever in doubt, contact the helpdesk.

 

Subject: A Little Request
From: Ashlie Roberts [redacted external sender address]

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello,

I hope this message finds you well. As a former staff member of the college, I recently came across your email on the College website. I wanted to reach out to you regarding an exciting opportunity. My uncle will be relocating to the college area this summer, and he is in need of someone who can provide care and attention to his beloved pets.

Specifically, he is looking for someone who can take care of his furry companions by sitting with them, taking them for walks, and ensuring they are fed properly. To make this arrangement mutually beneficial, he is offering a competitive weekly payment of $400.

If you happen to know any staff or students who might be interested in dog-sitting, I kindly request you to refer them to my uncle. They can simply send an email to [external outlook email for contact], providing their name, phone number, and email address. This will allow my uncle to get in touch with them and discuss the full terms and requirements of the job.

Thank you for your time and assistance. Your referral could potentially help my uncle find a reliable and caring individual to take care of his fur babies. Please feel free to reach out if you have any further questions or need additional information.

Best regards.

Christopher Rosenfelt

 

Dear UVIC.

This job scam phish, which spoofs another Canadian institute’s email, has been circulating today. Here is how you can spot this scam:

  1. The subject doesn’t match the content of the email.
  2. The sender name and the signature name are different.
  3. The offer is too good to be true, paying way too high a wage for surveys.
  4. An external Gmail address is provided for contact, which belongs neither to the sender’s institute nor to the company mentioned in this email.
  5. An alternate email address and phone number are requested; scammers use this tactic to evade detection by the UVic network protections in place.
  6. There are spelling and grammatical mistakes.

Please be aware of such scams and always take a moment to look for red flags. If you have already fallen for this scam, please immediately stop any further conversation with the scammer and report it to the helpdesk or your departmental IT support.

Job scam phish from a spoofed account of another Canadian Institute with the subject "Dear UVIC.".

Subject: Dear UVIC.
From: [redacted sender address]

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear University of Victoria Students/Staffs/Non-Staffs,

I am introducing you to a part time opportunity, you can show interest and apply after reading.

Opinion Outpost, A leading agency specialized in Global Customer Service Research, is expanding customer service research projects in Canada. This project takes place every week, they need to recruit Shop Elevators to do surveys on Local retail stores in your environment. Applications are welcomed from qualified individuals (18+) to become Store Evaluators. You will get paid $400 – $500 on each assignment/evaluation

JOB DESCRIPTION:
* You will be assigned to visit a Retail store.

* You will be sent funds and instructed to purchase a few items from the store. You will then finish an on-line questionnaire to share with us your customer experience.

* Most of the time you will only need to spend 20 minutes on the visit.

To register for this survey, you are required to fill out the form below and send it to: [scammer’s gmail address]

Full Name:
Address:
Alternative Email Address:
Cell Phone Number:

Thank you for the participation, you will be contacted as soon as your application has been received.

Regards,

Basil Mervyn.
Recruitment and Job Evaluation Advisor.
Opinion Outpost.

Work Part-Time

Similar to cases we saw in May and June, job scammers are impersonating real UVic professors to make their fake offers look more legitimate. The red flags remain the same as before:

  • The emails are coming from Gmail addresses. A legitimate opportunity should be coming from a UVic email address.
  • The sender name does not match the name of the professor supposedly offering the opportunity. Inconsistencies like this are often a sign of a scam.
  • The salary offered is too good to be true, especially for a small amount of casual work to be done in your free time.
  • The email requests your contact information for a different communication method, in this case Google Chat. This is a trick to move the conversation to a place that can’t be monitored by UVic.

Do not reply to these offers–these scammers are usually trying to defraud you of money in one way or another. They may ask you to transfer money using your own funds (with a promise to reimburse you that will never materialize) or ask you to buy gift cards and send photographs of them. If they ask for personal information such as your driver’s licence or passport, do not provide it or you may be at risk of identity theft.

If you responded to the scammer, contact the Computer Help Desk for assistance, especially if you sent money or personal information. If you forwarded the email to other people, recall the message and warn the recipients as soon as possible.

Job scam coming from a Gmail account that impersonates a UVic professor from the Department of Economics.


From: Franka Arden <farden***@gmail.com>
Subject: Work Part-Time

The service of a Department Assistant is urgently required to work part-time 12hours/week and get paid $650 weekly. Tasks will be carried out remotely in your free days/time.
If interested, submit a copy of your updated resume and a functional google chat email address to our Department of Economics via this email address to proceed.

Sincerely
Dr. [redacted]
Associate Professor
Department of Economics
Office: BEC ***
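
The red flags listed for this job scam (freemail sender, signer not matching the sender name, a request to move to another channel, implausible pay) can also be checked mechanically. The Python triage function below is an added example, not part of the original post or of any UVic tooling; the domain uvic.ca, the freemail list, the $40/hour ceiling, the phrase patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "uvic.ca"   # assumption: the institution's own mail domain
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
MAX_HOURLY = 40.0            # assumption: illustrative ceiling for casual work

CLOSING = re.compile(r"^(sincerely|regards|best regards|thank you)[,.]?$", re.I)
TITLE = re.compile(r"^(dr|prof|professor|mr|mrs|ms)\.?\s+", re.I)
CHANNEL_SHIFT = re.compile(
    r"google chat|alternative email|cell ?phone number|number i can text", re.I)
PAY_PER_WEEK = re.compile(
    r"\$\s?(\d[\d,]*)\s*(?:weekly|per week|a week|/\s?week)", re.I)
HOURS_PER_WEEK = re.compile(r"(\d+)\s*hours?\s*(?:/|per|a)\s*week", re.I)

# Constructed sample modelled on the message above; names and address are made up.
SAMPLE = """\
From: Sample Sender <sample.sender@gmail.com>
Subject: Work Part-Time

A Department Assistant is required to work part-time 12hours/week and get paid $650 weekly.
If interested, submit your resume and a functional google chat email address.

Sincerely
Dr. Example Professor
Associate Professor
"""


def signature_name(body):
    """Return the first non-empty line after a closing such as 'Sincerely'."""
    lines = [line.strip() for line in body.splitlines()]
    for i, line in enumerate(lines):
        if CLOSING.match(line):
            return next((nxt for nxt in lines[i + 1:] if nxt), None)
    return None


def red_flags(raw_message):
    """List the red flags found in one plain-text (non-multipart) message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []

    # Flag 1: sender address is outside the institution, or on a freemail service.
    if domain != TRUSTED_DOMAIN and not domain.endswith("." + TRUSTED_DOMAIN):
        flags.append("external-sender")
    if domain in FREEMAIL:
        flags.append("freemail-sender")

    # Flag 2: the signer shares no name token with the From display name.
    signer = signature_name(body)
    if signer and display:
        signer_tokens = set(TITLE.sub("", signer).lower().split())
        if not signer_tokens & set(display.lower().split()):
            flags.append("signature-name-mismatch")

    # Flag 3: request to continue on a channel the mail system cannot monitor.
    if CHANNEL_SHIFT.search(body):
        flags.append("asks-to-change-channel")

    # Flag 4: implied hourly rate, only when both pay and hours are stated.
    pay, hours = PAY_PER_WEEK.search(body), HOURS_PER_WEEK.search(body)
    if pay and hours and int(hours.group(1)) > 0:
        hourly = int(pay.group(1).replace(",", "")) / int(hours.group(1))
        if hourly > MAX_HOURLY:
            flags.append("implausible-pay")
    return flags


if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

These checks read only the From header and the body text; because a From address can be spoofed, a clean result here says nothing about whether the message is authentic.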

Please

Gift card scammers impersonate people in positions of authority to try to make requests look legitimate and prey on people’s desire to be helpful. This example impersonates UVic President Kevin Hall, but other popular impersonation targets include VPs, faculty deans and directors.

Always pay attention to the sender address for emails that claim to be from someone in a position of authority. This one came from a Gmail address, which is a big sign that this email is not really from the president. A real email from the president or any other UVic authority figure would come from their UVic email address (although you still have to be wary in case that was spoofed).

Another bad sign is the fact that the scammer asks to continue the conversation via text messages and wants your phone number for that reason. Requesting your contact information in order to move the conversation to a different method is a common trick that scammers use to avoid detection. Finally, the errors in punctuation and capitalization and the overall vagueness of the message are also signs that this request is not legitimate.

If you replied with your cell phone number, ignore any text messages that come from the scammer and reach out to the Computer Help Desk or your department’s IT support contact for assistance. You will also need to be on the lookout for future phishing and scam attempts via phone or text message because your phone number is now in the hands of a scammer.

Gift card scammer using a Gmail address but claiming to be President Kevin Hall. The scammer is asking for your cell phone number to continue the conversation via text message to avoid detection.


From: Kevin Hall <d******compton0@gmail.com>
Subject: Please


Hello, Got a moment right now?, kindly text back with a number I can text you on.
Kevin Hall, PhD
President

Job Offer or Job Offered

This phish has no hidden agenda; it is a plain and simple job scam. The phisher has clearly put no effort whatsoever into making it look legit.

There is no mention of who this person is or what organization they work for, not even their last name. The salutation is generic, and the formatting of the text is weird, along with grammatical errors.

Please don’t reply to such job scams and be aware of the phishing signs.

Job scam phish from external sender.

Subject: Job Offer
From: [external sender]@gmail.com

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear Job seeker,
My name is Alec . I have an urgent need to replace my representative across Canada. I am looking for a friendly, simple & trustworthy individual . Someone with a good sense of humor that can take the company to the next level.
Do get back if you are available to work so I can give you details of the job required as this will not disturb your other work .

Sincerely
Alec

[Someone] shared “FILE REVIEW 2023” with you

This phish is an actual SharePoint Online file sharing email, but that doesn’t mean the file it goes to is legitimate. Phishers are known to use compromised Microsoft 365 accounts at other organizations to create a phishing document. Instead of creating their own phishing email, they send out the phish by sharing that phishing document with the other people they want to target. That can potentially make the phish harder to detect because the emails have the same look and feel as legitimate SharePoint Online file sharing emails.

Despite all that, there are still some red flags:

  • The message claims that the file is from the UVic president, but the file wasn’t shared by him or someone from the UVic President’s Office. Inconsistencies like this can often be a sign of a phish or scam.
  • The message is very vague. This may be a trick to make you curious and go to the file to find out what’s actually in it.
  • There is incorrect grammar and capitalization in the message.
  • At the bottom-right corner of the message, you’ll see a different university’s logo. This is a sign that the file did not come from within UVic’s Microsoft 365 tenant. An actual file from the UVic President should not be coming from a different university’s Microsoft 365 service.

A SharePoint Online file sharing email from a compromised account at another organization. It pretends to be a file from President Kevin Hall but actually goes to a phishing document.

From: E********** <noreply@sharepointonline.com>
Subject: E********** shared “FILE REVIEW 2023” with you.

E********** shared a file with you

FWD: President Kevin Hall you a file using one drive.

[Word document icon] FILE REVIEW 2023

This link will work for anyone.

Open

[Microsoft logo]
[Other university’s logo]