Phish from a compromised vendor email address

An employee of a local vendor had their email address compromised and used to send phishing emails. Notice the part that looks like a file attachment: it is actually a link to a malicious file on OneDrive.

If you receive emails that appear to come from someone you know but don’t quite look right, don’t reply and don’t click on the links. Instead, contact them via a phone number that you already have and know is safe. Also inform your department’s IT support staff and report the phish to the Information Security Office so that we can follow up as necessary.

“Important notice” phish

This phish tries to persuade the victim to “activate their anti-spam” by clicking on a link. Both the link and the sender are clearly not UVic addresses. Nevertheless, the email is signed “University of Victoria” and the page contains the UVic logo.

As usual the goal is to steal your credentials. Do not click on the link!

 


 

Microsoft verification phish

Many UVic users received this phish today. It claims that “Microsoft Verification is required” and supposedly comes from “support service”. However, the sender is clearly not a UVic address. The body of the message looks like this:

Please do not be curious and do not click on the link. The goal is to steal your UVic credentials (a fake Outlook Web App page is shown below). Besides stealing credentials, these pages may contain malware, which is why even opening the page is not a good idea.

x message(s) quarantined

This is another phish that tries to persuade the victim that something is wrong with their email account. They are supposed to click a link to “release” quarantined messages. Note that UVic does not have such a practice.



The sender is forged to seem internal, but the links are clearly external.
Please do not be curious and do not click. The links lead to a fake Outlook Web App page that’s designed to steal your credentials:


You have undelivered emails phish

This phish tries to persuade the user that there was a problem with their emails and that they need to act immediately in order not to lose the unsent emails.
The sender is clearly external.
Do not click on the link. It leads to a fake OWA page that pretends to belong to UVic and is designed to steal your credentials. See below the screenshots of the email and the fake Outlook Web App page.

 

 

Update your account phish

This is another phish that tries to persuade the victim to “update their account”.
The message looks like this:

Please do not be curious and do not click the link if you get this phish.
It leads to a page that’s designed to steal your credentials.
One can clearly see in the address bar that it is not hosted at UVic:

Fake OWA Page

This payroll scam email resembles many we’ve seen in the past. Note the non-UVic sender.

The link goes to a fake OWA page that does not resemble any of our UVic services.

This has nothing to do with UVic. You’ll notice the godaddysite domain in the address bar.

Ignore and delete this email.

Another fake OWA page

The phish tries to persuade the victim that their email was blocked and they need to click the button in order to “restore access”.

After clicking, a fake OWA page opens with the intent to steal the victim’s UVic password. The fake OWA (Outlook Web App) page is in fact hosted on a Russian server (see the address bar).

Do not click on the “restore access” in that email!

A letter from the president

Today a number of UVic recipients received an impersonation email supposedly from the president Jamie Cassels.
The email looked like this:

This is a typical start of a gift card scam. We wrote about those back in November:
https://www.uvic.ca/systems/status/notices/current/gift-card-scam_nov2019.php

and later on the topic was covered with more detail by our Chief Information Security Officer:
https://onlineacademiccommunity.uvic.ca/cisoblog/2020/02/20/an-email-exchange-with-the-president-not-really/

Please do not respond to impersonating emails (even for fun) and report them by using the “phish” button.

Financial statement

This phish pretends to be sending financial statements for 2020 (misspelled in the subject as “satement”). The email body looks like this:

The actual attachment is an HTML file which redirects the victim to a UVic-like OWA page with the intention to steal your credentials. That page is clearly external: look at the address bar in the screenshot.

Invoice Payment Redirection

An email account at one of UVic’s suppliers was compromised. The attacker accessed the email account at the supplier and attempted to have staff at UVic send payment to a bank account owned by the attacker via wire transfer.

While the staff person in this particular department did not immediately suspect a fraud attempt, they eventually called the supplier contact and confirmed with the supplier that they did not send those emails. No payment was sent.

Below are redacted screenshots of emails sent by the attacker. If you receive similar emails, contact your supplier using a phone number you already have on file, inform UVic Accounting, and contact the Information Security Office.

This is the initial contact from the attacker:

The attacker starts to get demanding here:

And finally, the attacker forgets that improper spelling and grammar are a strong indicator that something is wrong:

URGENT: Validate your account

This is not a legitimate UVic email; it is yet another phish that spoofs a UVic email address. Replies actually go to a Hotmail address.

Reminder: legitimate UVic communications will never ask you to send your login information via email.

Fake “verify your account” phish

This phish tries to persuade the victim that they need to click a link to verify their account. It opens a page that pretends to belong to UVic and steals the credentials of the victim. Do not click on that link!
The email looks like this:

 

The page pretends to be UVic, but clearly is external (see the address bar).

Account migration spear phish from various spoofed uvic.ca addresses

This email was not sent by UVic; do not click on the link. The sender addresses of Outlook.Team@uvic.ca, Outlook-Web-App.Team@uvic.ca and Outlook.Web.App@uvic.ca have all been spoofed by the phisher to make the email look legitimate.

This is a spear phishing email pretending to be a notification related to UVic OWA. Subject lines are variable but all of them mention account migration. If you clicked on the link or entered your credentials, contact your department’s IT staff or the Computer Help Desk immediately.
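
For IT staff who triage reported messages, the indicators that recur in these notices (replies routed to a different domain than the sender, links hosted outside uvic.ca, an HTML file as the attachment) can be checked mechanically. The sketch below is an added example, not a UVic tool; the finding labels, the `triage` function and the sample message with its `.example` domains are constructed for illustration. A uvic.ca From header proves nothing on its own, since it can be spoofed, so the check compares it with Reply-To rather than trusting it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "uvic.ca"  # the organisation's own mail/web domain

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_internal(host):
    """True only for the org domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def triage(raw):
    """Return indicator strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            findings.append(f"html-attachment:{name}")
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", body):
                host = urlparse(url).hostname
                if not is_internal(host):
                    findings.append(f"external-link:{host}")
    return findings

# Constructed sample message (not one of the real phish shown on this page).
SAMPLE = (
    'From: "UVic Helpdesk" <helpdesk@uvic.ca>\n'
    "Reply-To: account.team@webmail.example\n"
    "Subject: URGENT: Validate your account\n"
    "\n"
    "Validate at http://owa-login.example.net/uvic today.\n"
    "Details: https://www.uvic.ca/systems/\n"
)

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

An empty result does not mean a message is safe: the first notice above came from a genuinely compromised vendor account, which none of these header checks would flag.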