Phish Bowl

Verified phishing emails at U of T

The following is a list of verified phishing emails circulating in U of T email inboxes.

Please visit this page often for updates. Don’t click it, delete it!

Spotted November 9, 2017

From: jflores@petroperu.com.pe
Subject: Mail Quota
Content:

This phishing email uses a common tactic: the inbox quota warning. In this kind of phishing email, the attacker warns the recipient that their inbox has reached its storage quota and will be shut down if the user doesn’t take action. If they click the link they may be prompted to enter their login information into a form or they may unwittingly download malware.

Warning: New Word Document Virus

Please be advised that there is a new trojan virus that attempts to trick you into allowing it to be executed.

Normally when you open a Word Document it will open it in “Protected Mode” to prevent you from being compromised. This document has nothing in it except a picture that tells you to turn that protection off. Once you do, the macro will infect your computer.

DO NOT do what it says to do.

You can simply delete the email if you receive something like this:


Spotted October 31, 2017

From: service@constateurtnt.com
Subject: Problem with your Netflix Membership
Content:

This phishing email is attempting to coerce the reader to divulge their credit card information. This message can be identified as a phishing email because the sender’s address is clearly not Netflix based.


Spotted October 25, 2017

From: Redacted
Subject: Message Alert on Health concern
Content:

This phishing attempt uses fear to manipulate the reader into clicking on the link. The sender informs the reader that there is a security concern on campus and the only way they can find out more is by clicking on the link. The link then leads to a fake login page. This login page can be identified as being fake because the page’s address is a “.xyz” url.


Spotted October 5, 2017

From: databasse737737@comcast.net
Subject: Your Password Expires today… (from Support)
Content:

Social Engineering: This phishing attempt capitalizes on users’ fear that they could lose access to their account. To prevent their password from “expiring” they click on the link.
Identifiable Traits: You can tell this is a phishing attempt because the return address is clearly a non-U of T account.


Spotted October 5, 2017

From: admin@gogogobaby12.com
Subject: You are invited to the court because of crime commitment
Content:

Social Engineering: This phishing attempt uses fear to coerce users into clicking the link. The user may be concerned that they have done something wrong, so they will click the link to ensure they avoid any negative consequences.


Spotted September 28, 2017

From: english87778@comcast.net
Subject: Campus Email Security Alert
Content:

Identifiable Traits: This phishing attempt can be identified in two ways: the word Toronto is spelled with a zero and the return address is clearly not from a U of T based account, with the return address originating from “comcast.net”.


Spotted September 27, 2017

From: Redacted
Subject: Voice Message from (901) ___-_______
Content:

This phishing attempt leads the user to believe that they have a voicemail waiting for them. When they click on the link they are brought to a page that looks very similar to the Office 365 login page. Unfortunately, if they enter their credentials into this form their login details are stolen and there is no voice message.


Spotted August 28, 2017

From: Daniel.Galvis@hpidc.com
Subject: Re: Helpdesk
Content:

Identifiable Traits: This email originates from a non-U of T account.
Social Engineering: This scammer took advantage of the fact that U of T staff and faculty had a migration coming up. By using this knowledge they were able to convince users that clicking the link was part of the migration process.


Spotted August 28, 2017

From: utoronto-notif@home.nl
Subject: Urgent Issue
Content:

Social Engineering: This phishing attempt pressures the user into taking action by suggesting that the user’s incoming emails will be lost if they don’t click the link to get extra storage for their account.


Spotted August 23, 2017

From: vmservice@uni-mail.org
Subject: Voice Message from 066657702381 – name unavailable
Content:

This phishing attempt is an example of how voicemail can be used to compromise your security. The sender is masquerading as a voicemail service that sends a link via email when you receive a voice message. Unsurprisingly, the link is malware-backed. Never click on links from unknown senders.


Spotted August 21, 2017

From: _____________@utoronto.ca
Subject: Urgent attention needed
Content:

Falsified Traits: The author of this phishing email has stolen the identity of a respected U of T faculty member. They are using this person’s email address and even go so far as to copy their email signature.
Social Engineering: This phishing attempt manipulates the reader by convincing them that the subject must be dealt with urgently and suggests that the user is at fault (they owe the sender money).


Spotted August 21, 2017

From: andy-noreply@gmail.com
Subject: Google
Content:

Falsified Traits: This phishing email is using the Google logo to make it seem like a legitimate message.
Identifiable Traits: This email claims to be from Google UK rather than from Google Canada. This phish claims that the attached file is part of the “Google E-Mail Online Sweepstakes Promo”. This promotion does not exist.


Spotted August 21, 2017

From: barbara.meinzer@gmx.de
Subject: S E T T I N G S
Content:

Identifiable Traits: The sender’s email address is not an official U of T address. Spelling/Grammatical errors: The words “lose” and “messages” are misspelled.
Social Engineering: This phish pressures users into clicking the link by telling them that they will lose incoming messages if they do not validate their log in information.


Spotted August 4, 2017

From: verify@emailupdate.com
Subject: Important – Email Update
Content:

Social Engineering: This phish is pressuring the recipient into revealing their login details. The sender claims that the recipient’s email address will be deleted if they do not enter their login details.


Spotted August 4, 2017

From: service@decpacito.com
Subject: Your Netflix membership is on hold — Please update your payment
Content:

Identifiable traits: This email claims to be from Netflix but this is clearly false because the sender’s email originates from “decpacito.com”.

Social Engineering: This email claims to be from Netflix and is trying to get the recipient to divulge their credit card information.


Spotted on August 4, 2017

From: discover@tigana.zerozero.pt
Subject: Information Regarding Profile
Content:

Identifiable Traits: The sender’s email address is clearly not from “Discover Card”.

Social Engineering: This phishing email is attempting to get the user to divulge their personal information.


Spotted on August 3, 2017

From: @hvacofamerica.com
Subject: Re: invoice 50705733 bull****
Content:

Falsified Traits: This phish is a fake “reply” with a carefully crafted false email chain attached to it.

Identifiable Traits: The phone number and fax numbers all have different area codes. The domain in the “from” address and the domain in the link do not match.

Social Engineering: Use of profanity elicits an emotional response in the reader.


Spotted on August 2, 2017

From: support@hmmc.com
Subject: You have received a new document from support@utoronto.ca!
Content:

Falsified traits: This phish claims to link to a file sent to the recipient from support@utoronto.ca

Identifiable traits: When the user hovers over the link it is obvious that it will be leading to an “adoption doctor” page and not to a Google Doc.


Spotted on July 28, 2017

Falsified Traits: The URL contains a misspelling (e.g. wblogn), does not meet the criteria listed on the page itself, begins with http instead of https, and does not end with utoronto.ca (it ends with dx.am).

Social engineering: Phish encourages users to provide credentials (username/password)
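The URL traits listed for this phish (http instead of https, a host that does not end with utoronto.ca) can be checked mechanically. The following is an added example, not part of the original listing; the function names and every sample URL, including the `weblogin.utoronto.ca` host, are constructed for illustration. It also covers lookalike hosts that would pass a naive "contains utoronto.ca" test.

```python
from urllib.parse import urlsplit

# Taken from the trait above: a genuine login link ends with utoronto.ca.
TRUSTED_DOMAIN = "utoronto.ca"


def host_in_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.

    Matching on a label boundary (".utoronto.ca") rejects lookalikes
    such as "notutoronto.ca" or "utoronto.ca.login.example".
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def link_findings(url: str) -> list:
    """Return the traits from the listing that this link exhibits."""
    findings = []
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and port, so a URL like
    # https://utoronto.ca@phish.example/ is judged by its real host.
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if not host_in_domain(host, TRUSTED_DOMAIN):
        findings.append("host-outside-utoronto.ca")
    return findings


# Constructed sample links (not taken from any real message).
SAMPLES = [
    "http://wblogn.example.dx.am/login",
    "https://weblogin.utoronto.ca/",
    "https://utoronto.ca.login.example/",
    "https://utoronto.ca@phish.example/",
    "https://notutoronto.ca/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", link_findings(sample) or "no listed traits")
```

A clean result only means the link shows none of these two traits; a compromised U of T account or page would still pass.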


Spotted July 27, 2017

From: [name redacted]
Subject: Welcome to the new Gateway for Faculty and Staff
Content:

Falsified traits: This phish claims to be from ITS and is encouraging users to migrate to a “new” employee gateway (which does not exist).

Identifiable traits: The sender is encouraging the user to click on a sketchy link in the e-mail. There is also a clear sense of urgency: users are informed that ITS wants them to migrate immediately.

Social engineering: This phish claims that the new gateway will provide users with a better experience and give them access to information they would not normally be able to view online.


Spotted on July 10, 2017:

From: [student’s name redacted]@mail.utoronto.ca
Subject: Mailbox Issues

Content:

 

Falsified traits: The phish is from a student’s “@mail.utoronto.ca” e-mail address.

Identifiable traits: E-mail URL takes users to a non-University of Toronto domain. Help desk e-mail arrives from a student “@mail.utoronto.ca” address instead of a staff address “@utoronto.ca.”

Social engineering: Phish purporting to be from a help desk employee attempts to trick user into addressing a quota issue within a fake time-limit to keep their e-mail account active.


Spotted on June 13, 2017:

From: [student’s name redacted]@mail.utoronto.ca
Subject: Support

Content:

 

Falsified traits: The phish uses a compromised student’s e-mail address. The TO field is erroneously addressed to info@helpdeskutoronto.edu

Identifiable traits: E-mail URL takes users to a non-University of Toronto domain. Help desk e-mail arrives from a student “@mail.utoronto.ca” address instead of a staff address “@utoronto.ca.”

Social engineering: Phish purporting to be from a help desk employee attempts to trick user into addressing a fake security incident to reactivate their e-mail address.


Spotted on June 13, 2017:

From: “Dropbox”
Subject: Protected Communication from BMO Group

Content:

Falsified traits: Uses the Dropbox logo and e-mail format and a fake Dropbox landing page.

Identifiable traits: E-mail URL takes users to a non-Dropbox domain and encourages users to log in with their e-mail address instead of their Dropbox account.

Social engineering: Phish encourages users to provide e-mail credentials (username/password).


Spotted on May 10, 2017:

From: BMO Group
Subject: Protected Communication from BMO Group

Content:
PROTECT Message Center and Email Encryption
You have received a secure encrypted email from BMO PROTECT Message Center and Email Encryption, email encryption service delivers you personal, financial or confidential information. To ensure the highest level of security this message has been encrypted, please check attached document for more information. Our PROTECT Message Center lets you confidently receive and send emails including attachments sent by your BMO representatives, knowing your personal information is secure.

Always Remember – members of BMO Financial Group will NEVER request personal or financial information through unsolicited emails. If you suspend you have been a victim of fraud or would like to report suspicious activity, please call us immediately at 1-877-CALL-BMO.

Do Not Share This Email
The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax – except its direct delivery to the intended recipient – is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.


Spotted on May 5, 2017:

From: @ccbcmd.edu address
Subject: Welcome to the new outlook web app for Staff

Content:

Welcome to the new outlook web app for Staff

Migrate to The new Outlook Web app for Staff is the new home for online self-service and information.

Click on GATEWAY {link} and login to:

  • Access the new staff directory
  • Access your pay slips and P60s
  • Update your ID photo
  • E-mail and Calendar Flexibility
  • Connect mobile number to e-mail for Voicemail

Everyone is advise to migrate immediately.
Help Desk Support Team

Spotted on May 4, 2017:

From: Crosby, Lisa (Medel) [LFCrosby@STJAMES.IE]
Subject: OWA NOTIFICATION.

Content:

You’re receiving this email because we are updating the Microsoft Services Agreement, which applies to one or more Microsoft products or services you use updates to clarify our terms by CLICKING UPDATE {link} and ensure that they remain transparent for you Failure to update this futures your account will be suspended.

Microsoft respects your privacy. To learn more, please read our Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052


Spotted on May 3, 2017:

From: {Various names} has shared a document on Google Docs with you

Content:

{various user names} has invited you to view the following document:

Open in Docs {link}


Spotted on May 3, 2017:

From: Royal Bank of Canada

Content: 

This secure email was sent to: xxxxx.xxxxxx@utoronto.ca
Wed, 3 May 2017 13:47:22 +0000

From: Royal Bank of Canada
To: xxxxx.xxxxxx@utoronto.ca
Subject: RBC Secure DOC / DOC Sécurisé
Date:
Password:

 

  1. Open the SecureMessage.doc attachment by double-clicking or using the “Open” or “View” action within the email application.
  2. Your default DOC viewer software should open automatically. In the “Password” field, enter the password given to you by the sender at RBC and press “OK”.
  3. The SecureMessage.doc will be displayed, and any included attachments may now be opened. Large DOC messages may take several minutes to display.
  4. You can access the attachments by simply double-clicking the file.
Attachments:
SecureMessage.doc (42 KB)
Royal Bank of Canada Secure DOC, © 1995-2017

Spotted on: May 1, 2017

From: Canada Revenue Agency
Subject: Secure email message

Content: 
To read your secure message , follow the instructions below.

1. Look for an open SecureMessage.doc ( typically at the top or bottom; location varies by email service).
2. Your Authorization code is: 78AS92918CRA.
3. Enter the authorization code when prompted.

The secure message expires on May 02, 2017 @ 09:21 AM (GMT)
Disclaimer: This email and its content are confidential and intended solely for the use of the addressee. Please notify the Canada Revenue Agency if you have received this email in error or simply delete it. Secured by Symantec Encryption. Copyright © 2017 Symantec Corporation. All rights reserved.

 


Spotted on: April 20, 2017

From: Canada Revenue Agency
Subject: Unique Reference No: 31072016
Content:
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 210.98 CAD.

Please submit the tax refund request and allow us 15-30 days in order to procces it
Please use the link below to complete your claim online this only take you a few minutes to complete

– Tax Reference No: 31072016

– You have until the 24th of Avril 2017 to make your claim.

Get Started ⇨

Please note: A refund can be delayed for a variety of reasons, For example submitting invalid records or applying after the deadline.

Best regards,
Canada Revenue Agency Team

Learn how to spot a phish!

Visit our resources on phishing and learn about how to spot a phish and different types of phishing scams.

All about phishing