
Office of Information Security

Fresh Phish

As part of our phishing awareness campaign, Fresh Phish features recent phishing attempts directed at the UGA campus.  These emails have been reported by UGA faculty, staff and students who are alert to the dangers of scams and phishing attacks.

Messages are listed by subject line and date reported. A brief critique of each message is included to help you spot the red flags - the features found in most phishing emails - and the common patterns that can alert you to the potential dangers in your inbox.

Every once in a while you will notice that the name of the sender has been changed in an example. Why? It was a real person. And there's no reason to be mean or point fingers. Just imagine your name in place of "User Name" and you will understand why we chose to make the switch.

For some not-so-Fresh Phish, visit the Fresh Phish Archive for 2016 or 2017 where we have older examples of phishing email so you can see how phishing attacks get re-used.


Sextortion Scams: Coming to an Inbox Near You

August 14, 2018

Hey, All Y’all – there are a lot of phishing scams going around claiming the sender took over one of your devices and recorded you “having fun” while visiting adult video (porn) sites.

Each scam is a tad bit different – and the Bad Guys are making money hand over fist. In fact, they demand $1000.00 from each victim. And they are getting it.

So here’s the deal. Somewhere, sometime, someone (a Bad Guy) got hold of a database that had some personal information, some old passwords, an email address or two and some partial phone numbers. There’s no way to be sure where this information came from. Honestly, it hardly matters: Given all the big data breaches that happen, it’s a sure thing your information is out there on the web somewhere.

Okay. Where were we? Oh, yeah. Any information in that database is more or less phish food.

All the Bad Guys have to do is drop some of that information into a threatening email, send it to everyone on their list, then sit back and wait. The money rolls in with no real effort on their part. In fact, one scam got over $50,000.00 in a single week.

Fresh Phish already talked about one of these emails back on July 19, 2018 – but the darned things just keep coming. Guess you can’t keep a good scam down.

Now you gotta ask yourself (Fresh Phish is not judging):

Have you been visiting adult video (porn) sites?

  • Of course not! - You have not downloaded malware from a porn site.
  • Report the message to the Abuse Team (abuse@uga.edu), delete it and move on.
  • Paranoid? Go ahead - update and run your antivirus program if appropriate. It won't hurt anything.
  • Remember, it's unlikely that the Bad Guys have your whole phone number. They would have used it if they did.

From: A Bad Guy <weBvilns[@]badgusy.com>
Subject: Subject:(Part num your Hacked phone +XX XXXXXX5555)

It seems that, +XX XXXXXX5555, is your phone.
 
You may not know me and you are probably wondering why you are getting this e mail, right? actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean).
While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.
 
What did I do? I backuped phone. All photo, video and contacts. I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam. exactly what should you do?
 
Well, in my opinion, $1000 is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).
 
BTC Address: 1GYNGZLEUGkkQjHo19dHDnGE87WsAiGLLB
(It is cAsE sensitive, so copy and paste it)
 
Important: You have 48 hour in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with "Yes!" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.

Special thanks to Lawrence Abrams, creator and owner of BleepingComputer.com, who was the source of the example phishing email text.

 

***ATTENTION REQUIRED***-from president Jere W. Morehead to all employees on August 09, 2018 !

Reported August 9, 2018

Every once in a while phishers go for the big targets - directors and others who are highly placed enough to be ideal victims of phishing attacks. The more highly placed a person is in an organization, the greater the possibility of a big data or monetary score for the phishers.

Most of us don't get to see these sorts of attacks, so it's important that this message gets shared. As usual, you can open a bigger version of the image. (It won't work well on smartphones because the file is very large.)

The red box, arrows and blue highlighting are all indicators of red flags:

  • The sender's name and return email address do not match
  • The attached pdf.pdf file is unexpected (and the double .pdf extension may be hiding the true nature of the attachment.)
  • You are not addressed by name in the greeting. (Gerorgia? Puh-leez!)
  • The language in the body of the email is awkward and poorly written.
  • The "access" link is very sketchy: mouse over the link to see it goes to a phishing website in Germany.
  • "President" is not capitalized - and you know it would be.

Notice that the recipient is also encouraged to share this message.

You can read the text of this message a bit further down the page.

Morehead phish

From: Jere W. Morehead <notpresm[@]agerman.site>
Subject: ***ATTENTION REQUIRED***-from president Jere W. Morehead to all employees on August 09, 2018 !

(UGA logo here)

Dear University Of  Gerorgia Employees,

It's of high importance all Employees read through on what improves the welfare of our institution,including a few organizational changes which require all Employees prompt attention.

complete the following new updated 45 seconds survey which is important to all University of Gerorgia staffs to access attach today.

Thanks

Note: The  message is sent out of high importance to all employees to access attach and share.

Jere W. Morehead
president
University of  Gerorgia

(Photo here)

URGENT Please read

Reported July 31, 2018

Phish Spotters unite! This is a very nasty scam. And it comes at a very bad time for incoming students who do not yet know that EITS will never ask them to update their accounts.

This email is a FAKE. (Phish Spotters say it loud and say it proud!)

The audacious use of the UGA logo adds a hint of authenticity to the email - but do not be fooled. Anyone who can copy and paste can steal an image off the internet.

Let's run through the red flags - warning signs that a message is a phish - shall we?

  1. The "From" and "To" fields are the same - that's phishy!
  2. Official email from UGA will address you by name - not as "University of Georgia User"
  3. EITS will not ask you to update your email account - it's all MyID driven.
  4. EITS will not close down your account because you did not update it - refer to the last point.
  5. You do not update anything on the University home page - besides, that link goes to a non-UGA website.
  6. All UGA business should be conducted on an official UGA website.
  7. Correspondence about EITS services will come from EITS - not the ambiguous "University of Georgia Team."
  8. Official business email should include contact information for the department that sends it - and that goes for any business email.
  9. The copyright notice at the bottom is only there to make the email look official - so don't be fooled!
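
The header and attachment red flags from this phish and the Morehead phish above (From and To identical, a well-known name on an outside address, a generic greeting, a stacked attachment extension) can also be checked by a script. This is an added example, not part of the original Fresh Phish post or any EITS tooling; the `PROTECTED_NAMES` watch list, the extension list, the `.example` addresses and both sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

ORG_DOMAIN = "uga.edu"
PROTECTED_NAMES = {"jere w. morehead"}     # hypothetical watch list of impersonated names
KNOWN_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "zip", "htm", "html"}  # assumption
# "Dear <something> User/Employees/..." or "Dear <email address>" instead of a name.
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(?:[\w/ ]*\b(?:users?|employees|staffs?|students|faculty)\b|\S+@\S+)",
    re.I | re.M,
)


def in_org(domain):
    """True only for the organisation's domain or a subdomain of it."""
    domain = domain.lower()
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def has_stacked_extension(filename):
    """True when a known extension appears before the final one (pdf.pdf)."""
    parts = filename.lower().split(".")
    return len(parts) >= 2 and any(p in KNOWN_EXT for p in parts[:-1])


def header_flags(msg):
    """Return the red flags found in one EmailMessage (modern email policy)."""
    flags = []
    sender = msg["From"].addresses[0]
    recipients = {a.addr_spec.lower() for a in msg["To"].addresses}
    if sender.addr_spec.lower() in recipients:
        flags.append("from-equals-to")
    if not in_org(sender.domain):
        # Not a red flag on its own; it matters when the message claims to be internal.
        flags.append("external-sender")
        name = " ".join(sender.display_name.split()).lower()
        if name in PROTECTED_NAMES:
            flags.append("display-name-impersonation")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and GENERIC_GREETING.search(body.get_content()):
        flags.append("generic-greeting")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if has_stacked_extension(filename):
            flags.append("stacked-extension:" + filename)
    return flags


def build_sample(from_, to, subject, body, attachment=None):
    """Build a constructed test message; nothing here is a captured email."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_, to, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="pdf", filename=attachment)
    return m


# Constructed samples modelled on the two redacted messages on this page.
MOREHEAD_STYLE = build_sample(
    '"Jere W. Morehead" <sender@mail.example.net>',
    "Employee Name <employee@uga.edu>",
    "***ATTENTION REQUIRED***",
    "Dear University Of  Gerorgia Employees,\n\ncomplete the following survey\n",
    attachment="pdf.pdf",
)
SELF_ADDRESSED = build_sample(
    "User Name <username@uga.edu>",
    "Same User Name <username@uga.edu>",
    "URGENT Please read",
    "Dear University of Georgia User\n\nOur record indicates ...\n",
)

if __name__ == "__main__":
    for label, m in (("morehead-style", MOREHEAD_STYLE), ("self-addressed", SELF_ADDRESSED)):
        print(label, header_flags(m))
```

A message that raises none of these flags is not proven safe; the checks only automate the first pass a Phish Spotter makes by eye.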

If you get a suspicious looking email and you think it might be a phish, send it to abuse@uga.edu or contact the EITS Help Desk at 706-542-3106.

If you know that an email is a phish, you can use your delete key - it's a great tool in the fight against phishing.

From: User Name <username[@]uga.edu>
Sent: Tuesday, July 31, 2018 10:58 AM
To: Same User Name <username[@]uga.edu>
Subject: URGENT Please read

UGA logo

Dear University of Georgia User

Our record indicates your email account is not updated, which may lead to the close down of your email account.

Please visit the link h--ps://www.uga.edu/ (we removed the link. It actually pointed to a site that had nothing to do with UGA) to avoid the close down of your account and keep enjoying our services


Sincerely,
University of Georgia Team

Copyright © University of Georgia, Athens, GA 30602

ACTION REQUIRED: I just shared a file with you via Dropbox

Reported July 26, 2018

Wow. This phish came across the staff list serve and our Expert Phish Spotters were all over it! Y'all are amazing! Fresh Phish feels kinda unnecessary right now - but there are plenty of people who don't follow the staff list, so here we go.

So, y'all remember "Hover to Discover"?

  1. move your mouse pointer over the link
  2. resist the urge to click
  3. the arrow will become a pointing finger
  4. a box will pop up showing the link location

Hover to Discover was the fastest way to figure out if this email was legit or not. If you did, this is what you saw:

Dropbox phishing message

The link pointed to a URL that had nothing to do with Dropbox. (You can view a bigger picture of the revealed link if you need to. It will open in this window.)

We know you are curious, so here is a look at the fake Dropbox page - which is a fake OneDrive page (Say what?):

Fake Dropbox page

Do not try this yourself!

Fresh Phish uses security tools to click through safely so we can see what's up and know how to take steps to protect others from being bait for a phish, like blocking the link on campus (so you can't reach the dangerous page).

Need a bigger image of the fake Dropbox/OneDrive page for a closer look? It will open in this window and it's not sized for viewing on phones - it's just too big for that to be useful. (BTW: the red bar at the top of the image is a built in Firefox feature.)

The message itself looks pretty legit. That means it is very dangerous! Many of us use Dropbox, so it would be tempting to click even if we do not know the sender. Not many would notice that the link to a Dropbox page actually went to a OneDrive page.

About the only red flags for this phish are:

  1. do you know the sender?
  2. why would the sender have a file to share?
  3. viewing the file as an unexpected attachment

From: User Name
Sent: Thursday, July 26, 2018 10:00 AM
Subject: ACTION REQUIRED: I just shared a file with you via Dropbox

[Dropbox icon]



Hi There,
(username[@]uga.edu) invited you to view a file via Dropbox.

(We removed the)  Go to folder (link to a fake Dropbox page.)

Enjoy!
The Dropbox team

Tl;dr - the phishers are sending more and more dangerous emails. You need to stay alert to a lot of tricks to catch messages like this one. It definitely illustrates the fact that the criminals are trying to catch us off guard and take advantage of our trust. Pay attention. Stay off the hook.

Meeting Notice - Warning: Long Post

Reported on July 25, 2018

Okay, Phish Spotters, this is the third time we have had a "Meeting Notice" phish this month.

It is also the third time one of our own has become a victim of this type of phish. We need to step up our phish spotting game.

This Meeting Notice is, unfortunately, more dangerous than any of the others we have seen before. It uses a fake CAS page to gather UGA credentials before allowing access to a webpage.

We've seen that before, but:

  1. This time the fake CAS page displays the green lock icon we are used to trusting.
  2. The web address (URL) is an "https://" address we recognize as secure - as in okay to enter our credentials.
  3. It's only when we look at the actual URL that we see it is not a UGA website.

If you noticed that the URL is not for a UGA site, you have gone above and beyond. Few people will check the URL when presented with an authentic-seeming CAS page and a green lock icon. This is a very high quality phish!
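
The same check that "Hover to Discover" performs by eye can be scripted: pull every link out of a message body, compare the words shown with the host the link really goes to, and test that host against the UGA domain rather than trusting "https://" or the lock icon. This is an added example, not part of the original Fresh Phish post or any EITS tooling; the sample HTML, the `.example` hosts, the short shortener list and all function names are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_DOMAIN = "uga.edu"                   # the only domain treated as "ours"
SHORTENERS = {"tinyurl.com", "bit.ly"}   # assumption: small sample list, not exhaustive

# Constructed sample body (not a captured message); wording is modelled on the
# redacted examples on this page and the .example hosts are placeholders.
SAMPLE_HTML = """
<p>Dear User,</p>
<p><a href="https://cas-login.example.net/cas/login">Click here</a> for details</p>
<p>Please visit the link <a href="http://portal.example.org/update">https://www.uga.edu/</a></p>
<p>open with <a href="https://tinyurl.com/placeholder">outlook app</a> to view your message</p>
<p>Official site: <a href="https://www.uga.edu/">https://www.uga.edu/</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host):
    """True only for uga.edu itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def shown_host(text):
    """Host named in the visible link text, or None if the text is just words."""
    t = text.strip()
    if t.lower().startswith("www."):
        t = "http://" + t
    if not t.lower().startswith(("http://", "https://")):
        return None
    return (urlsplit(t).hostname or "").lower() or None


def review_link(href, text):
    """Return the red flags for one link. The scheme is ignored on purpose:
    an https:// address and a lock icon say nothing about who runs the site."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return ["not-a-web-link"]
    host = (parts.hostname or "").lower()
    flags = []
    if not host_is_trusted(host):
        flags.append("non-uga-host")
    if host in SHORTENERS:
        flags.append("shortener")
    shown = shown_host(text)
    if shown is None:
        flags.append("hidden-link")          # e.g. "Click here"
    elif shown != host:
        flags.append("text-host-mismatch")   # text names one site, link goes to another
    return flags


def review_html(html):
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, text, review_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, flags in review_html(SAMPLE_HTML):
        print(f"{text!r:28} -> {href}  {flags or 'ok'}")
```

Note that the first sample link is an https:// address and is still flagged, which is the point of the fake CAS page: the host name decides, not the lock.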

Let's take a look at the two pages.

First the real CAS page. It displays a green lock icon and a UGA web address (arrows) and a link to the UGA Privacy Policy (circled). Display a bigger image of the real CAS page

Real CAS page

This is the fake CAS page. It features a green lock icon and a secure - but non-UGA - web address (arrows). It is missing a link to the UGA Privacy Policy. We circled the place where it should be displayed. This is a small image. See a larger image of the fake CAS page

fake CAS page

Now let's look at the message. Can you spot the red flags? We'll list them under the example.

From: User Name <username[@]uga.edu>
Sent: Wednesday, July 25, 2018 5:55 AM
To: Another User <nothrusr[@]uga.edu>
Subject: Meeting Notice

Dear User,

This is to notify all of an important meeting which is scheduled to hold 26th July 2018.

Click here for details <We removed a link to a phishing site behind a fake CAS login page designed to steal your credentials.>

Thank you.
University of Georgia

The red flags are:

  • the sender: is the sender known to you?
  • is the sender someone who should be sending an 'all hands' meeting notice?
  • a generic subject line
  • you are not addressed by name
  • language slightly off ("scheduled to hold")
  • link not in plain text
  • hovering reveals link not to a UGA site or service
  • message signed by "University of Georgia" (not a person or department / unit)
  • no contact details in the signature

Phishers gonna phish - it's up to us to avoid getting caught.

 

re: jdoe3390 – loveU2 (UGA MyID and password)

Reported on July 19, 2018

If you get today's fresh phish, please respond as follows:

  • Do not panic
  • Do not reply
  • Do not pay up
  • Do not hesitate to report the message to abuse@uga.edu

Blackmail and extortion scams are popping up in inboxes across campus.

Always ugly, this particular type of scam uses threats and intimidation to make you react. The phishers want your money. They are willing to scare you into giving it to them.

Worried about this message?

  • Look at the subject line -
    • Is that your MyID?
      • Quite probably
      • Your MyID is public directory information.
      • Breathe.
    • Is that your current password?
      • No. It's old - Report the message to the Abuse Team, delete it and move on.
      • Yes = Change your UGA password immediately. Call the EITS Help Desk (706-542-3106) if you need help. Then report the message, delete it and move on.

Any time there is a data breach, user names and passwords are gathered up and sold on the internet. Hundreds of criminals could have your MyID and an old password. As long as you don't use that password anywhere else, you should be fine. If you do use that password elsewhere - go change it now.

  • Have you been visiting adult video (porn) sites on your UGA owned computer?
    • No. You have not - You have not downloaded malware from a porn site.
    • Report the message to the Abuse Team (abuse@uga.edu), delete it and move on. 
    • Paranoid? Go ahead - update and run your antivirus program. It won't hurt anything.

If you look for the red flags you will find them, too.

From: Online Criminal <ima.criminal[at]outlook.com>
Sent: Thursday, July 19, 2018 3:55 AM
To:User Name <username[at]uga.edu>

Subject: re: jdoe3390 – loveU2

This is your badluck. I know that loveU2 is your password. More importantly, I know your secret and I have evidence of this. You do not know me personally and no one employed me to examine you.

It's just your hard luck that I stumbled across your blunder. Let me tell you, I placed a malware on the adult vids (porn material) and you visited this site to experience fun (you know what I mean). While you were busy watching video clips, your web browser started operating as a Rdp (Remote control desktop) that has a key logger which provided me with access to your screen and web camera. Right after that, my software program gathered every one of your contacts from your messenger, facebook, and email.

After that I put in much more time than I probably should have looking into your life and generated a double-screen video. First part displays the recording you were viewing and other part shows the recording from your web cam (its you doing inappropriate things).

Frankly, I am willing to forget all information about you and allow you to get on with your regular life. And I am about to present you 2 options that will achieve that. The above choices to either ignore this letter, or simply just pay me $ 3600. Let's understand those 2 options in details.

First Option is to ignore this email. Let me tell you what is going to happen if you select this path. I will send your video recording to all your contacts including family members, colleagues, and many others. It won't help you avoid the humiliation your household will face when family and friends uncover your unpleasant videos from me.

Second Option is to make the payment of $ 3600. We will call this my "confidentiality tip". Now let me tell you what will happen if you pick this choice. Your secret will remain your secret. I will erase the recording immediately. You keep your life as if none of this ever happened.

Now you must be thinking, "I'm going to report to the cops". Let me tell you, I have covered my steps to ensure this email message can't be tracked back to me also it will not stay away from the evidence from destroying your health. I'm not looking to steal all your savings. I just want to be paid for efforts and time I place into investigating you. Let's assume you decide to make all this go away and pay me the confidentiality fee. You'll make the payment via Bitcoins (if you don't know how, search "how to buy bitcoins" on search engine)

Transfer Amount: $ 3600
Send To This Bitcoin Address: 19diopb5QpYyURWZWXf9sWWCwNLjkHRGmH
(It is CASE sensitive, so you should copy and paste it)

Share with no person what will you be transferring the Bitcoins for or they will often not give it to you. The task to get bitcoins usually takes a few days so do not wait.
I have a unique pixel within this email, and right now I know that you've read through this e mail. You have one day in order to make the payment. If I don't receive the Bitcoin, I will send your video recording to all your contacts including members of your family, coworkers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I will erase the video immediately. It's a non negotiable offer, thus kindly do not waste my time and yours. The clock is ticking.

Meeting Notification and Other Phishy Email - A Fresh Phish PSA

Reported on July 16, 2018

Long post ahead.

Did you get one of these Meeting Notification phishing messages in your inbox? Fresh Phish did. And so did many others if the reports to abuse@uga.edu are anything to go on.

This is actually the second time this phish has gone the rounds on campus this month. It's an oldie but a badie, and common as dirt.

Phishing is a type of social engineering. The bad guys send out a message in order to use your trust and desire to be included to trick you into responding. The goal is almost always to get your personal information or your login credentials for a system or site.

How can you spot a phish? In many cases there is a set of "red flags" - common features that should alert you to the danger. Phishing is dangerous - never doubt that - and almost every big data breach has started with a phish.

Red flags in this message:

  • Do you know who the sender is?
    • Always check the sender's name. Question why they would be sending you this message. (We removed the sender's name because Fresh Phish does not point fingers.)
  • You are not addressed by name.
    • Or is your name "Important Message"? We didn't think so.
  • What is the "urgent meeting" about?
    • The lack of details should set your phishy senses tingling.
  • You are asked to take action to learn more
    • This is where trust comes in.
  • The link to "click here for more details" has no context.
    • The link is hidden behind the words, rather than spelled out.
    • Never trust a hidden link or a shortened link, unless you are sure the message is legitimate.
    • We recommend you distrust the request to "kindly" do anything.
  • An official UGA business email will include an identifiable office or person in the signature.
    • University of Georgia is not a person. It's not an office either.

We will likely see more of these sorts of phishing messages as the academic year ramps up. Be alert to them along with variants like "Blackboard Newsfeed" or "New Blackboard Message". (Do not click the link - log in to eLC directly to see if these messages are real.)

Bug Eyed Phishers want your info. Don't let them have it.

From: User Name <username[@]uga>
Sent: Monday, July 16, 2018 8:55 AM
Subject: Meeting notification

Important Message

There would be an urgent meeting tomorrow, 17th July 2018.

Kindly clickhere (we removed the link to a phishing site) for more details.

Thank you.
University of Georgia.

Tl;dr - Expect phishing to ramp up as the academic year does. We expect to see many repeat messages and variations on them. Stay alert. Use your delete key to give phishing the finger.

UGAAlert

Reported on July 13, 2018

This phish is a typical "validate your account" type of phish.

Fresh Phish is happy to point out that it is highly unlikely that your email box is 98.9% full. Fresh Phish polled a few Outlook users and most have plenty of space left, even after being at UGA for several years. (You can find out how to check your UGAMail usage after the UGAAlert phish example.) 

Let's take a quick look at the red flags in this message:

  1. The Subject line does not tell you anything about the content (it's generic.)
  2. You are reduced to "Dear UGA User": You are not addressed by name.
  3. The message tries to make you react without thinking (panic.)
  4. You are threatened with the loss of a service - your mailbox.
  5. You are instructed to take action.
  6. The language in the body of the email is off: "We apologies for any inconveniences..."
  7. If you hover, you'll discover the VALIDATE link goes to a non-UGA site. Place your mouse pointer over the link - do not click it! - to see where it goes.
  8. The exclamation points in the sign off are just bizarre, not to mention unprofessional.

From: User Name
Sent: Thursday, July 12, 2018 6:04 PM
To: Same User Name
Cc: Same User Name Again
Subject: UGAAlert


Dear UGA User

You have used 98.9% of the total data space allocated to your mailbox. To avoid placing your incoming messages on hold or lose them permanently ,we require you to validate your mailbox to expand your data allocation size.

Kindly click VALIDATE (we removed the link to a bogus page) to update your mailbox

We apologies for any inconveniences this might have caused you

Thank you!

Mail administrator!

How can you find out how much space you have in your email inbox?

In Office 365 do the following:

  • Open Outlook
  • Click on the gear icon near your name
  • Select Options from the drop down menu
  • Select Clean UP Mailbox to view your available space

In Outlook on the desktop:

  • Select the File tab
  • Select Info to view your Account Information
  • View your mailbox usage under Mailbox Cleanup

Phishers gonna phish. Don't get caught!

 

Your message has not been delivered to the following recipients:

Reported on July 10, 2018

This phish poses as a Microsoft Account alert - but it's definitely a phishing message.

The red flags are as follows:

  1. Missing pronoun in "Message is Microsoft trusted source"
  2. The message recipient for the fake error is never identified
  3. You are not greeted by name (your email address is not your name, y'all.)
  4. Strange phrasing of "Error Email Delivery"
  5. Threatens to delete your fake "undelivered" messages "if not Deliver in less than 24hrs"
  6. Requires you to take action to prevent deletion of the fake messages
  7. The link to "Release Pending Message" goes to a site in Vietnam (.vn).
  8. The signature is all wrong - no individual is identified
  9. The stop receiving notifications "Options" link points to Google, not Microsoft, Outlook or Office 365.

From: Microsoft Office account <notification[at]outlook.postmater.cat>
Sent: Tuesday, July 10, 2018 1:31 PM
To: User Name <username[at]uga.edu>
Subject: Your message has not been delivered to the following recipients:


Message is from Microsoft trusted source.

Error Delivering Message to Inbox.

Dear [username[at]uga.edu],
This is a system notification for Error Email Delivery.

There are many Undelivered messages for your Microsoft Office account [username[at]uga.edu]. This messages will expire and will be deleted from our main Server if not Deliver in less than 24hrs

Please follow action below to correct Email Delivery Error.

Release Pending Message (we removed the link to a bogus site in vietnam)

Thanks

Microsoft Office account

To stop receiving notifications about your Email delivery?, go to Options (link points to Google)  and turn them off.
This system notification isn't an email message and you can't reply to it.

Message from HR Department

Reported July 9, 2018
 
Well gosh. This phish is a doozy. It's short, it's sweet and vicious - in a knife-behind-the-back sort of way.
 
Where is red flag #1? The subject line: it's in all caps. That should alert you to this message being less than professional. So it's unlikely to be from the UGA HR Department.
 
Red flag #2 is in the greeting: You are a person, not an email address. The HR Department won't substitute your email address for your name.
 
Red flag #3: Punctuation - using a comma at the end of a sentence and failure to capitalize the next word. Oh, and no period at the end of the sentence. Not a professional / business communication.
 
Red flag #4: The use of a hidden / obscured link. If you hovered your mouse over the link it would show as a tiny.url link. This is not a clear link to a UGA site; do not trust it.
 
Plus, why on earth would HR ask you in an email to open an Outlook app to retrieve a message when you are already in Outlook? Does that seem odd to you? It does to us. Why not just send the message in the email? It's a mystery.
 
The EITS Office of Information Security has already blocked this link so no one can click through to the hidden site. Unfortunately, it looks like someone did before it was reported to abuse@uga.edu as a phish.
 
Online criminals have no problem pretending to be someone important to trick you into falling for a phish. Stealing credentials is like shooting phish in a barrel for them.
 
Not sure if a message is legit? If you get a message that seems 'phishy' you can always contact the EITS Help Desk via email or phone (706-542-3106) for confirmation.

From: User Name (username[at]uga.edu)
Sent: Monday, July 9, 2018 12:01:16 PM
To: A Specific Set of Supervisors
Subject: MESSAGE FROM HR DEPARTMENT

 

Dear username[at]uga.edu


You have a new message. open with outlook app (shortened link removed) to view your message

 

User Name
UGA Department | Administrative Position
University of Georgia


Additional contact information
was removed.

REQUEST

Reported July 5, 2018

Out of the sea of "final notice", "meeting notification", and "mailbox quota exceeded" emails rises a spear phish - a phishing email targeting an entire department or group.

Like a hungry shark it tries to take a bite out of an Expert Phish Spotter! And fails.

Whew. Good thing our Expert Phish Spotter was easily able to reel in this spear phish  and report it. It's a very phishy message, but in the wrong mailbox it might have caused some financial havoc. What makes it so dangerous?

  1. It claims to be from an actual UGA Department Head (checking the From address shows it came from a random numbered account at Gmail.)
  2. It was sent to a director in the same department and in this case, the criminals did their due diligence. Fresh Phish replaced the Important Director's real name, but the bad guys actually used it in the email.
  3. In addition, the bad guys used the real Department Head's name as a signature.

It has only a few of the red flags associated with a phish.

  • Odd word choices
  • Strange grammar and punctuation
  • Run on sentences
  • Implied sense of urgency

What tipped off our Expert Phish Spotter? The request in the email. Would your boss ask you to:

  • Buy 5 $100 itunes gift cards
  • Scratch off the silver security strip on the back to reveal the numbers
  • Take a picture of the numbers and send them to me
  • And oh, yeah, I'll pay you back - how do you want that?
  • Forgive me for not calling; because fake reasons
  • So just do what I want. Now.

    Subject: Re: REQUEST
    Date: Mon, 2 Jul 2018 18:17:07 +0100
    From: UGA Department Head <random numbered address[at]@gmail.com>
    To: Important Director <idirecto[at]uga.edu>

    Important Director, I am so tied up this moment, Can you buy an iTunes gift card 5pieces - $100 each? I need you to enable me to scratch the silver board at the back and help me take a reasonable photo of the card including the 16 digits code and send it on here, I would repay you when am through, Let me know how you would need the installment back, either with check or cash, likewise I would have liked to call you however can't get or call right now with my line, I might want you to assist me with it ASAP.

    Respect
    UGA Department Head

    sent from iPhone

A special thanks to P.T. for catching the REQUEST spear phish and alerting the abuse team.

Don't Get Schooled by a Phish

Phishing email can teach anyone a lesson the hard way.

Phishing is designed to trick you into giving away information that online criminals find desirable and useful in committing crimes. We are talking crimes like identity theft or fraud, credit fraud, income tax fraud and computer fraud. Fraud is definitely a theme in online crime.

So what do all those mean?

Identity theft or fraud - Identity theft or fraud is what happens when one person steals another person's personal information and uses it without authorization. It is usually used to commit a crime (like one of the following!) The goal of identity theft or fraud is most frequently economic gain. Yep. It's all about the money.

Credit fraud - It's kind of a wide-reaching term, but at its core credit fraud often involves stealing someone's identity to get credit, use it, and not pay the bills. Credit fraud involves all kinds of credit, including credit cards and loans. So yeah, getting caught by a phish could leave you on the hook for hundreds of thousands of dollars in debt. And you may not know it.

Income tax fraud - This is another broad category. What we are talking about here is someone stealing your personal info to file faked tax returns in your name. The criminals get a hefty tax return and you have to prove it wasn't really you. It could take months for you to get your legitimate tax return. Are you sensing a pattern?

On a related note, at tax time there is commonly a rash of fake IRS phone calls. Someone claiming to be from the IRS says you owe them money. They might threaten to send local law enforcement around to arrest you if you don't pay right then and there. (You can find out more about IRS scams in an earlier post.)

Computer fraud - This is using a computer to steal or change electronic data, or to gain unlawful use of a computer or system. Most major information security breaches start with a phishing attack. This is why you see phishing emails that ask you to confirm your account or password. Do not do this, m'kay?

Here are four things to remember:

  1. EITS will not send you an email asking you to confirm your user name and password.
  2. UGA will never ask for your password in an email.
  3. Any MyID password change, refresh or update will always take place on the MyID Tools and Information webpage.
  4. If you are ever in doubt about what may be a potential phishing email, call the EITS Help Desk at (706) 542-3106 or forward the email with its headers to abuse@uga.edu.

This is a good place to point out that phishing is not limited to email. Phone and text phishing happens too.

So be careful out there. Take time to think before you react to any email, phone call or text that asks for your personal information or login credentials, threatens to take away a service, or makes outrageous claims. Paying attention can help you avoid getting schooled.

Phishers gonna phish.

 

Meeting Notification

Reported on June 15, 2018

Okay, Phish Spotters!

You are making a big splash reporting the current phish that's making waves. It’s a good thing, too. This phish is posing as a University-wide meeting invite and going out to a lot of inboxes.

Let’s fillet this phish:

  • “Dear Faculty/Staffs/Students” – so, about 50,000 people are informed of a meeting…
  • Generic greetings like “Dear Faculty/Staffs/Students” are a red flag.*
  • “This is to notify all of an important meeting which is scheduled to hold 15th June 2018.” - And they want EVERYBODY to attend. Today. That's a time limit - and a red flag.
  • But the meeting is not important enough to tell you when or where. Or what it's about. That's phishy: lack of details can also be a red flag.
  • Then the phishers include a “Click here” link “for details” – to send you to a fake CAS login page.  (Using “Click here” as a link is another red flag!)

This fake CAS page is identical to the real one with two exceptions –

  1. There is no secure page lock icon in the browser address bar
  2. The web address is completely wrong.

If you enter your MyID and Password, you are redirected to the real CAS page. It looks like you made a mistake and got dropped back to try again.

But don’t be fooled! Your credentials have been stolen.

It’s time to change your UGA password.

From: User Name (username[at]uga.edu)
Sent: Friday, June 15, 2018 1:06 PM
Subject: Meeting Notification

Dear Faculty/Staffs/Students,

This is to notify all of an important meeting which is scheduled to hold 15th June 2018.
Click here <link to a bogus CAS login page removed> for details.

Thank you.
University of Georgia.

* Red flags are warning signs: they are indicators of a possible phishing attack. To learn more about red flags in phishing, visit the EITS Phish Tank.

Nikita Mexia has shared OneDrive Important files with you

Reported June 13, 2018

Sweet whole wheat biscuits!

This sort of phishing message is one of the last things any of us need, all y'all.

It's generic enough to catch a lot of people off guard, especially if they are:

  • students getting ready for midterms or gearing up for a class project
  • attending a conference or training (if you read statement as "bill")
  • collaborating with others on creating a new online class
  • paying bills on business accounts (once again - statement can be a bill)

or expecting a file in OneDrive and not reading carefully.

Fresh Phish expects that students may be a bit more inclined to click on this one. Why? How many of y'all out there know the names of every other person in class with you right now?

Remember, phishers know y'all are busy. They probably know y'all use Office 365. And they can guess that "OneDrive" is going to tempt y'all into clicking.

There aren't many red flags in this one:

  1. The sender's email is a University of Leeds account in the UK.
  2. The recipient is not addressed by name.
  3. If you hover over "here" or the document link you can see the link goes to a ".za" address (that's South Africa).
  4. The unexpected .pdf could hide malicious software or direct y'all to a web form that would prompt for your user name and password
  5. And of course, if y'all can't open the document, there's no telling where that reply to email address may really take you.

From: Nikitia Mexia <N.Mexia[at]leeds.ac.uk>
Sent: Wednesday, June 13, 2018 2:20 PM
Subject: Nikita Mexia has shared OneDrive Important files with you

Nikita Mexia has shared OneDrive Important files with you. To view them, click here (the link to a doc hosted in South Africa has been removed) or the link below.
 
Course_statement.pdf (The link to a doc hosted in South Africa has been removed.)

This file is for your attention, let me know if you have problem opening it.

Be careful out there, y'all. We all know phishers gonna phish.

Email Update (Important)

Reported June 11, 2018

ATTENTION. ATTENTION. This is the Fresh Phish Phishing Alert System.

If you receive the message in the example below delete it immediately. This email is a phish.

Repeat: This email is a phish. An online criminal has launched a phishing attack against inboxes that are part of the University of Georgia's UGAMail Service.

Delete phishing immediately or report any suspicious email messages to abuse@uga.edu for investigation.

Someone at Fresh Phish is showing their age. But that doesn't stop them from knowing that the email in our example is bogus. You can too. How?

Do a sense check. Read the email slowly and ask yourself if the message makes sense. If you do, you'll notice that:

  1. There is no Infotech Help Desk at UGA
  2. Official UGA communications do not come from gmail email addresses
  3. It's full of techy jargon to misdirect you from its harmful intent.
  4. It asks for your username and password
  5. It threatens loss of folders and access to make you react without thinking.
  6. It's full of random capitalization, punctuation errors, run-on sentences, odd word choices and more.
  7. The signature is definitely not a professional sign off: There is no contact information in the signature.

A big shout out for M. P. for reporting this phish. Thanks, M. P.!

From: Infotech Help Desk (infotech.uniservice[at]gmail.com)
Sent: Friday, 6/10/2018 1:53 AM
Subject: Email Update (Important)

We are upgrading our database Server from our Old Server (No420134x) to a New Server (No521093x), this is and extreme measure to check against frequent email hack and to link all email account to the school data base directory fo easy accountability, validity and better services.

Please you are require to provide the Help Desk Centre with following information at Technical.uniservice[at]gmail.com (dangerous email link removed).

  1. your email I.D.
  2. your email password

NB: Unverified email will lose information in email folders and will not have access to full features and information in the university database.

All your details is strictly confidential and is not to be disclosed.

Uga.edu Web Admin
©Support Administrator All rights Reserve

Phishing Phonecalls? Say What!?!

Reported May 31, 2018

Yep. Fresh Phish usually focuses on email messages, but phishing happens in other ways too. It's pretty common for the Bad Guys to go phishing on social media, in text messages and on the phone.

Recently there have been a few reports of phone phishing on UGA phones. Thanks to Expert Phish Spotters M.D. and D. L. G., we have a chance to get ahead of the Bad Guys. You deserve a big shout out for reporting the problem. Thank you.

So how does phone phishing work?

Your phone rings.

You pick up and someone on the other end says they are calling from Microsoft. (They are not. Microsoft does not make unsolicited support calls to fix your computer.)

They say, "We got a report that your computer has a virus, and is sending out a lot of information over the internet." (It is not.)

The fake Microsoft tech then offers to:

  • fix it for you
  • sell you an antivirus solution
  • or access your computer remotely so they can repair it

All of these choices are scams.

Choose the fix and the caller will demand your credit card number. Later they will abuse it. Nothing will get fixed, because there was nothing wrong to begin with. If they send you something to install, it's likely to be malware.

Same thing for the antivirus solution. Wave bye-bye to your credit card number and say hello to malware. You might get directed to a website to download a program to fix your computer. You could end up with a program that gives the caller:

  • remote access without your consent
  • the chance to drop a spy program
  • any personal and/or financial information on your computer

Giving a random caller remote access to your computer is just a really bad idea. So don't do it, M'kay?

What should you do if you get a call like this?

  1. Write down the phone number from your caller ID.
  2. Make note of the caller's name.
  3. Hang up. You can thank the caller if you want, but avoid sharing any information about your system.
  4. Report the call to your friendly departmental IT person. They need to know about the scam in case others start getting the same call.

This is an old scam: The Bad Guys keep using it because it works.

Tl;dr - Fake Microsoft techs are cold calling UGA offices. They claim your computer has a virus. It's a scam. Don't fall for it.

Hi There

Reported on 5/17/2018

Don't you just hate it when phishers prey on vulnerable students? Oh, wait. They do that all the time.

It doesn't make it any better when the bad guys pose as a legit office like Financial Aid and offer fake job opportunities. And they had the nerve to use the UGA logo to trick you into thinking the email is real.

First: This email is a phish. Do not be fooled. It's designed to steal personal information. Once the phishers hook you with the promise of money, they will work to get even more information out of you. After all, your employer needs your Social Security number, right?

You are expected to fill in an online application form. What a great opportunity for the bad guys to get even more information they can use to take out loans and credit in your name.

Second: Think about the numbers. If this email goes out to everyone who may receive financial aid, that would be thousands, if not tens of thousands, of job applications in response. Not many companies could cope with that number of applications coming in.

But the online crooks would love that high response rate. Hundreds of thousands of identities they could use? You betcha. Just think of the credit fraud they could perpetrate before they are caught! If they are caught. And it could take years for the victims to notice.

Third: There are red flags in this message.

The biggest red flags are:

  • The subject line is generic. It's designed to make you read further.
  • You are not addressed by name. Shouldn't the sender know who you are?
  • Business titles are included, but no actual names ("Director, Financial Aid." and "Recruitment Team Retail Shopper Express LLC ©2018").
  • Poor use of punctuation and strange phrasing (missing pronouns and odd verb tenses, such as "Evaluation agent are").
  • The offer is just too good to be true.

A big shout out to Expert Phish Spotters T.P. and D.M. who were early reporters. And to everyone else who either sent this email to abuse@uga.edu  or hit the Delete key to give phishing the finger.

Phishers gonna phish.

From: User Name (username[@uga.edu])
Sent: Friday, May18 2018 2:52 PM
Subject: Hi There

Office of Financial Aid 220 Holmes/Hunter Academic Building. Athens, GA 30602-6114.Phone: (706) 538-5647.

[Image: UGA logo]

Job Opportunity!

See below flexible evaluation agent job opportunity which should be of great benefit to you and could be part of with a good pay as well.

Thank you,

Director, Financial Aid.

 

What does an evaluation agent do?

An evaluation agent visit specific stores like like Walmart, Argos, Western Union, restaurants, shopping store etc,And businesses anonymously for the purpose of observing and reporting on the quality of customer service delivered. The answers submitted by our evaluation agent enable clients to make employment decisions, reward staff for excellent performance, redirect staff who perform poorly and evaluate adherence to company service standards.The evaluation agent process begins with on-line training, depending on the job assignment. After completing initial education our evaluation agent are able to select assignments, complete jobs by visiting a site or performing a telephone evaluation and finally entering job data into the online database.

 

Why should I become an evaluation agent?

Being an evaluation agent is well suited to anyone who would benefit from:

    * Receiving free products and/or services (on certain assignments).

    * Highly flexible hours.

    * Contributing to a higher level of customer service.

    * Having a diverse number of shopping experiences.

    * You'll be able to participate in educational sessions via online training;You do not pay for this.

 

How much does an evaluation agent get paid ?

Evaluation agent are independent contractors who receive rewards in the form of gift vouchers,or bank deposits. In addition, on many assignments, free goods and/or services are also available. The amount you will get paid varies by the type of assignment you complete. Payments generally range between $300 to $400 per assignment.

 

Do evaluation agent work part-time or full-time ?

Evaluation agent should be considered part-time or casual work.

 

Do I need previous experience as an evaluation agent?

NO, previous experience is not necessary.Agents are recruited based on the information provided in their online application form, their aptitude and ability to meet assignment requirements.We offers extensive online training which will broaden your understanding of the job,And assist you in becoming a highly effective agent.

Remember, NO APPLICATION FEES,It does not cost you anything to get started.Send a reply to Unkownperson@anon-UGAwebsite (link removed) with your information if you are interested.

Full Name:

Mobile Phone Number:

Full Address:

Gender & Age:

Occupation:

Personal email address:

 

Sincerely,

Recruitment Team Retail Shopper Express LLC ©2018

Tl;dr - Never trust unsolicited job offers. A logo does not make an email legit. And remember, if something seems too good to be true? It's likely to be fake.

UGAAlert Revisited: The Phone Version

Reported on 4/11/2018

We are sending a special shout out to BWS and SF for getting a screen shot of the mobile version of the infamous UGAAlert phishing message to us!

Why are we so excited?

Messages can look totally different depending on how they are displayed. It's possible to respond to a message on one device that you would never click on in another. (Compare this mobile version of the phish with the text version reported on 3/7/2018.)

Plus we tend to respond more quickly on our phones while we check them on the go.

Here is a quick run through of the red flags, okay?

  • The Sender
    • The EITS Help Desk rarely sends email from a single individual
  • The Subject
    • The terminology is wrong - We use UGA Alert for a specific reason
  • The Body
    • The entire message is run together - it's one big sentence.
    • Take a look at all those random capitalizations - they are all over the place.
    • The language is off - "wait for respond from our Help-desk Service Team".
    • EITS won't ask you to verify / validate your account in an email.
    • EITS won't threaten you with account closure.
    • EITS won't tell you to provide your credentials and then wait for us to contact you.
  • The Links
    • EITS will spell out all links and not use CLICK HERE or similar link language.
    • EITS Help Desk's email does not have a hyphen in it.

Be careful out there.

[Image: screenshot of the mobile phishing message]

 

UGAAlert

Reported on 3/7/2018

Is this email "legit"? Nope. Not one eentsy bit.
 
  • The entire message is run together - it's one big sentence.
  • Take a look at all those random capitalizations - they are all over the place.
  • The language is off - "wait for respond from our Help-desk Service Team".
  • The terminology is wrong - We use UGA Alert for a specific reason and our Help Desk is not hyphenated.
  • EITS won't ask you to verify / validate your account.
  • EITS won't threaten you with account closure.
  • Plus - take a look at the last phish we posted. It is almost identical to this one.

    From: User Name
    Sent: Wednesday, March 7, 2018 4:22 PM
    Subject: UGAAlert

    Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <we removed the link to a bogus page> for verification to avoid account closure, wait for respond from our Help-desk Service Team.



    Thank you,

    Enterprise Information Technology Services (EITS)
    University of Georgia
    help-desk[@]uga.edu <mailto:help-desk[@]uga.edu>

A big thank you to all the amazing Phish Spotters who sent this message in to abuse@uga.edu so we could get the word out to the rest of campus! You're the best.

 

Administrator Team

Reported on 2/26 - 27/2018

Sweet whole wheat biscuits! Our Expert Phish Spotters were all over this message.

Y'all have done Fresh Phish proud. Keep up the good work. Each time one of you reports a phish, you help keep UGA systems and accounts - yours included - safer.

Let's take a good look at a copy of the actual message. It's a classic phish with the top 6 red flags:
 
  1. "Dear UGA User" (You are not addressed by name.)
  2. Strange run-on sentences.
  3. A deadline (implied as right now or we will close your account.)
  4. Implied account closure.
  5. A 'hidden link' behind "Click Here" (EITS uses full link text that you cannot click.)
  6. No contact information for EITS.

 

From: User Name
Sent: Tuesday, February 27, 2018 2:25 PM
Subject: Administrator Team

Dear Uga User,

Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <We removed the link to a fake page at a webhosting> for verification to avoid account closure, wait for respond from our Helpdesk Service Team.


Warm Regards,
Helpdesk Administrator.

Now, just for fun, let's translate this message into Phisher-speak:

 

Hey you. Yeah, we don't know your name and we don't care,

We are lying to you to try to convince you that someone else signed in to your account from... someplace. We can't be bothered to make up a place. So, just trust us and click the link, m'kay?

Then you can give us your credentials. We will lie to you again, to make you panic by threatening to close your account.

Then you can wait for us to get back to you. As if.

Warm Regards,

The Bad Guys

Those bad guys are soooo disrespectful. Phishers gonna phish.

 

Account Payable Share A File With You

Reported 2/27/2018

Okay, so you get an email that says "Account Payable" has shared a document with you (just like our example.) What is the first thing you would do?
 
An Expert Phish Spotter would take one look at this email and delete it without a second thought. Why?
 
  1. First, the title of the attachment. It is poorly written. And unless you are expecting something from Accounts Payable at UGA, the attachment is clearly a lure.
  2. And many Expert Phish Spotters know that ".msg" files as attachments often hide malicious software.
  3. Next, the sender (we removed his name to protect the mostly innocent) is at another university. Why would a UGA business office send you something through another university email system?
  4. Uh-oh. You are not directly addressed by name. "Dear Uga User" could be anyone. Plus the "Uga" part is all wrong.
  5. The language used in the body of the email is just plain wrong.
  6. Mousing over the View Document link would reveal a OneDrive file link.
  7. And what about that signature? Don't get us started on the unprofessional sign-off!

Be careful out there.

[Image: Account Payable email attachment]

From: User Name (username[@]adifferent.edu)
Sent: Tuesday, February 27, 2018 10:44 AM
Subject: Account Payable Share A File With You

 

Dear Uga User,

Account Payable sent you an Important and Secured document

View Document <We removed a link to a treacherous OneDrive file.>

 

Enjoy!

  The Office Doc’ Team

 

© 2018 Office doc

Verification

Reported 2/13/2018

Wow. Y'all are amazing! So many Expert Phish Spotters reported this email that Fresh Phish could hardly keep up. A shout out goes to the first Phish Spotter, JS, who reported this attempt Tuesday night - Way to go!

If anyone out there recognizes the bogus webpage with the big blue cloud as a place they filled in their info, please change your MyID password as soon as you can.

Here is a quick review of the major red flags in the message:

  • "Dear UGA Account Owner" (You are not addressed by name.)
  • Strange grammar and punctuation (...you must fill our verification form...)
  • A deadline (...immediately.)
  • Implied loss of service (if you don't fill out the form accurately, your contacts and documents won't be saved.)
  • A 'hidden link' behind "CLICK HERE" (EITS uses full link text that you cannot click.)
  • No contact information for EITS (The UGA Internet Access? Really?)

Let's take a look at the red flags on the bogus webpage, too:

  • The University of Georgia logo is obviously pasted on
  • The site is powered by Weebly - you won't see that on official EITS pages
  • The form fields are poorly labeled (Re-password especially)
  • "Simply fill these form" in the upper right corner

Phishers gonna phish.

From: User Name
Sent: Tuesday, February 13, 2018 7:39 PM
Subject: Verification

Dear UGA Account Owner,

To complete your Account- UGA Webmail email account settings, you must fill our verification form immediately and provide the information requested. To SAVE your contacts and documents in your Mailbox, you are requested to fill in the verification accurately,

********************************************************************
Click on the link below and follow procedures as advised bellow
To Upgrade Your UGA Internet Access Settings! CLICK HERE<link to a bogus page at a webhost has been removed>!
Thank you for your Co-operation.
Copyright ©2018 The UGA Internet Access


Support Privacy
Terms of Service
© 2018 UGA

 

[Image: form on the phishing site]

Tax Fraud Season - Warning! Long Post Ahead

Tax fraud is big business. Criminals steal your Social Security number, make fake W2s and file a tax return while claiming to be you. Even if you don't expect a refund you can still be a victim of ID theft and tax fraud.

File your taxes as soon as you can. Beat the bad guys. If you don't you may end up being the one who has to prove who you are. It can take several months, if not longer to get your refund back if you get caught up by a scam.

Last year was a rough one - the IRS lost a lot of taxpayer information and Equifax got hit hard in a data breach that affected millions.

2018 Dates to know:

Filing Deadline -  In 2018 the official tax deadline is Tuesday, April 17th. (April 15th falls on a Sunday and the 16th is Emancipation Day in Washington D.C.)

Possible Delays - You should also be aware that refunds that claim Earned Income Credit or Additional Child credit are likely to be delayed this year. It seems that criminals love to use those credits for tax fraud, which means more work for the IRS to confirm the credits are legit.

Popular scams to look out for in 2018:

Tax relief scams - These don't seem to be as big this year, but if someone offers to reduce your taxes be alert to scams. Especially if money needs to be paid up front (the scammers will take it and run). If you need to use a tax relief business, check them out thoroughly first.

Federal Student Tax – Did you receive a bill for the Federal Student Tax this year? No? Good, because it doesn’t exist. Be prepared. You may be contacted by scammers if you are a student or the parent of a student.

Phishy Tax Preparers - Criminals may claim to be Tax Preparers to trick you into giving away your personal information. If you get an unsolicited email from a tax preparer, avoid clicking on links or opening attachments. Just delete the message. Also, if any tax preparer asks you to pay cash for part or all of your taxes, that's a huge red “it’s-a-scam” flag.

Fake IRS Agents

Every year criminals posing as IRS agents call and attempt to scare you into complying with their demands.  Don’t be fooled! If there is a problem, the IRS almost always makes first contact by sending a letter through the US mail.

Have you gotten a call from a bogus IRS agent? Scammers like to use common names like John Jackson, Mike Smith or Anne Jones when posing as IRS agents. If they give you a badge number, they’ll often say it too fast for you to jot down. How do you tell the real agents from the fake ones?

Real IRS agents will not:

  • leave a phone message demanding immediate payment
  • use intimidation or threaten to have you jailed, deported or otherwise detained
  • ask for a specific type of payment (cashier's check, cash, money order, bank transfer, prepaid debit card, wire transfer, gift card etc.)
  • ask you to pay over the phone with a credit card or debit card
  • call you to verify tax information or personal details
  • ask for your social security number in an email, text or phone call
  • ask for your bank account number in an email, text or on the phone
  • call to let you know you are eligible for a huge refund
  • email you telling you to update your e-file account
  • direct you to a webpage that begins with anything other than https://www.irs.gov/ (be alert to bogus sites like irsgov.com, irs.com, irs.net or irs.gov.com)
  • send you a tax transcript you did not request (getting one may indicate you're an ID theft victim)

Criminals often spoof phone numbers so your caller ID might display the correct IRS phone number or ID when a scammer calls. Bogus IRS calls happen so frequently that the IRS has an "IRS Impersonation Scam Reporting" website.

Talk to older family members about fake IRS calls. Criminals won't hesitate to bully older family members into complying with their demands.

Filing Online - Be super careful when filing your taxes online. Only do it on a secure computer connected to a secure network. Unencrypted connections can easily be intercepted by crooks who are watching for them. The crooks insert themselves into your transaction and grab your personal information without alerting you to the attack. So, no filing your taxes at the local coffee shop, even if you really need the caffeine.

Tips for avoiding tax time scams:

File your taxes early! Get your refund in before the criminals do. Even if you owe taxes this year, the criminals can file a fake return that may launch an IRS investigation. Protect yourself.

Be alert to the fact that successful early filing does not guarantee that your personal information is safe.

Use the "Where's my Refund?" tool at the IRS site to track the status of your refund.

Consider getting an Identity Protection PIN (IPPIN) from the IRS if you qualify. Use your IPPIN along with your Social Security Number to make filing your taxes more secure.

Know your rights as a taxpayer. Didn't know you had any? Check out the Taxpayer Bill of Rights for more information.

Stay informed. The IRS has a page about Tax Scams and Consumer Alerts and a Google search will get you a lot of information.

Other actions:

Get a phishy email? - If you get an email claiming to be from the IRS you can forward it to phishing@irs.gov

Think you're a victim of ID Theft? - Tell the IRS right away! File a form 14039 to report the theft of your identity. The IRS will send you a letter with follow up instructions (it can take a while.)

Phony IRS Agents? -  Report the call to the Treasury Inspector General for Tax Administration (TIGTA) via their IRS Impersonation Scam Reporting web page or call (800) 366-4484.

Let the Federal Trade Commission (FTC) know via their FTC Complaint Assistant. Include "IRS Telephone Scam" in the notes to let the FTC know what’s up.

Tl;dr - Protect your identity and your refund this tax season. Don't fall for scams or fake IRS agents and file your taxes as soon as you can.

 

Something went wrong : update your payment method

Reported February 3, 2018

Let's start with a shout out to LJ, who was the first person to report this email. Thank you, LJ!

Netflix scams are pretty common. This particular one is similar to one that has made the rounds at least once before.

A close look at this message should set off your phishing alarms. Starting at the top:

  • The message is from Service at a site called prime-excel  - not from Netflix
  • Don't you think it's strange that they want your money, but don't know your name? - "Dear Customer" is a tip off that the message is a phish.
  • Read the body of the email carefully:  The writing is a bit wonky, don't you think?
  • "visit [the URL] to Netflix ..." -  Does that seem like something a real company would write? - Clicking the link will take you to a fake login page where the phishers will collect your user name and password and pass you to a form where you can give away your credit card information too.
  • That 1-888 phone number is not the Netflix Help Center number. The phishers are counting on you just calling the number. They will pretend to be Netflix if anyone calls.

If you are worried about the email, open a new window in your browser, type Netflix.com in the search bar and log in as normal.

Or you could just Google "Netflix scam" and find out all about this email and others like it.

From: Service [mailto:service[@]prime-excel.com]
Sent: Saturday, February 3, 2018 7:03 PM
To: User Namer <usernamer[@]uga.edu>
Subject: Something went wrong : update your payment method

NETFLIX Team Service
Please update your payment method


Dear Customer,


Sorry for the interruption, We were unable to bill your membership for the current month. To ensure that the service will not be interrupted, visit www.netflix.com/update-accountpayment  [We removed the shortened link that pointed to a bogus page designed to steal your payment info] to Netflix then you will be prompted to update your payment method.


Need help ? Were here if you need it. Visit the Help Center or contact us now.


Your friends at Netflix


Questions? Call 1-888-811-9842


This account email has been sent to you as part of your Netflix membership. We may also send email about enhancements to the Netflix service, tips for getting the most out of your Netflix membership, and special offers. To change your email preferences at any time, please visit the Communication Settings page for your account. Please do not reply to this email, as we are unable to respond from this email address. If you need help or would like to contact us, please visit our Help Center at help.netflix.com. This message was mailed to you by Netflix. SRC: 12618_7786_1_en_CA Use of the Netflix service and website is subject to our Terms of Use and Privacy Statement. 100 Winchester Circle, Los Gatos, CA 95032, U.S.A. https://help.netflix.com/help

 Tl;dr - The phishers are at it again, and they are targeting your Netflix account username, password and credit card information. The phish is recycled, but it is still catching some people off guard.

Phishers gonna phish.
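The checks a Phish Spotter does by eye on the Netflix message (sender's domain, generic greeting, link text that shows one address while the link goes somewhere else) and the irs.gov lookalike list from the tax post can also be scripted. This is an added example, not part of the original posts: the HTML body, the `short.example` link target and the flag names are constructed for illustration, and the sender address is kept in the defanged form shown on the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

GENERIC_GREETING = re.compile(
    r"dear\s+(customer|uga\s+user|uga\s+account\s+owner|faculty/staffs/students)", re.I)
URL_LIKE_TEXT = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
# Lookalike names quoted in the page's tax-season post.
IRS_LOOKALIKES = ["irsgov.com", "irs.com", "irs.net", "irs.gov.com"]


def hostname(value):
    """Lower-cased host of a URL; a bare 'www.example.com/path' is accepted too."""
    if "://" not in value:
        value = "https://" + value
    try:
        return (urlsplit(value).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def host_matches(url, domain):
    """True only if the host is exactly `domain` or a subdomain of it.

    A substring test is not enough: 'irs.gov.com' contains 'irs.gov'.
    """
    host = hostname(url)
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def red_flags(raw_email, claimed_domain):
    """Return the sorted red flags found in a message that claims to come
    from `claimed_domain` (for example 'netflix.com' or 'uga.edu')."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    flags = set()

    # Reported samples are often defanged ("[@]"); undo that before parsing.
    _, sender = parseaddr(msg.get("From", "").replace("[@]", "@"))
    if not host_matches(sender.rpartition("@")[2], claimed_domain):
        flags.add("sender-domain")
    if GENERIC_GREETING.search(body):
        flags.add("generic-greeting")

    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        if text.lower() in {"click here", "here"}:
            flags.add("click-here-link")
        # Link text that looks like an address but leads to another host.
        if URL_LIKE_TEXT.match(text) and hostname(text) != hostname(href):
            flags.add("link-text-mismatch")
        if not host_matches(href, claimed_domain):
            flags.add("link-off-domain")
    return sorted(flags)


# Constructed HTML rendition of the Netflix message shown above.
SAMPLE = """\
From: Service <service[@]prime-excel.com>
Subject: Something went wrong : update your payment method
Content-Type: text/html

<p>Dear Customer,</p>
<p>We were unable to bill your membership for the current month. Visit
<a href="https://short.example/x1">www.netflix.com/update-accountpayment</a>
to update your payment method.</p>
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE, "netflix.com"))
    for name in IRS_LOOKALIKES:
        print(name, host_matches("https://" + name + "/", "irs.gov"))
```

A message sent from a compromised campus account passes the sender check, which is why the link checks are kept separate from it.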

Fresh Phish PSA: Unsolicited Job Offers in Your Inbox

Spring is in the air and graduation is coming up fast; so are bogus job offers. Phishers love to offer bogus jobs at routine times of the year.

Around Christmas we see a lot of Secret Shopper offers. And work from home jobs.

In the spring the bad guys try to tempt soon-to-be grads with prestigious sounding internships or summer work.

How do you spot these scams? Here are a few tips:

  • The phishers reach out to you; sometimes they claim to have found your resume online, or that their attention was caught by your profile on LinkedIn.
  • The money / salary on offer seems just too good to be true.
  • The job description tends to be vague or the message does not state requirements for education or experience level.
  • The reply-to email address seems odd; it may be a Yahoo or Gmail address.
  • Just remember, no company is going to offer you a job out of the blue, not even knowing who you are.
  • If the so-called company asks for any personal information or asks for money as a consideration, walk away.
  • Use caution when considering jobs that come across social media sites: Scammers are known to prowl social media sites.
  • Google is your friend. You may save yourself a world of hurt just running a simple search to check out a job offer.

Be careful out there.

Follow Up & URGENT: You have a secure message

Reported January 4 - 5, 2018

Welcome to the new year and new phishing attacks.

In the last couple of days Fresh Phish has seen some incredibly shiny lures in our inboxes. The two that follow really made us sit up and take notice.

The first message really is a first: The first Docusign phishing message we have seen.

For those who are not familiar with Docusign, it's a service that lets you exchange and sign documents with digital signatures. So if you have a document that needs to be signed by someone in another city, state, or even another country, you can use digital signatures to complete your business electronically.

The Docusign phish (Message 1) looks legit. If you commonly do business online, it may very well fool you. It is clean, professional and extremely tempting to click the button to "Review Document". In fact, it is among the best phishes we have ever seen.

Expert Phish Spotters were slow to report this message, which leads us here at Fresh Phish to believe it may have been very tightly targeted. So how did our experts catch this phish before it caught them?

Their carefully honed phishing radar was set off when they noticed that the sender and recipient were the same person.

Plus they didn't have any investment business transactions to complete. Yep. That last line was the clincher. Why would anyone send an investment document for your signature if you had no investments to review and sign off on?

The "One Drive" phish (Message 2) is far from well done. It offers a lot of red flags useful in spotting a phish:

  • It comes from One Drive - a service naming error - rather than OneDrive
  • The One Drive service email address is at another university
  • It has been sent to a uga email address rather than a specific person
  • The language used in the body of the message is designed to sound official
  • The link points to a hotel site (likely compromised or bogus)
  • Getting a secure message from One Drive and not an encrypted email via Office 365 should be enough to cause a head tilt

Message 1

Docusign phishing message

Message 2

From: One Drive <onedrivemsg[@]anotheruniversity.edu>
Sent: Thursday, January 4, 2018
To: username
Subject: URGENT: You have a secure message
 

(Official looking OneDrive logo here)

 Dear username[@]uga.edu

You have a message waiting for you within the one drive communications area.

Click here (Link to a hotel site removed for your convenience) to view message     

               

One Drive Cloud © 2018 . All rights reserved.

Tl;dr - Some of the recent phishing messages in our inboxes have been highly professional. Take time to really look at your messages before responding: Resist the urge to follow the link or click on the button. We know it's hard. Curiosity is a very human trait. But applying a bit of attention and critical thought can save you from the headache of compromised credentials.
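For readers who triage reported mail, three of the red flags from the critiques above can be checked mechanically: sender and recipient identical, a brand name arriving from an unrelated domain, and link text that shows one address while the link goes somewhere else. The sketch below is an added example, not part of the original Fresh Phish page. The brand-to-domain map, the function names and every address and link in the samples are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand -> sender-domain map, for illustration only.
BRANDS = {"netflix": {"netflix.com"}, "onedrive": {"microsoft.com"}}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host(url):
    h = urlparse(url if "//" in url else "//" + url).hostname or ""
    return re.sub(r"^www\.", "", h.lower())

def under(h, domains):
    return any(h == d or h.endswith("." + d) for d in domains)

def red_flags(raw):
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    rcpt = parseaddr(msg.get("To", ""))[1]
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    flags = []
    if sender and sender.lower() == rcpt.lower():
        flags.append("sender-equals-recipient")
    # Brand named in display name, subject or body, but sent from an unrelated domain.
    text = re.sub(r"<[^>]+>|\s+", "", f"{name} {msg.get('Subject', '')} {body}").lower()
    for brand, domains in BRANDS.items():
        if brand in text and not under(sender.rpartition("@")[2].lower(), domains):
            flags.append(f"brand-mismatch:{brand}")
    # Visible link text reads like a URL, but the href leads to a different host.
    for href, label in ANCHOR.findall(body):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if URLISH.match(label) and host(label) != host(href):
            flags.append("link-text-mismatch")
    return flags

# Constructed samples modelled on the messages above; addresses and links are placeholders.
NETFLIX_LIKE = (
    "From: Service <service@billing-notice.example>\n"
    "To: User Namer <usernamer@campus.example>\n"
    "Subject: Something went wrong : update your payment method\n\n"
    "<p>NETFLIX Team Service</p><p>visit "
    '<a href="https://short.example/x1">www.netflix.com/update-accountpayment</a></p>\n')
SELF_SENT = (
    "From: User Namer <usernamer@campus.example>\n"
    "To: User Namer <usernamer@campus.example>\n"
    "Subject: Please review and sign\n\n"
    '<a href="https://signing.example/doc">Review Document</a>\n')
```

These are heuristics: a message from a friend that merely mentions a brand would also trip the brand check, so treat a flag as a reason to look closer rather than as a verdict.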


Additional Resources