Skip to Main Content

Fresh Phish

As part of our phishing awareness campaign, Fresh Phish features recent phishing attempts directed at the UGA campus.  These emails have been reported by UGA faculty, staff and students who are alert to the dangers of scams and phishing attacks.

Messages are listed by subject line and date reported. A brief critique of each message is included to help you spot the red flags - the features found in most phishing emails - and the common patterns that can alert you to the potential dangers in your inbox.

Every once in a while you will notice that the name of the sender has been changed in an example. Why? It was a real person. And there's no reason to be mean or point fingers. Just imagine your name in place of "User Name" and you will understand why we chose to make the switch.

For some not-so-Fresh Phish, visit the Fresh Phish Archive for 2016 or 2017 where we have older examples of phishing email so you can see how phishing attacks get re-used.

Economic Impact Payment Scams

Reported April 16, 2020

Okay All Ya'll. Our economic impact payments are prime pickings for scam vultures.

Wait. Did you forget that the official term for the check we're all anticipating is "economic impact payment"?

We've all been referring to our "stimulus payment" or "stimulus check" for so long we've gotten comfortable with those terms. Scammers are comfortable with them too.

Why is that important?

You're right!

If someone contacts you about your "stimulus payment" or "stimulus check" that is a red flag!

Scammers may still contact you about your economic impact payment, so you have to stay alert. That can be challenging, especially when we are all distracted by the current situation. But we have covered that before: The IRS will not contact you by phone, email, social media or text message. Got it?

Do not be a victim of low life scammers.

Here are some examples of things to watch out for:

  • Phone calls or other contacts from fake IRS agents who ask for your banking information for direct deposit. (Scam!)
  • Anyone who contacts you and asks you to verify personal information like name, birthday, social security number. (Scam!)
  • Someone contacting you to tell you your check is delayed but they can speed things up. (Scam!)
  • Scammers sending a fake check with phishy instructions on how to cash it like verifying information online at a website or calling in to talk to an agent. (Scam!)
  • Scammers sending out a check for more than the expected amount then contacting you to send back the difference in cash, or gift cards, or a money transfer. (Scam!)

You gotta ask yourself: Why would the Treasury Department or the IRS want gift cards?

If you don't have a bank account and are expecting a paper check, keep an eye on the news and know when to expect it. And don't forget to keep an eye on your mail- scammers can, and do, steal physical checks.

If you remember only one thing from this post it should be this - repeat after Fresh Phish - The IRS will not contact you by phone, email, social media or text message.

Now. Do Fresh Phish a favor. Reach out to others you know who might be vulnerable to scams like these.

Contact those who might not use the Internet much, people who don't usually file taxes (like retired parents or grandparents), or who may be likely to trust a fake phone call from the IRS.

Tell them that no one from the IRS will contact them asking for any kind of information to complete their economic impact payment. Encourage them to stay safe. And you do the same.


Covid 19 and Business Email Compromise - a PSA

Reported April 16,2020

Hey. How are you doing?

Fresh Phish knows you have enough on your mind that we hate to add something else, but ya'll need to know about this.

This post is for everyone, but especially for those who are handling administrative functions as they work from home (WFH).

Business email compromise (BEC)is always a threat: It's an even bigger threat now.

Let's take a moment to define BEC. The FBI does it really well:

Business email compromise (BEC) is a scam that targets anyone who performs legitimate funds transfers...

In a typical BEC scheme, the victim receives an email they believe is from a company they normally conduct business with, but this specific email requests funds be sent to a new account or otherwise alters the standard payment practices.

In addition, the FBI advises you be on the lookout for the following red flags:

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

As always,

  • Be sure the email address for the sender makes sense - verify the address if at all possible
  • Contact the sender to verify any requested change using contact information you have on file - do not reply to the email or call phone numbers included in it
  • Official UGA business should be conducted using official addresses (example: that email from your boss asking for payroll information should not come from a Gmail address)
  • Do not click any links in an email that might be fraudulent - doing so could lead to compromising your computer or other device
  • Pay attention to any part of the email that does not feel right - trust your instincts
  • Stay skeptical - would your boss really ask you to use your own money to buy something expensive?
  • Use the business processes your department/unit has in place - don't be fooled by requests that require you to act without following protocols

These are crazy times. Scammers really are out to get us. Stay safe.


Warning: Coronavirus, Covid19 and Scammers Are Vicious

Reported April 1, 2020

Heads up, People! It’s time to be on high alert for scams and malicious software in attachments and bogus web sites - especially related to the Coronavirus and Covid19.

We all know that online criminals work hard to take advantage of uncertain times. They jump in with both feet to take advantage of our worry and our fear.  There has already been a big increase in scams about the Coronavirus and the Covid19 pandemic. 

Every time we open our browsers there is a chance that we will see offers for counterfeit goods like surgical masks, hand sanitizer and test kits. A message might contain links to websites or apps that track the Coronavirus: These are designed to infect your computer.

There have been emails offering Covid19 cures. Others solicit donations to bogus research foundations that are working on vaccines or charities that do not exist.

Scams can come at you hard and fast from multiple directions:

  • email
  • social networks
  • phone calls
  • text messages
  • fake sites online

Remember, online criminals want to make you panic. If you react without thinking, they win. They will do awful things to trick you into doing what they want.

In fact, there are scammers out there right now pretending to represent local hospitals. They send emails that claim you have been exposed to the Coronavirus and need to be tested.

Others will tell you one of your colleagues or someone else you know has tested positive. They will include an attachment or a link to a form for you to fill out, print and bring to the local emergency room. Do this and you run the risk of infecting your computer with malware or losing control of your personal information. (Not to mention potentially tying up emergency room resources and perhaps endangering your health.) Stay safe.

  • Do not download attachments from unknown senders
  • Do not follow links in unexpected email

If you are concerned, look up the number for your local hospital and let them know about the email you received. Telling the hospital will alert them to the scam.

There are already plenty of reports of phishing attempts by online criminals pretending to represent the Center for Disease Control and Prevention (CDC) and the World Health Organization (WHO). Know your sites! The correct ones are:

  • The CDC:
  • WHO:

If there is anything else stuck in between the /www. and the / don’t trust the link!

As the Coronavirus Relief Package becomes a reality you can expect scammers who are after your financial information to try contacting you through several different communication channels, especially email and phone.


Phishing and Your Coronavirus Relief Dollars - This in No Joke!

Reported April 1, 2020

The Bad Guys are at it again. There are already warnings from the FBI that scammers are trying to grab your banking information through phishing email. They are using your economic stimulus check as bait. They want your money.

How are the Bad Guys doing it?

One of the ways is to send out email that pretends to be from the Federal Government (the IRS is common). There is often an attached form requesting your banking details or other personal information so you can be sure to get your stimulus check. Some of the scammers will use links to fake websites where you are asked to provide information.

  • Do not open the attachment.
  • Do not follow the links.
  • Do not be a victim.

Government agencies are NOT going to send an unsolicited email asking for your personal details so they can send you money.

Need more information? Check out this Public Service Announcement from the FBI.

Do you know someone who might be vulnerable to a scam like this? Take a minute to share this awareness with others who may not know about the dangers of phishing, online scams or scam calls.

Remind them that they should never provide sensitive information like user credentials, social security numbers, or financial data when asked over email or as part of a telephone call.


Working from Home 101 - A few Suggestions

Reported March 31, 2020

Well, All Ya’ll. We are living in some strange times. Who would have ever thought we would be hunkering down, sheltering in place and working from home (WFH)? I know not all of us are, so before I go any further, I want to give a big shout out to all the Essential Employees who may not have the opportunity to WFH.

Fresh Phish knows that some of ya’ll are using their own devices to WFH: Some of ya’ll have access to, and are using, UGA owned devices.

A gentle reminder to ya’ll who are WFH on a UGA-owned device - UGA –owned devices should not be shared with anyone else. Ya’ll know why. You still need to follow the University's policies and procedures. Enough said.

Now that we have that outta the way, let’s go over a few things that will make WFH a bit more secure.

Don't leave your computer screen unlocked when you step away from your WFH space. Nobody else needs to be up in UGA business.

Most of this is gonna sound familiar. Take it for what it is; a gentle reminder that something is still normal: something remains the same in spite of change.

  • Use a strong MyID password
    • Do not share your MyID password with anyone
    • Do not use your MyID password on any other website
  • Connect to the UGA VPN as appropriate when working and using UGA resources
    • Disconnect from the VPN when you are done working for the day
  • Be ready to use ArchPass powered by Duo whenever you are prompted
    • Have the device you use to authenticate handy
  • Always use caution when evaluating your Office 365 / Outlook account email (or any other email for that matter!)
    • Use caution when responding to messages marked "External Sender – Proceed Cautiously"
    • Think before you click any link in an email

Make sure that any device ya'll are using to WFH has appropriate antivirus and that you keep your software up to date!


Online Criminals Love a Pandemic - a Fresh Phish PSA

Reported on 3/19/2020

Online criminals just love a good disaster. They come out in droves during hurricanes, tornadoes, earthquakes, pandemics and just about every other event that can cause anxiety and distress.

When people are worried, frightened, uncertain and liable to act without thinking things through the Bad Guys can make a lot of money. How do they do it? They use all sorts of tools like the following:

  • phishing emails with links to what look like valid news sources or offer tips on new ways to protect yourself from the virus
  • fake Covid19 tracking apps with malicious software embedded
  • bogus websites – that can look very real – that ask for donations or funding for relief or vaccine research or load malicious software on your computer
  • ads on social media that offer much needed supplies and counterfeit items for your safety and survival
  • text alerts with links to fake sites; texts often pretend to come from authorities
  • malicious software designed to attack or infect poorly secured devices when you follow links or download malicious content

It’s likely that these sorts of attacks will persist for the foreseeable future. So what can we do? We can take steps to prevent the Bad Guys from getting the upper hand:

  • Think before you click. Slow down. Don’t click. Go directly to a reputable website to access content.
  • Lock down your login. Create long and unique passphrases for all accounts and use multi-factor authentication.
  • Keep devices with you at all times or store them in a secure location when not in use. Set auto log-out if you walk away from your computer and forget to log out.
  • Limit access to the device you use for work. Only the approved user should use the device (family and friends should not use a work-issued device).
  • Update your software. Updates include important changes that improve the performance and security of your devices.

Some reputable websites for coronavirus / covid 19 information are:

Filing Taxes on a Smartphone or Mobile Device

Reported 2/25/2020

Thinking about filing your taxes on your smartphone or other mobile device? You probably already do your banking, bill paying and other financial stuff on your phone and tablet.

Many of the well-known tax products (think turbo-Tax, H&R Block, Intuit, etc.) have easy-to-use tax apps for filing simple returns. You can take a photo of your W2 and the app fills in everything on your tax return for you. Super fast! But, is it safe?


It depends.

Nothing is ever 100% risk free. But, if you can be safer than many others if you are cautious and keep to the following good habits:

  • Keep your smartphone or mobile device up to date
  • Stick to trusted Wi-Fi networks – like your home network or PAWS Secure
  • Use a VPN to encrypt your data – you can’t be too safe with your SSN
  • Secure your phone – use a strong password, hard to guess PIN, fingerprint, or facial recognition
  • Be sure to delete the photo of your W2 from your phone - and any cloud account it may back up to
  • Consider installing malware or virus protection, especially on your Android phone. Like any app you install, make sure it is trusted: Take time to research the app before you install.

Remember: If your phone or other mobile device is lost or stolen and not secured, others will /potentially have access to everything on it. That may include any stored passwords, account numbers, personal information and photos (like your W2.)


Scam Alert: Some 2020 Tax Season Tips

Reported February 24, 2020

Many of the Tax Scams from recent years are still popular. Scammers still love posing as bogus IRS agents to bully you, threaten you and try to get you to send immediate payment. The Fake Feds love to make you panic and act without thinking things through.

The phoney IRS agent will likely demand payment via wire transfer or maybe even gift cards.

Say what? Gift cards? Yep.

Just remember, the IRS is not going to call you up and demand immediate payment. They especially won’t ask for gift cards. Sadly, these tactics frequently work.

Even with their tried and true scams to fall back on, Scammers are always willing to try something new.

Here are a few new scams to watch out for in 2020:

  • Scammers are issuing fraudulent tax returns. You deposit the check, and, before it clears you get a call from a bogus IRS agent instructing you to “send the refund back.” You transfer the funds (which don’t really exist) or send money to an address the scammer provides. Since the check was bogus, the money you sent the Scammers is your own hard earned cash. Your bank account takes a major hit: You are now out the amount of the refund. And maybe a whole bunch of overdraft fees.
  • You may get a call threatening to cancel or temporarily suspend your Social Security Number until you pay overdue taxes. The Scammer could have enough info on you to make the threat seem credible. Don’t believe it.
  • Fake messages via email, text or social media are common at Tax Time.  It’s easy to fake a phone number, caller ID, email address, website or social media account. The Scammers will use official sounding language and official looking logos to trick you. So, if you get an unexpected communication from the IRS through any of these channels, proceed with extreme caution.

You can report Tax Scams to the IRS at their IRS Impersonation Scam Reporting site.

The IRS has a page about Tax Scams and Consumer Alerts and a Google search will get you a lot of information.

Use the "Where's my Refund?" tool at the IRS site to track the status of your refund.

Dates to know:

Filing Deadline - the 2020 the official tax deadline is Wednesday, April 16th.

Possible Delays - You should also be aware that refunds that claim Earned Income Credit (EIC) are likely to be delayed this year. The IRS wants to make sure all the EIC claims they receive are legit. That doesn’t mean the IRS thinks your claim is false. It seems that criminals love to use those credits for tax fraud.


Avoid Holiday Scams: a Fresh Phish PSA

Reported November 21, 2019

This is going to be a long post, all y'all. We've got lots to cover and it's all important.

As much as we hate to say it, the holiday season means loads of holiday scams.  The Bad Guys will try all sorts of tricks to steal your identity and accounts.

That means it's up to each and every one of us to look out for ourselves and loved ones during this time of year. Let's go into this season with our eyes open, okay?

Here are 12 tips for safer holiday shopping:

Tip #1 - Never, never, never use public WiFi for any shopping or banking. Did we remember to say never?

  • Public WiFi is exactly what it says - public
  • Anybody - especially Scammers and other Bad Guys - can see what you are doing on that public connection
  • Remember: On public WiFi a password means permission, not security

Tip #2 - Always check for the lock icon on every webpage where you enter personal information or financial information.

  • Look up near the address for the page - you know, where it says "https"? That 's' on the end stands for secure
  • Make like Santa and his list: Check twice to be sure the site is nice (and secure!) before entering credit card info
  • Beware! Using your debit card online can be risky: If the Bad Guys get your debit card number, they can drain your bank account. Credit cards give you more fraud protection

Tip #3 - Stick to well-known, reputable websites for safety

  • At this time of year fake websites offering great deals crop up everywhere
  • Even reputable sites can be fakes, so stay alert to scams

Tip #4 - If the price seems too good to be true - it probably is

  • The item may be a counterfeit
  • It's highly likely the website is fake
  • Take some time to check out the website
    • Does it have contact information?
    • Does the site list a physical address? (Google it - does it seem legit?)
    • How about a privacy policy? Most fake sites don't bother with one
  • Check the original manufacturer's site. Do they offer a similar deal?
  • Scammers want to steal your personal details and credit card information
  • Do a gut check - if making a purchase leaves you feeling uneasy, trust yourself

Tip #5 - Check you credit card balances and credit reports for unusual activity

  • Contact your credit card company immediately if you see charges you didn't make

Tip #6 - Be alert for phishing attempts in both your home and work email

  • Be on the lookout for email links, unexpected attachments and unsolicited offers
  • Think before you a click or download an attachment
  • These are a few popular scams:
    • Missed delivery notice
    • Invoice attachment
    • Undeliverable package notice
    • Tracking number attachment
    • Shady order confirmation
    • Fake shipping notices
    • Bogus charities (more about this in Tip# 11)
    • Social media contests, gift cards and sob stories
    • Travel booking scams
On a related note: Letters from Santa scams are a growing concern
  • They use a child's personal information to set up fraudulent credit cards and accounts
  • Why would anyone want to do that? Parents don't check on their kids credit
  • It could take years before the scam is uncovered
Tip #7 - Be especially careful of counterfeit websites or sites that look like legit sites but are not
  • Even well-known sites can be faked
  • Watch out for weird looking website names like or amason. com or even
  • Be especially careful when shopping on your phone where you might not be able to see the whole web address
  • Be alert for these signs of a faked website:
    • Does the site seem pushy?
    • Have a countdown timer on a great deal?
    • Try to keep you on the page?
  • Don't trust a site that pressures you to buy

Tip #8 - Never buy anything from someone who wants you to pay in gift cards unless you are using a company gift card on the company site

Tip #9 - Porch pirates are a real problem: Stealing packages can be profitable

  • Always track packages if you have that option
  • Arrange to have your package delivered to a relative or neighbor or other safe place
  • Take advantage of your doorbell camera if you have one

Tip #10 - Don't leave your holiday purchases in your car where they can be seen.

  • Put them out of sight in the trunk or glove box
  • Don't rely on tinted windows to protect your haul - thieves may be watching as you go to your car

Tip #11 - Be alert for phone scams too!

  • Scammers love to use the phone for bogus charity scams
  • You can check charities out on which is run by the Better Business Bureau
  • If you want to give, do so through the charity's website

Tip #12 - Take your time online and in the store

  • The Bad Guys want you to be distracted and in a hurry
  • You are most vulnerable when you are tired or not paying attention
  • By taking your time and being alert you can save hours and hours spent recovering from being a victim

Now that the scary stuff is out of the way, Fresh Phish wishes each and every one of you safe and happy holidays. Y'all take care now, y'hear?

Thanks to the Center for Internet Security for the term "porch pirates". What a hoot!


DoorDash Security Breach: A Fresh Phish PSA

Reported September 27, 2019

Hey, All Y'all!

Seems DoorDash got hit by a data breach.

A third party service provider was the actual target. That means a company/ group/ contractor hired by DoorDash was the one that got breached. It still affects peeps who use DoorDash.

Fresh Phish highly recommends that you change your application password if you are a DoorDash user.

DoorDash reports that 4.9 million users - Dashers, merchants and customers - are affected by the breach. They say it concerns users who joined before April 2018, but better safe than sorry, right?

Go on. Go change your password. Be safe. We'll wait right here.

You back? Good.

Why change your password if the data breach already happened? 'Cause the Bad Guys likely snagged your profile information.

Worse, they may have gotten away with your credit card info - or at least enough of it that you’ll want to check your statements for funky charges.

If you work as a Dasher (or were a Dasher previously) the bad guys may have gotten your drivers' license number, too.

Those three types of information are a powerful combo, but it may not be enough to cause a lot of grief. Stay alert anyway, m'kay?

At the very least, you can expect some phishing email at the address you used to register your account.

You can read more on the DoorDash blog. Or just Google 'DoorDash breach' for more info.


In the News: Sextortion Emails Are on the Rise

Reported August 6, 2019

Great. Thanks, Fresh Phish. What does that mean exactly?

Sextortion emails are phishing emails that use fear and shame as an attack.

An Online Criminal (the Bad Guy) claims to have taken control of your web camera. They claim to have recorded some very compromising activity or caught you going to adult sites. Then the Bad Guy threatens to expose you and your habits to everyone you know.

Unless, of course, you pay them not to.

Sextortion emails can be very scary. The Bad Guys use real information they find online to seem like they are legitimately able to cause you harm. They might have one of your old usernames or an old password from an online data dump. They might even have current information.

How do they get your personal information? Online Criminals create victim lists after data breaches. They then share, trade and sell the personal information they stole with other Bad Guys.

So what should you do if you get a sextorion email?

  • Do not respond to the email. If you do, the Bad Guy will know they have a legitimate target. You will become a target for all the phishing.
  • Do not pay up! It's not safe and you'll you never get that money back. You could even end up giving away your credit card or payment app information to the Baddie.
  • Do not pay up! It's not safe and you'll you never get that money back. You could even end up giving away your credit card or payment app information to the Baddie.
  • Do not click on any links in the sextortion email. You could install harmful software on your device
  • Do make sure to change the password on the account listed in the email if it is one you use.
  • Do always use a unique password for each online account. Using the same one for multiple accounts makes it easier for the Bad Guys to steal your information and maybe your identity.

Never use your UGA MyID as a username on a non-UGA account. Never use your UGA MyID password to access another account.

Special thanks to OODA Loop and Cofense Phishing Defense whose articles got us talking about Sextortion emails.


Summer Opening Available

Reported July 11, 2019

Y'all know that phishing emails are designed to trick you into replying to them with personal information. Sometimes they provide a link to a web page or form where you can give away your contact information and more. Or, in this case, all the information you would provide when applying for a job - name, address, birthday and social security number.

That is also the same information the Bad Guys need to steal your identity and ruin your life.



So what's wrong with this email message?

  • It doesn't address you by name
  • The sender uses Uga instead of UGA
  • The language is awkward - "I am a staff..."or "all student and personals"
  • The email contains a the name of a well-known charity to seem credible
  • UNICEF does sometimes hire Personal Assistants
  • The "Apply Here" link in the message points to a page other than
  • Official UNICEF business is done at
  • There is no signature or contact information

All of the items listed here are indicators of a phishing message.

From: Sender Name
Sent: Thursday, July 11, 2019 11:37 AM
Subject: Summer Opening Available
Hello, Hope your summer is off to a great start.

I am a staff here in Uga, there is an opening available to all student and personals to work with UNICEF to render Personal Assistance Service.

Apply Here (link removed)


Phishers gonna phish, y'all.


Re: Dog Walker / Dog sitter Job

Reported May 28, 2019

Okay, All Y'all. This clever little email is a real nasty piece of work. 

It plays on our sense of connection to a someone we feel we should be able to trust - someone who says they are a student here at UGA.

Once we are all relaxed ans ready to help out a fellow Dawg, is offers a summer job that is just too good to be true. Who wouldn't want to hang out with a dog for a couple of hours a day?  the hours are even nice - go in the morning and you're done for the day!  And $350 a week for 10 hours of work?!? That's $35 an hour - more than four times what some professional dog sitters make.

Wait. That does sound too good to be true. If you click the link to contact the person offering the dog walking, you will later get a phishing email with a link to a file share.

If you follow that link, you will give the Bad Guys access to your email.

How? The phish bounces you to an Outlook365 login before allowing you to access the fake file. The Baddies steal your login cookie. close your session and use your cookie on thier own computer to log in to your account.

We know they will send phishing messages to all your contacts. They may also go through your messages to find information they can stael and use or resell.

From: SenderName
Sent: Monday, May 27, 2019 2:34 PM
Subject: Dog Walker / Dog sitter Job

Note :- EMAIL NameofPerson[at] (link removed)

Hello, my name is Sender Name,I am a student here in University of Georgia. My Aunt is moving to the school area and needs someone who can pet sit her dog for 2 hours daily within 9am - 11pm.Pay is $350 weekly.kindly email her for more info NameofPerson[at] (link removed). You are to email her with your personal email NOT school email so she can receive your email because most times I email her with my school email she hardly receive my emails.

Note :- EMAIL NameofPerson[at] (link removed)

As always, you can report suspicious looking email to . If you suspect that your email account may have been compromised, you should change your password.


Do You Ever Login to Third-party Sites Using Facebook? - a Fresh Phish PSA

Here is a good reason why you may want to stop doing that.

A lot of services use the "Login with Facebook" (and other social media services) method to grant access to their websites. Basically, you use your Facebook credentials to provide the new service with the information it needs to set up your shiny new account. It makes it faster and easier and it's usually "okay" to do if the new service is legit. 

How is it supposed to work? When you opt to login with Facebook, you either get redirected to the Facebook site or provides its own popup window so you can login with your credentials.

Now there is a new phishing attack that uses the familiar "Login with Facebook" popup window to steal your credentials.

Just think of all the information they will have access to if they take control of your account.

This stuff looks and feels real, y'all. The malicious popups have all the bells and whistles of the real thing - URLs with secure site lock icons, logos, buttons, you name it. The bad guys have upped their game so much that according to Antoine Vincent Jebara, the CEO of Myki password managing software, "...even the most vigilant users could fall for" this attack.

Jabara also reports that the only way to tell these popups are fake is to try dragging it off screen. If you can't move the popup far enough to make part of it disappear from your browser window it's almost certainly fake.

Use extreme caution when you login using Facebook to any third-party services. In fact, you should use caution when signing in to any third-party service with any social media account. That includes Google.

To find out more about this new phishing attack, you can search online for "Facebook popup phishing".

Phisher gonna phish. Don't get caught.


Outlook Support

Reported February 4, 2019

There is a doozy of a phish surfacing in some University System of Georgia (USG) institutions.
If you get this email, please be aware that it is NOT from the USG IT help desk!

From: IT _Support <IThelpdesk[at]>
Sent: Monday, February 2, 2019 2:15 PM
Subject: Outlook Support

(USG logo here)

All Staff are expected to migrate to the New 2019 Microsoft Web Portal to enable access to the below, Click Microsoft-Outlook (link removed) to migrate immediately.

  • Access the new staff directory
  • Access your pay slips and P60s
  • Update your ID photo
  • E-mail and Calendar Flexibility
  • Connect mobile number to e-mail and voice mail

Important notice: All staffs are expected to migrate within 24 hours to avoid delay on mail delivery.

Administrator Service System

©Copyright 2019. All Rights Reserved

The red flags in this message are a bit hard to spot, but they are there:

  • The sender name and address are not correct for USG Support
  • You are not greeted by name
  • An all staff migration should be handled by the institution, not the individual
  • The punctuation and spelling are off in a couple of places
  • Employers in the US do not issue P60s (the UK version of a W2)
  • There is a deadline and a threat of loss of email services
  • There is no contact information for the sender

Phishers gonna phish. Don't get caught!


SMS Gift Card Fraud

Reported on January 23, 2019

Imagine you are Sue. You are sitting at your desk and it's late in the day, just before 5PM. An email pops up in your inbox. It's from your boss. They write, "Sue, are you in the office? I'm in a meeting and can't easily use my email account. What's your cell phone number?"

You check out a few things like the sender's name and email address, and you were greeted by name: It seems legit. So you quickly reply with your cell number, "Of course! My number is (706) 555-9876."

A few minutes after five, you get a text from a caller at (706) 555-1234. It's your boss. They ask for you to acknowledge you got the text.

You do.

Then your boss asks you to buy some gift cards. Don't worry, you will be reimbursed. If you're willing, let them know and they will tell you what to buy.

What do you do next?

If you buy the gift cards, your boss will ask you to text the activation numbers to them. You'll never be reimbursed. It's not your boss.

With luck, you never got beyond the initial email. You deleted it and went home at five without a second thought. You recognized the "Are you there?" email as a phish. Well done.

The Bad Guys are taking this sort of gift card fraud out of your email and into your phone. What starts as a phishing email can invade you phone and your life. Once they have your number, you are likely to get text message phishing attempts ('smishing messages') and phone calls until you sprain 'your block caller and report spam' finger.

Phishers gonna phish. 

SMS phishing message part one.


SMS phishing attack part 2.


Reported on January 7, 2019
Hey all y'all! Fresh Phish hopes you had a safe holiday season and welcomes you to 2019!
Our first phish of the year is heavy on the social engineering side. The Bad Guys want to engage you in a conversation in order to gain your trust. To do this, they pose as someone you might report to at work if you are a staff member: a director, department head or, in this case, a dean.)
As usual, we have substituted "Sender Name" for the actual name of the person who supposedly sent the message. We also changed the recipient's name (feel free to mentally fill your own name in there for effect.)
Let's take a closer look at this phish. It has a few red flags:
  • the sender's email address is off - it's not a uga[dot]edu address
  • it uses a generic subject - "Hello" tells you nothing about what the message discusses
  • the recipient is not addressed by name - there is no greeting in the message at all
  • the message sentence structure is strange - definitely not what you would expect from a dean
  • notice how the email address in the signature block does not match the sender's address?

    From: User Name <[at]>
    Sent: Monday, January 7, 2019 9:13 AM
    To: Recipient Name
    Subject: Hello

    Happy New Year, Are You There?

    Sender Name
    College of Something at UGA
    Phone: 706-54X-XXXX

How does a phish like this succeed?
The next step is for the Bad Guys to respond, telling you they are in a meeting, or too tired and need you to buy them some gift cards. They want to make you feel like this exchange is urgent and your assistance is important.They want you to feel trusted and valued by the supposed sender
The Bad Guys want you to feel like you are helping them: They use your trust against you. If you agree, they will likely tell you what to buy and ask for the gift card numbers. Once they have the gift card numbers, you can say goodbye to the money you spent.

You have 1 new message and Action Needed : 22 Undelivered Emails

Reported on October 2, 2018 and October 3, 2018

Today, we've got a pair of phishes that are very similar to others we have seen before. Many of you reported Message 1; Message 2 seems a bit more targeted toward UGA departments. Sadly the first message seems to have caught one of our own and used an UGAMail address to send out more phishes. 

The red flags are flying high in both these emails. Let's tackle them one at a time.

Message 1 has the following red flags:

  • Generic subject line tells you nothing and does not match the message content.
  • You not addressed by name.
  • The sense of urgency in the "important meeting" is a lure to make you react.
  • You are asked to take action by clicking the link.
  • The signature is generic.

 Message 2 is a bit more complex, but the red flags are:

  • The sender's email address links to a webmail service not Microsoft.
  • You are not named in the first greeting ("Hello ,").
  • The line telling you the message is from a trusted source set our phish sense tingling! Did it alert you too?
  • The line "Your Incoming messages has been blocked" is designed to make you react without thinking. (Don't panic!)
  • The second greeting identifies you by your UGA MyID not by name.
  • Microsoft will not depend on you to FIX ERRORS with your email (it's their job to do that. )
  • The DELETE and ARCHIVE links are a bit odd - the bad guys obviously are intent on getting you to respond in some way.
  • All the links asking you to take action point to the same site designed to steal your credentials.
  • The generic signature is a dead give-away. (No legitimate business correspondence will leave you without some sort of contact information.)
  • The links to the actual Microsoft Privacy Policy and Service Agreement are only there to make the message look more official.

Message 1

From: User Name <[at]>
Date: October 3, 2018 at 1:31:23 AM EDT
Subject: You have 1 new message

[Official UGA Logo Here]

Dear User,

This is to notify you of an important meeting.

Click here for details (The link was removed - it pointed to a bogus website.)

Thank you.
University of Georgia.

Message 2

From: OutlookOffice365 <abadguy[at]>
Sent: Tuesday, October 2, 2018 1:42 PM
To: Username <usrname[at]>
Subject: Action Needed : 22 Undelivered Emails

Hello ,
Message is from trusted source.

Your Incoming messages has been blocked

Hi user[at] ,

Most of your recently sent emails couldn't be delivered.

When the sender tried to send messages to you, the receiving email server reported an error.
Kindly follow the instruction below to manage your [22] Undelivered Messages as of the 1st of October 2018.

To import the blocked messages click here to FIX ERRORS (We removed the link to a Russian website.)
To delete the blocked messages click here to DELETE (We removed another link to the same Russian website.)
To save in archive click here to ARCHIVE (We removed yet another link to that Russian website.)

Microsoft IT Administrator

Microsoft Corporation | One Microsoft Way Redmond, WA 98052-6399
This message was sent from an unmonitored email address. Please do not reply to this message.

Privacy (This link actually went to Microsoft's Privacy Policy.) | Legal (This link pointed to Microsoft's service agreement.)

Thanks to all our Expert Phish Spotters, who reported toady's messaages to and avoided getting caught.



Reported September 30, 2018

This phish is a bit different from others we have seen recently. It's a real attention grabber. How many of us might look at this message and think, "Oh my. Somebody's in trouble. I know it's not me. I wonder what's going on?" And then open the attachment?

Curiosity isn't just for cats, and heck, inquiring minds want to know, right?

Y'all know phishers know how to play us against ourselves. The bad guys are master manipulators. They know we'll be curious about who got in trouble and what the "incident" mentioned in the message was. The bad guys know there s a very good chance that a few of us will open that attachment. (It probably contains so sort of malware.)

If you take the time to read carefully, however, you'll catch the red flags:
  • a non-uga email for the sender
  • an unexpected attachment
  • a generic subject line
  • a generic greeting
  • poor use of language
  • no details on the incident or when it happened
  • the generic sign off (HR Department is one person?)
The official "information intended only for" disclaimer is a nice touch. But it does not make the rest of the message more believable. So why bother?
It's there to distract us and make us question whether the email might - just might - be official. If we question the legitimacy of the message,wequestionourown judgement. And we just might open that attachment.


From: HR DEPARTMENT <noreply[at]hrdepartment.non-ugasite>
Sent: Friday, September 28, 2018 4:46 PM
Subject: HRNotification

[HRNotification.doc.x attachment]

Due to  reported incident between few employees, there’s need to review and remind us the existing code of conduct expected of all employees.
let me know if you have any questions.
HR Department.

This e-mail contains information intended only for the individual or entity to which it is addressed and may contain confidential material. If the reader of this e-mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, publication, copying, transmission, distribution or other use of, or taking of any action in reliance upon, this e-mail is strictly prohibited. bears no responsibility for any loss, disruption or damage to your data, computer or network system that may occur while using data contained in, or transmitted with, this e-mail or its attachments. If you have received this e-mail in error, please immediately notify by return e-mail and delete the material from any computer or electronic media. All customer services contained in or referred to in this e-mail, are subject to terms, conditions and approvals set by, and documentation acceptable.

Disaster Relief Scams: A Fresh Phish PSA

Just a quick heads up to alert y'all to use caution when you contribute to any disaster relief effort. Unfortunately, scammers are willing to abuse our trust and take money meant for victims of disasters.

Disaster relief scams may start with a phone call, an email, a text, a social media post or an online ad. You may even be approached in person.

We hate to think of anyone being cruel enough to take advantage of people who are stepping up to help others affected by Hurricane Florence. But it happens. And there are a few things you can do to make sure your donations go where they are supposed to go.

First and foremost is to concentrate on legitimate, established charities that are set up to help those affected by Florence and others. How do you know which charities are legit? That can be tough, but we suggest the following:

  • Run a search on the charity's name online - use keywords like "scam", "complaint" and "rating".
  • Don't trust your caller ID: Crooks often spoof phone numbers to look legitimate.
  • Be alert to names that seem a little off. Scammers like to use charity names that are close to those of real charities to build trust.
  • Don't be rushed, bullied or guilted into donating. Pressure from a charity is a sign that something is not right.
  • Keep your emotions out of the transaction - scammers will use sentiment against you.
  • Don't hesitate to ask for details on how your donation will be used. Scammers often use vague language when soliciting donations.
  • Pay with your credit card. Using your credit card provides some protection.
  • Do not pay with a debit card. Your debit card gives scammers access to our entire bank account.
  • Scammers often want cash or wire transfers (like Western Union). A request for gift cards should push the needle on your scam-o-meter into the red.
  • If you give, keep track of who you give to, how much and when so you can make sure your donations match your charges.

If you get a bogus charity solicitation, or think you may have fallen for a disaster relief scam, you can report it. How?

  • Visit the Federal Trade Commission's FTC Complaint Assistant webpage and report the call under Scams and Ripoffs.
  • Visit the Georgia Secretary of State's Charities page to submit a complaint. Be sure to provide as much detail about the scam as you can.

you have 8 delayed messages

Reported September 20, 2018

This is a quick and dirty little phish that has the potential to cause some trouble. Fortunately, it was reported quickly! Thanks to K P for being first to report this phish.

Let's take a quick look at the message. The red flags are as follows:

  • The sender email address, EmailSupport is very generic -  It is not connected with Microsoft
  • The actual sender address was clearly not a Microsoft business address
  • The recipient as named in the To: field, but not in the actual email
  • The greeting "Hi email address" is highly unlikely to be used in a legitimate business communication
  • You are asked to take action to "Release delayed messages" (a typical phishing move)
  • If there was a system error, would Microsoft really depend on you to do their job? They should release any delayed messages automatically
  • The "Unlist" link is a clever move. It's a second chance to grab your login info. And it links to the same bogus form the phishers provide for to release your messages
  • Fresh Phish especially likes the nudge to unsubscribe at the bottom of the message. Third time's the charm, right?
  • There is no signature / contact information provided. The lack of contact information is a massive business no-no that indicates the message is a fake

Don't be fooled by logos in phishing emails. It's a cinch to copy and paste a logo. The bad guys do it all the time.

From: EmailSupport <Sndr.Name[at}>
Sent: Thursday, September 20, 2018 7:23 AM
To: User Name <username[at],>
Subject: you have 8 delayed messages

[OFFICE 365 logo]

Hi username[at],

We detected that you have 8 delayed messages which didn't get to you. This was caused due to a system error. Rectify below:

Release delayed messages <This linked to a bogus form designed to steal your login credentials.>

You control the e-mail you get from Microsoft: Unlist <This also linked to a bogus form designed to steal your login credentials.>

Getting too much email from Microsoft? You can unsubscribe



Reported August 28, 2018

Ok, Expert Phish Spotters! Thank you for bringing this phishing attempt to our attention. It took some skill to identify this one. So a shout out is due to M.A., K.W. and T.P. for reporting it. Thank you! You are amazing.

 What makes this email a challenge? It’s a different from the other phishing emails we see:

  • It appears to be sent by an actual Director
  • The recipient is an actual employee of that Director
  • The recipient is addressed by name
  • The message itself is a little odd, but could have come from someone in a meeting and in a hurry to send the email.
  • If the Director is in a meeting, a phone call would not be an option
  • The Director’s first name was used to sign off on the message

This email is the start of a pretexting attack. It's a type of phishing, but it differs form the run-of-the-mill request to take action, because the criminal is attempting to start a dialog with the intended victim / recipient. It is potentially an exchange that could result in the recipient becoming the victim of a scam.

The next step in this pretexting attack would probably be the criminal asking the recipient to send important sensitive or restricted files or purchase goods online (like gift cards).

What are the clues that likely tipped off our Expert Phish Spotters? The most likely are:

  • The Director using a Gmail address instead of a regular UGAMail address
  • The unusual use of "Good Day"
  • The sentence structure of the request. (It seems too lengthy. Why not just "I have an assignment for you"?)
  • The odd phrasing of "i won't be able to pick a call".

It's also possible that the Director would not contact the recipient directly, or that the recipient was easily able to ask the Director if the email was legitimate.

From: Named Director <[@]>
Sent: Tuesday, August 28, 2018 2:21:47 PM
To: User Name
Subject: URGENT


Good Day User,

Are you in the office ? I have an assignment i need you to do for me.I am in a meeting and i won't be able to pick a call.



Phishers gonna phish. Keep your eyes open out there.

Sextortion Scams: Coming to an Inbox Near You

August 14, 2018

Hey, All Y’all – there are a lot of phishing scams going around claiming the sender took over one of your devices and recorded you “having fun” while visiting adult video (porn) sites.

Each scam is a tad bit different – and the Bad Guys are making money hand over fist. In fact, they demand $1000.00 from each victim. And they are getting it.

So here’s the deal. Somewhere, sometime, someone (a Bad Guy) got hold of a database that had some personal information, some old passwords, an email address or two and some partial phone numbers. There’s no way to be sure where this information came from. Honestly, it hardly matters: Given all the big data breaches that happen, it’s a sure thing your information is out there on the web somewhere.

Okay. Where were we? Oh, yeah. Any information in that database is more or less phish food.

All the Bad Guys have to do is drop some of that information into a threatening email, send it to everyone on their list, then sit back and wait. The money rolls in with no real effort on their part. In fact, one scam got over $50,000.00 in a single week.

Fresh Phish already talked about one of these emails, back on July 19, 2018, that used old passwords. This email uses partial telephone numbers. The darned things just keep coming. Guess you can’t keep a good scam down.

Now you gotta ask yourself (Fresh Phish is not judging):

Have you been visiting adult video (porn) sites?

  • Of course not! - You have not downloaded malware from a porn site.
  • Report the message to the Abuse Team (, delete it and move on.
  • Paranoid? Go ahead - update and run your antivirus program if appropriate. It won't hurt anything.
  • Remember, it's unlikely that the Bad Guys have your whole phone number. They would have used it if they did.

From: A Bad Guy <weBvilns[@]>
Subject: (Part num your Hacked phone +XX XXXXXX5555)

It seems that, +XX XXXXXX5555, is your phone.
You may not know me and you are probably wondering why you are getting this e mail, right? actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean).
While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.
What did I do? I backuped phone. All photo, video and contacts. I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam. exactly what should you do?
Well, in my opinion, $1000 is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).
(It is cAsE sensitive, so copy and paste it)
Important: You have 48 hour in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with "Yes!" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.

Special thanks to Lawrence Abrams, creator and owner of, who was the source for the example phishing email text.


***ATTENTION REQUIRED***-from president Jere W. Morehead to all employees on August 09, 2018 !

Reported August 9, 2018

Every once in a while phishers go for the big targets - directors and others who are highly placed enough to be ideal victims of phishing attacks. The more highly placed a person is in an organization, the greater the possibility of a big data or monetary score exists for the phishers.

Most of us don;t get to see these sorts of attacks, so it's important that this message gets shared. As usual, you can open a bigger version of the image. (It won't work well on smartphones because the file is very large.)

The red box, arrows and blue highlighting are all indicators of red flags:

  • The sender's name and return email address do not match
  • The attached pdf.pdf file is unexpected (and the double .pdf extension may be hiding the true nature of the attachment.)
  • You are not addressed by name in the greeting. (Gerorgia? Puh-leez!)
  • The language in the body of the email is awkward and poorly written.
  • The "access" link is very sketchy: mouse over the link to see it goes to a phishing website in Germany.
  • "President" is not capitalized - and you know it would be.

Notice that the recipient is also encouraged to share this message.

You can read the text of this message a bit further down the page.

Morehead phish

From: Jere W. Morehead <notpresm[@]>
Subject: ***ATTENTION REQUIRED***-from president Jere W. Morehead to all employees on August 09, 2018 !

(UGA logo here)

Dear University Of  Gerorgia Employees,

It's of high importance all Employees read through on what improves the welfare of our institution,including a few organizational changes which require all Employees prompt attention.

complete the following new updated 45 seconds survey which is important to all University of Gerorgia staffs to access attach today.


Note: The  message is sent out of high importance to all employees to access attach and share.

Jere W. Morehead
University of  Gerorgia

(Photo here)

URGENT Please read

Reported July 31, 2018

Phish Spotters unite! This is a very nasty scam. And it comes at a very bad time for incoming students who do not yet know that EITS will never ask them to update their accounts.

This email is a FAKE. (Phish Spotters say it loud and say it proud!)

The audacious use of the UGA logo adds a hint of authenticity to the email - but do not be fooled. Anyone who can copy and paste can steal an image off the internet.

Let's run through the red flags - warning signs that a message is a phish - shall we?

  1. The "From" and "To" fields are the same - that's phishy!
  2. Official email from UGA will address you by name - not as "University of Georgia User"
  3. EITS will not ask you to update your email account - it's all MyID driven.
  4. EITS will not close down your account because you did not update it - refer to the last point.
  5. You do not update anything on the University home page - besides, that link goes to a non-UGA website.
  6. All UGA business should be conducted on an official UGA website.
  7. Correspondence about EITS services will come from EITS - not the ambiguous "University of Georgia Team."
  8. Official business email should include contact information for the department that sends it - and that goes for any business email.
  9. The copyright notice at the bottom is only there to make the email look official - so don't be fooled!

If you get a suspicious looking email and you think it might be a phish, send it to or contact the EITS Help Desk at 706-542-3106.

If you know that an email is a phish, you can use your delete key - it's a great tool in the fight against phishing.

From: User Name <username[@]>
Sent: Tuesday, July 31, 2018 10:58 AM
To: Same User Name <username[@]>
Subject: URGENT Please read

UGA logo

Dear University of Georgia User

Our record indicates your email account is not updated, which may lead to the close down of your email account.

Please visit the link h--ps:// (we removed the link. It actually pointed to a site that had nothing to do with UGA) to avoid the close down of your account and keep enjoying our services

University of Georgia Team

Copyright © University of Georgia, Athens, GA 30602

ACTION REQUIRED: I just shared a file with you via Dropbox

Reported July 26, 2018

Wow. This phish came across the staff list serve and our Expert Phish Spotters were all over it! Y'all are amazing! Fresh Phish feels kinda unnecessary right now - but there are plenty of people who don't follow the staff list, so here we go.

So, y'all remember "Hover to Discover"?

  1. move your mouse pointer over the link
  2. resist the urge to click
  3. the arrow will become a pointing finger
  4. a box will pop up showing the link location

Hover to Discover was the fastest way to figure out if this email was legit or not. If you did, this is what you saw:

Dropbox phishing message

The link pointed to a URL that had nothing to do with Dropbox. (You can view a bigger picture of the revealed link if you need to. It will open in this window.)

We know you are curious, so here is a look at the fake Dropbox page  -which is a fake OneDrive page (Say what?):

Fake Dropbox page

Do not try this yourself!

Fresh Phish uses security tools to click through safely so we can see what's up. And know how to take steps to protect others from being bait for a phish; like blocking the link on campus (so you can't reach the dangerous page.)

Need a bigger image of the fake Dropbox/OneDrive page for a closer look? It will open in this window and it's not sized for viewing on phones - it's just too big for that to be useful. (BTW: the red bar at the top of the image is a built in Firefox feature.)

The message itself looks pretty legit. That means it is very dangerous! Many of us use Dropbox, so it would be tempting to click evenif we do not know the sender. Not may would notice that the link to a Dropbox page actually went to a OneDrive page.

About the only red flags for this phish are:

  1. do you know the sender?
  2. why would the sender have a file to share?
  3. viewing the file as an unexpected attachment

From: User Name
Sent: Thursday, July 26, 2018 10:00 AM
Subject: ACTION REQUIRED: I just shared a file with you via Dropbox

[Dropbox icon]

Hi There,
(username[@] invited you to view a file via Dropbox.

(We removed the)  Go to folder (link to a fake Dropbox page.)

The Dropbox team

Tl;dr - the phishers are sending more and more dangerous emails. You need to stay alert to a lot of tricks to catch messages like this one. It definitely illustrates the fact that the criminals are trying to catch us off guard and take advantage of our trust. Pay attention. Stay off the hook.

Meeting Notice - Warning: Long Post

Reported on July 25, 2018

Okay, Phish Spotters, this is the third time we have had a "Meeting Notice" phish this month.

It is also the third time one of our own has become a victim of this type of phish. We need to step up our phish spotting game.

This Meeting Notice is, unfortunately,  more dangerous than any of the others we have seen before. It uses a fake CAS page to gather UGA credentials before allowing access to a webpage.

We've seen that before, but:

  1. This time the fake CAS page displays the green lock icon, we are used to trusting.
  2. The web address (URL) is an "https://" address we recognize as secure - as in okay to enter our credentials.
  3. It's only when we look at the actual URL that we see it is not a UGA website.

If you noticed that the URL is not for a UGA site, you have gone above and beyond. Few people will check the URL when presented with an authentic-seeming CAS page and a green lock icon. This is a very high quality phish!

Let's take a look at the two pages.

First the real CAS page. It displays a green lock icon and a UGA web address (arrows) and a link to the UGA Privacy Policy (circled). Display a bigger image of the real CAS page

Real CAS page

 This is the fake CAS page. It features a green lock icon and a secure - but non-UGA -  web address (arrows). It is missing a link to the UGA Privacy Policy. We circled the place that should be displayed. This is a small image. See a larger image of the fake CAS page

fake CAS page

Now let's look at the message. Can you spot the red flags? We'll list them under the example.

From: User Name <username[@]>
Sent: Wednesday, July 25, 2018 5:55 AM
To: Another User <nothrusr[@]>
Subject: Meeting Notice

Dear User,

This is to notify all of an important meeting which is scheduled to hold 26th July 2018.

Click here for details <We removed a link to a phishing site behind a fake CAS login page designed to steal your credentials.>

Thank you.
University of Georgia

The red flags are:

  • the sender: is the sender known to you?
  • is the sender someone who should be sending an 'all hands' meeting notice?
  • a generic subject line
  • you are not addressed by name
  • language slightly off ("scheduled to hold")
  • link not in plain text
  • hovering reveals link not to a UGA site or service
  • message signed by "University of Georgia" (not  person or department / unit)
  • no contact details in the signature

Phishers gonna phish - it's up to us to avoid getting caught.


re: jdoe3390 – loveU2 (UGA MyID and password)

Reported on July 19, 2018

If you get today's fresh phish, please respond as follows:

  • Do not panic
  • Do not reply
  • Do not pay up
  • Do not hesitate to report the message to

Blackmail and extortion scams are popping up in inboxes across campus.

Always ugly, this particular type of scam uses threats and intimidation to make you react. The phishers want your money. They are willing to scare you into giving it to them.

Worried about this message?

  • Look at the subject line -
    • Is that your MyID?
      • Quite probably
      • Your MyID is public directory information.
      • Breathe.
    • Is that your current password?
      • No. It's old - Report the message to the Abuse Team, delete it and move on.
      • Yes = Change your UGA password immediately. Call the EITS Help Desk (706-542-3106) if you need help. Then report the message, delete it and move on.

Any time there is a data breach, user names and passwords are gathered up and sold on the internet. Hundreds of criminals could have your MyID and an old password. As long as you don't use that password anywhere else, you should be fine. If you do use that password elsewhere - go change it now.

  • Have you been visiting adult video (porn) sites on your UGA owned computer?
    • No. You have not - You have not downloaded malware from a porn site.
    • Report the message to the Abuse Team (, delete it and move on. 
    • Paranoid? Go ahead -update and run your antivirus program. It won't hurt anything.

If you look for the red flags you will find them, too.

From: Online Criminal <ima.criminal[at]>
Sent: Thursday, July 19, 2018 3:55 AM
To:User Name <username[at]>

Subject: re: jdoe3390 – loveU2

This is your badluck. I know that loveU2 is your password. More importantly, I know your secret and I have evidence of this. You do not know me personally and no one employed me to examine you.

It's just your hard luck that I stumbled across your blunder. Let me tell you, I placed a malware on the adult vids (porn material) and you visited this site to experience fun (you know what I mean). While you were busy watching video clips, your web browser started operating as a Rdp (Remote control desktop) that has a key logger which provided me with access to your screen and web camera. Right after that, my software program gathered every one of your contacts from your messenger, facebook, and email.

After that I put in much more time than I probably should have looking into your life and generated a double-screen video. First part displays the recording you were viewing and other part shows the recording from your web cam (its you doing inappropriate things).

Frankly, I am willing to forget all information about you and allow you to get on with your regular life. And I am about to present you 2 options that will achieve that. The above choices to either ignore this letter, or simply just pay me $ 3600. Let's understand those 2 options in details.

First Option is to ignore this email. Let me tell you what is going to happen if you select this path. I will send your video recording to all your contacts including family members, colleagues, and many others. It won't help you avoid the humiliation your household will face when family and friends uncover your unpleasant videos from me.

Second Option is to make the payment of $ 3600. We will call this my "confidentiality tip". Now let me tell you what will happen if you pick this choice. Your secret will remain your secret. I will erase the recording immediately. You keep your life as if none of this ever happened.

Now you must be thinking, "I'm going to report to the cops". Let me tell you, I have covered my steps to ensure this email message can't be tracked back to me also it will not stay away from the evidence from destroying your health. I'm not looking to steal all your savings. I just want to be paid for efforts and time I place into investigating you. Let's assume you decide to make all this go away and pay me the confidentiality fee. You'll make the payment via Bitcoins (if you don't know how, search "how to buy bitcoins" on search engine)

Transfer Amount: $ 3600
Send To This Bitcoin Address: 19diopb5QpYyURWZWXf9sWWCwNLjkHRGmH
(It is CASE sensitive, so you should copy and paste it)

Share with no person what will you be transferring the Bitcoins for or they will often not give it to you. The task to get bitcoins usually takes a few days so do not wait.
I have a unique pixel within this email, and right now I know that you've read through this e mail. You have one day in order to make the payment. If I don't receive the Bitcoin, I will send your video recording to all your contacts including members of your family, coworkers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I will erase the video immediately. It's a non negotiable offer, thus kindly do not waste my time and yours. The clock is ticking.

Meeting Notification and Other Phishy Email - A Fresh Phish PSA

Reported on July 16, 2018

Long post ahead.

Did you get one of these Meeting Notification phishing messages in you inbox? Fresh Phish did. And so did many others if the reports to is anything to go on.

This is actually the second time this phish has gone the rounds on campus this month. It's an oldie but a badie, and common as dirt.

Phishing is a type of social engineering. The bad guys send out a message in order to use your trust and desire to be included to trick you into reponding. The goal is almost always to get your personal information or your login credentials for a system or site.

How can you spot a phish? In many cases there are a set of "red flags" - common features that should alert you to the danger. Phishing is dangerous - never doubt that - and almost every big data breach has started with a phish.

Red flags in this message:

  • Do you know who the sender is?
    • Always check the sender's name. Question why they would be sending you this message. (We removed the sender's name because Fresh Phis does not point fingers.)
  • You are not addressed by name.
    • Or is your name "Important Message"? We didn't think so.
  • What is the "urgent meeting" about?
    • The lack of details should set your phishy senses tingling.
  • You are asked to take action to learn more
    • This is where trust comes in.
  • The link to "click here for more details" has no context.
    • The link is hidden behind the words, rather than spelled out.
    • Never trust a hidden link or a shortened link, unless you are sure the message is legitimate.
    • We recommend you distrust the request to "kindly" do anything.
  • An official UGA business email will include an identifiable office or person in the signature.
    • University of Georgia is not a person. It's not an office either.
We will likely see more of these sorts of phishing messages as the academic year rams up. Be alert to them along with variants like "Blackboard Newsfeed" or "New Blackboard Message".  (Do not click the link -log in to eLC directly to see if these messages are real.)
Bug Eyed Phishers want your info. Don't let them have it.

From: User Name <username[@]uga>
Sent: Monday, July 16, 2018 8:55 AM
Subject: Meeting notification

Important Message

There would be an urgent meeting tomorrow, 17th July 2018.

Kindly clickhere (we removed the link to a phishing site) for more details.

Thank you.
University of Georgia.

Tl;dr - Expect phishing to ramp up as the academic year does. We expect to see many repeat messages and variations on them. Stay alert. use your delete key to give phishing the finger.


Reported on July 13, 2018

This phish a typical "vlaidate your account" type of phish.

Fresh Phish is happy to point out that it is highly unlikely that your email box is 98.9% full. Fresh Phish polled a few Outlook users and most have plenty of space left, even after being at UGA for several years. (You can find out how to check your UGAMail usage after the UGAAlert phish example.) 

Let's take a quick look at the red flags in this message:

  1. The Subject line does not tell you anything about the content (it's generic.)
  2. You are reduced to "Dear UGA User": You are not addressed by name.
  3. The message tries to make you react without thinking (panic.)
  4. You are threatened with the loss of a service - your mailbox.
  5. You are instructed to take action.
  6. The language in the body of the email is off: "We apologies for any inconveniences..."
  7. If you hover, you'll discover the VALIDATE link goes to a non-UGA site. Place your mouse pointer over the link - do not click it! - to see where it goes.
  8. The exclamation points in the sign off are just bizarre, not to mention unprofessional.

From: User Name
Sent: Thursday, July 12, 2018 6:04 PM
To: Same User Name
Cc: Same User Name Again
Subject: UGAAlert

Dear UGA User

You have used 98.9% of the total data space allocated to your mailbox. To avoid placing your incoming messages on hold or lose them permanently ,we require you to validate your mailbox to expand your data allocation size.

Kindly click VALIDATE (we removed the link to a bogus page) to update your mailbox

We apologies for any inconveniences this might have caused you

Thank you!

Mail administrator!

How can you find out how much space you have in your email inbox?

In Office 365 do the following:

  • Open Outlook
  • Click on the gear icon near your name
  • Select Options from the drop down menu
  • Select Clean UP Mailbox to view your available space

In the Outlook on the desktop:

  • Select the File tab
  • Select Info to view your Account Information
  • View your mailbox usage under Mailbox Cleanup

Phishers gonna phish. Don't get caught!


Your message has not been delivered to the following recipients:

Reported on July 10, 2018

This phish poses as a Microsoft Account alert - but it's definitely a phishing message.

The red flags are as follows:

  1. Missing pronoun in "Message is Microsoft trusted source"
  2. The message recipient for the fake error is never identified
  3. You are not greeted by name (your email address is not your name, y'all.)
  4. Strange phrasing fo "Error Email Delivery"
  5. Threatens to delete your fake "undelivered" messages "if not Deliver in less than 24hrs"
  6. Requires you to take action to prevent deletion of the fake messages
  7. The link to "Release Pending Message" goes to a site in Vietnam (.vn).
  8. The signature is all wrong - no individual is identified
  9. The stop receiving notifications "Options" link points to Google, not Microsoft, Outlook or Office 365.

From: Microsoft Office account <notification[at]>
Sent: Tuesday, July 10, 2018 1:31 PM
To: User Name <username[at]>
Subject: Your message has not been delivered to the following recipients:

Message is from Microsoft trusted source.

Error Delivering Message to Inbox.

Dear [username[at]],
This is a system notification for Error Email Delivery.

There are many Undelivered messages for your Microsoft Office account [username[at]]. This messages will expire and will be deleted from our main Server if not Deliver in less than 24hrs

Please follow action below to correct Email Delivery Error.

Release Pending Message (we removed the link to a bogus site in vietnam)


Microsoft Office account

To stop receiving notifications about your Email delivery?, go to Options (link points to Google)  and turn them off.
This system notification isn't an email message and you can't reply to it.

Message from HR Department

Reported July 9, 2018
Well gosh. This phish is a doozy. It's short, it's sweet and vicious - in a knife-behind-the-back sort of way.
Where is red flag #1? The subject line: it's in all caps. That should alert you to this message being less than professional. So it's unlikely to be from the UGA HR Department.
Red flag #2 is in the greeting: You are a person, not an email address. The HR Department won't substitute your email address for your name.
Red flag #3: Punctuation - using a comma at the end of a sentence and failure to capitalize the next word. Oh, and no period at the end of the sentence. Not a professional / business communication.
Red flag #4: The use of a hidden / obscured link. If you hovered you mouse over the link it would show as a tiny.url link. This is not a clear link to a UGA site; do not trust it.
Plus, why on earth would HR ask you in an email to open an Outlook app to retrieve a message when you are already in Outlook? Does that seem odd to you? It does to us. Why not just send the message in the email? It's a mystery.
The EITS Office of Information Security has already blocked this link so no one can click through to the hidden site. Unfortunately, it looks someone did before it was reported to as a phish.
Online criminals have no problem pretending to be someone important to trick you into falling for a phish. Stealing credentials is like shooting phish in a barrel for them.
Not sure if a message is legit? If you get a message that seems 'phishy' you can always contact the EITS Help Desk via email or phone (706-542-3106) for confirmation.

From: User Name (username[at]
Sent: Monday, July 9, 2018 12:01:16 PM
To: A Specific Set of Supervisors


Dear username[at]

You have a new message. open with outlook app (shortened link removed) to view your message


User Name
UGA Department | Administrative Position
University of Georgia

Additional contact information
was removed.


Reported July 5, 2018

Out of the sea of "final notice", "meeting notification", and "mailbox quota exceeded" emails rises a spear phish - a phishing email targeting an entire department or group.

Like a hungry shark it tries to take a bite out of an Expert Phish Spotter! And fails.

Whew. Good thing our Expert Phish Spotter was easily able to reel in this spear phish  and report it. It's a very phishy message, but in the wrong mailbox it might have caused some financial havoc. What makes it so dangerous?

  1. It claims to be from an actual UGA Department Head (checking the From address shows it came from a random numbered account at Gmail.)
  2. It was sent to a director in the same department and in this case, the criminals did Thier due diligence. Fresh Phish replaced the Important Director's real name, but the bad guys actually used it in the email.
  3. In addition, the bad guys used the real Department Head's name as a signature.

It has only a few of the red flags associated with a phish.

  • Odd word choices
  • Strange grammar and punctuation
  • Run on sentences
  • Implied sense of urgency
What tipped off our Expert Phish Spotter? The request in the email. Would your boss ask you to:
  • Buy 5 $100 itunes gift cards
  • Scratch off the silver security strip on the back to reveal the numbers
  • Take a picture of the numbers and send them to me
  • And oh, yeah, I'll pay you back - how do you want that?
  • Forgive me for not calling; because fake reasons
  • So just do what I want. Now.

    Subject: Re: REQUEST
    Date: Mon, 2 Jul 2018 18:17:07 +0100
    From: UGA Department Head <random numbered address[at]>
    To: Important Director <idirecto[at]>

    Important Director, I am so tied up this moment, Can you buy an iTunes gift card 5pieces - $100 each? I need you to enable me to scratch the silver board at the back and help me take a reasonable photo of the card including the 16 digits code and send it on here, I would repay you when am through, Let me know how you would need the installment back, either with check or cash, likewise I would have liked to call you however can't get or call right now with my line, I might want you to assist me with it ASAP.

    UGA Department Head

    sent from iPhone

A special thank to P.T. for catching the REQUEST spear phish and alerting the abuse team.

Don't Get Schooled by a Phish

Phishing email can teach anyone a lesson the hard way.

Phishing is designed to trick you into giving away information that online criminals find desirable and useful in committing crimes. We are talking crimes like identity theft or fraud, credit fraud, income tax fraud and computer fraud. Fraud is definitely a theme in online crime.

So what do all those mean?

Identity theft or fraud - Identity theft or fraud is what happens when one person steals another person's personal information and uses it without authorization. It is usually used to commit a crime (like one of the following!) The goal of identity theft or fraud is most frequently economic gain. Yep. It's all about the money.

Credit fraud - It's kind of a wide-reaching term, but at its core credit fraud often involves stealing someones identity to get credit, use it, and not pay the bills. Credit fraud involves all kinds of credit, including credit cards and loans. So yeah, getting caught by a phish could leave you on the hook for hundreds of thousands of dollars in debt. And you may not know it.

Income tax fraud - This is another broad category. What we are talking about here is someone stealing your personal info to file faked tax returns in your name. They criminals get a hefty tax return and you have to prove it wasn't really you. It could take months for you to get your legitimate tax return. Are you sensing a pattern?

On a related note, at tax time there is commonly a rash of fake IRS phone calls. Someone claiming to be from the IRS says you owe them money. They might threaten to send local law enforcement around to arrest you if you don't pay right then and there. (You can find out more about IRS scams in an earlier post.)

Computer fraud - Is using a computer to steal or change electronic data, or to gain unlawful use of a computer or system. Most major information security breaches start with a phishing attack. This is why you see phishing emails that ask you to confirm your account or password. Do not do this, m'kay?

Here are four things to remember:

  1. EITS will not send you an email asking you to confirm your user name and password.
  2. UGA will never ask for your password in an email.
  3. Any MyID password change, refresh or update will always take place on the MyID Tools and Information webpage.
  4. If you are ever in doubt about what may be a potential phishing email, call the EITS Help Desk at (706) 542-3106 or forward the email with its headers to

This is a good place to point out that phishing is not limited to email. Phone and text phishing happens too.

So be careful out there. Take time to think before you react to any email, phone call or text that asks for your personal information or login credentials, threatens to take away a service, or makes outrageous claims. Paying attention can help you avoid getting schooled.

Phishers gonna phish.


Meeting Notification

Reported on June 15, 2018

Okay, Phish Spotters!

You are making a big splash reporting the current phish that's making waves.It’s a good thing, too. This phish is posing as a University-wide meeting invite and going out to a lot of inboxes.

Let’s fillet this phish:

  • “Dear Faculty/Staffs/Students” – so, about 50,000 people are informed of a meeting…
  • Generic greetings like “Dear Faculty/Staffs/Students” are a red flag.*
  • “This is to notify all of an important meeting which is scheduled to hold 15th June 2018.” - And they want EVERYBODY to attend. Today. That's a time limit - and a red flag.
  • But the meeting is not important enough to tell you when or where. Or what it's about. That's phishy: lack of details can also be a red flag.
  • Then the phishers include a “Click here” link “for details” – to send you to a fake CAS login page.  (Using “Click here” as a link is another red flag!)

This fake CAS page is identical to the real one with two exceptions –

  1. There is no secure page lock icon in the browser address bar
  2. The web address is completely wrong.

If you enter your MyID and Password, you are redirected to the real CAS page. It looks like you made a mistake and got dropped back to try again.

But don’t be fooled! Your credentials have been stolen.

It’s time to change your UGA password.

From: User Name (username[at]
Sent: Friday, June 15, 2018 1:06 PM
Subject: Meeting Notification

Dear Faculty/Staffs/Students,

This is to notify all of an important meeting which is scheduled to hold 15th June 2018.
Click here <link to a bogus CAS login page removed> for details.

Thank you.
University of Georgia.

* Red flags are warning signs, they are indicators of a possible phishing attack. To learn more about red flags in shishing, visit the EITS Phish Tank.

Nikita Mexia has shared OneDrive Important files with you

Reported June 13/2018

Sweet whole wheat biscuits!

This sort of phishing message is one of the last things any of us need, all y'all.

It's generic enough to catch a lot of people off guard, especially if they are:

  • students getting ready for midterms or gearing up for a class project
  • attending a conference or training (if you read statement as "bill")
  • collaborating with others on creating a new online class
  • paying bills on business accounts (once again - statement can be a bill)

or expecting a file in OneDrive and not reading carefully.

Fresh Phish expects that students may be a bit more inclined to click on this one. Why? How many of y'all out there know the names of every other person in class with your right now?

Remember, phishers know y'all are busy. They probably know y'all use Office 365. And they can guess that "OneDrive" is going to tempt y'all into clicking.

There aren't many red flags in this one:

  1. The sender's email is a University of Leeds account in the UK.
  2. The recipient is not addressed by name.
  3. If you hover over "here" or the document link you can see the link goes to a ".za" address (that's South Africa).
  4. The unexpected .pdf could hide malicious software or direct y'all to a web form that would prompt for your user name and password
  5. And of course, if y'all can't open the document, there's no telling where that reply to email address may really take you.

From: Nikitia Mexia <N.Mexia[at]>
Sent: Wednesday, June 13, 2018 2:20 PM
Subject: Nikita Mexia has shared OneDrive Important files with you

Nikita Mexia has shared OneDrive Important files with you. To view them, click here (the link to a doc hosted in South Africa has been removed) or the link below.
Course_statement.pdf (The link to a doc hosted in South Africa has been removed.)

This file is for your attention, let me know if you have problem opening it.

Be careful out there, y'all. We all know phishers gonna phish.

Email Update (Important)

Reported June 11, 2018

ATTENTION. ATTENTION. This is the Fresh Phish Phishing Alert System.

If you receive the message in the example below delete it immediately. This email is a phish.

Repeat: This email is a phish. An online criminal has launched a phishing attack against inboxes that are part of the University of Georgia's UGAMail Service.

Delete phishing immediately or report any suspicious email messages to for investigation.

Someone at Fresh Phish is showing their age. But that doesn't stop them from knowing that the email in our example is bogus. You can too. How?

Do a sense check. Read the email slowly and ask yourself if the message makes sense. If you do, you'll notice that:

  1. There is no Infotech Help Desk at UGA
  2. Official UGA communications do not come from gmail email addresses
  3. It's full of techy jargon to misdirect you from its harmful intent.
  4. It asks for your username and password
  5. It threatens loss of folders and access to make you react without thinking.
  6. It's full of random capitalization, punctuation errors, run-on sentences odd word choices and more.
  7. The signature is definitely not a professional sign off: There is no contact information in the signature.

A big shout out for M. P. for reporting this phish. Thanks, M. P.!

From: Infotech Help Desk (infotech.uniservice[at]
Sent: Friday, 6/10/2018 1:53 AM
Subject: Email Update (Important)

We are upgrading our database Server from our Old Server (No420134x) to a New Server (No521093x), this is and extreme measure to check against frequent email hack and to link all email account to the school data base directory fo easy accountability, validity and better services.

Please you are require to provide the Help Desk Centre with following information at Technical.uniservice[at] (dangerous email link removed).

  1. your email I.D.
  2. your email password

NB: Unverified email will lose information in email folders and will not have access to full features and information in the university database.

All your details is strictly confidential and is not to be disclosed. Web Admin
©Support Administrator All rights Reserve

Phishing Phonecalls? Say What!?!

Reported May 31, 2018

Yep. Fresh Phish usually focuses on email messages, but phishing happens in other ways too. It's pretty common for the Bad Guys to go phishing on social media, in text messages and on the phone.

Recently there have been a few reports of phone phishing on UGA phones. Thanks to Expert Phish Spotters M.D. and D. L. G. - you deserve a big shout out for reporting the problem. Thank you. - we have a chance to get ahead of the Bad Guys.

So how does phone phishing work?

Your phone rings.

You pick up and someone on the other end says they are calling from Microsoft. (They are not. Microsoft does not make unsolicited support calls to fix our computer.)

They say, "We got a report that your computer has a virus, and is sending out a lot of information over the internet." (It is not.)

The fake Microsoft tech the offers to:

  • fix it for you
  • sell you an antivirus solution
  • or access your computer remotely so they can repair it

All of these choices are scams.

Choose the fix and the caller will demand your credit card number. Later they will abuse it. Nothing will get fixed, because there was nothing wrong to begin with. If they send you something to install, it's likely to be malware.

Same thing for the antivirus solution. Wave bye-bye to your credit card number and say hello to malware. You might get directed to a website to download a program to fix your computer. You could end up with a program that gives the caller:

  • remote access without your consent
  • the chance to drop a spy program
  • any personal and/or financial information on your computer

Giving an random caller remote access to your computer is just a really bad idea. So don't do it, M'kay?

What should you do if you get a call like this?

  1. Write down the phone number from your caller ID.
  2. Make note of the caller's name.
  3. Hang up. You can thank the caller if you want, but avoid sharing any information about your system.
  4. Report the call to your friendly departmental IT person. They need to know about the scam in case others start getting the same call.

This is an old scam: The Bad Guys keep using it because it works.

Tl;dr - Fake Microsoft techs are cold calling UGA offices. They claim your computer has a virus. It's a scam. Don't fall for it.

Hi There

Reported on 5/17/2018

Don't you just hate it when phishers prey on vulnerable students? Oh, wait. They do that all the time.

It doesn't make it any better when the bad guys pose as a legit office like Financial Aid and offer fake job opportunities. And they had the nerve to use the UGA logo trick you into thinking the email is real.

First: This email is a phish. Do not be fooled. It's designed to steal personal information. Once the phishers hook you with the promise of money, they will work to get even more information out of you. After all, your employer needs your Social Security number, right?

You are expected to fill in an online application form. What a great opportunity for the bad guys to get even more information they can use to take out loans and credit in your name.

Second: Think about the numbers. If this email goes out to everyone who may receive financial aid, that would be thousands, if not tens of thousands, of job applications in response. Not many companies could cope with that number of applications coming in.

But the online crooks would love that high response rate. Hundreds of thousands of identities they could use? You betcha. Just think of the credit fraud they could perpetrate before they are caught! If they are caught. And it could take years for the victims to notice.

Third: There are red flags in this message.

The biggest red flags are:

  • The subject line is generic. It's designed to make you read further.
  • You are not addressed by name. Shouldn't the sender know who you are?
  • Business titles are included, but no actual names ("Director, Financial Aid." and "Recruitment Team Retail Shopper Express LLC ©2018").
  • Poor use of punctuation and strange phrasing (missing pronouns and odd verb tenses, such as "Evaluation agent are").
  • The offer is just too good to be true.

A big shout out to Expert Phish Spotters T.P. and D.M. who were early reporters. And to everyone else who either sent this email to  or hit the Delete key to give phishing the finger.

Phishers gonna phish.

From: User Name (username[])
Sent: Friday, May18 2018 2:52 PM
Subject: Hi There

Office of Financial Aid 220 Holmes/Hunter Academic Building. Athens, GA 30602-6114.Phone: (706) 538-5647.


Job Opportunity!

See below flexible evaluation agent job opportunity which should be of great benefit to you and could be part of with a good pay as well.

Thank you,

Director, Financial Aid.


What does an evaluation agent do?

An evaluation agent visit specific stores like like Walmart, Argos, Western Union, restaurants, shopping store etc,And businesses anonymously for the purpose of observing and reporting on the quality of customer service delivered. The answers submitted by our evaluation agent enable clients to make employment decisions, reward staff for excellent performance, redirect staff who perform poorly and evaluate adherence to company service standards.The evaluation agent process begins with on-line training, depending on the job assignment. After completing initial education our evaluation agent are able to select assignments, complete jobs by visiting a site or performing a telephone evaluation and finally entering job data into the online database.


Why should I become an evaluation agent?

Being an evaluation agent is well suited to anyone who would benefit from:

    * Receiving free products and/or services (on certain assignments).

    * Highly flexible hours.

    * Contributing to a higher level of customer service.

    * Having a diverse number of shopping experiences.

    * You'll be able to participate in educational sessions via online training;You do not pay for this.


How much does an evaluation agent get paid ?

Evaluation agent are independent contractors who receive rewards in the form of gift vouchers,or bank deposits. In addition, on many assignments, free goods and/or services are also available. The amount you will get paid varies by the type of assignment you complete. Payments generally range between $300 to $400 per assignment.


Do evaluation agent work part-time or full-time ?

Evaluation agent should be considered part-time or casual work.


Do I need previous experience as an evaluation agent?

NO, previous experience is not necessary.Agents are recruited based on the information provided in their online application form, their aptitude and ability to meet assignment requirements.We offers extensive online training which will broaden your understanding of the job,And assist you in becoming a highly effective agent.

Remember, NO APPLICATION FEES,It does not cost you anything to get started.Send a reply to Unkownperson@anon-UGAwebsite (link removed) with your information if you are interested.

Full Name:

Mobile Phone Number:

Full Address:

Gender & Age:


Personal email address:



Recruitment Team Retail Shopper Express LLC ©2018

Tl;dr - Never trust unsolicited job offers. A logo does not make an email legit. And remember, if something seems too good to be true? It's likely to be fake.

UGAAlert Revisted: The Phone Version

Reported on 4/11/2018

We are sending a special shout out to BWS and SF for getting a screen shot of the mobile version of the infamous UGAAlert phishing message to us!

Why are we so excited?

Messages can look totally different depending on how they are displayed. It's possible to respond to a message on one device that you would never click on in another. (Compare this mobile version of the phish with the text version reported on 3/7/2018.)

Plus we tend to respond more quickly on our phones while we check them on the go.

Here is a quick run through of the red flags, okay?

  • The Sender
    • The EITS Help Desk rarely sends email from a single individual
    • The Subject
    • The terminology is wrong - We use UGA Alert for a specific reason
  • The Body
    • The entire message is run together - it's one big sentence.
    • Take a look at all those random capitalizations - they are all over the place.
    • The language is off - "wait for respond from our Help-desk Service Team".
    • EITS won't ask you to verify / validate your account in an email.
    • EITS won't threaten you with account closure.
    • EITS won't tell you to provide your credentials and then fur us to contact you.
  • The Links
    • EITS will spell out all links and not use CLICK HERE or similar link language.
    • EITS Help Desk's email does not have a hyphen in it.

Be careful out there.

 Mobilephishing message



Reported on 3/7/2018

Is this email "legit"? Nope. Not one eentsy bit.
  • The entire message is run together - it's one big sentence.
  • Take a look at all those random capitlizations - they are all over the place.
  • The language is off - "wait for respond from our Help-desk Service Team".
  • The terminology is wrong - We use UGA Alert for a specific reason and we our Help-desk is not hyphenated.
  • EITS won't ask you to verify / validate your account.
  • EITS won't threaten you with account closure.
  • Plus - take a look at the last phish we posted. It is almost identical to this one.

    From: User Name
    Sent: Wednesday, March 7, 2018 4:22 PM
    Subject: UGAAlert

    Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <we removed the link to a bogus page> for verification to avoid account closure, wait for respond from our Help-desk Service Team.

    Thank you,

    Enterprise Information Technology Services (EITS)
    University of Georgia
    help-desk[@] <mailto:help-desk[@]>

A big thank you to all the amazing Phish Spotters who sent this message in to so we could get the word out to the rest of campus! You're the best.


Administrator Team

Reported on 2/26 - 27/2018

Sweet whole wheat biscuits! Our Expert Phish Spotters were all over this message.

Y'all have done Fresh Phish proud. Keep up the good work. Each time one of you reports a phish, you help keep UGA systems and accounts - yours included - safer.

Let's take a good look at a copy of the actual message. It's a classic phish with the top 6 red flags:
  1. "Dear UGA User" (You are not addressed by name.)
  2. Strange run-on sentences.
  3. A deadline (implied as right now or we will close your account.)

  4. Implied account closure.

  5. A 'hidden link' behind "Click Here" (EITS uses full link text that you cannot click.)

  6. No contact information for EITS.


From: User Name
Sent: Tuesday, February 27, 2018 2:25 PM
Subject: Administrator Team

Dear Uga User,

Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <We removed the link to a fake page at a webhosting> for verification to avoid account closure, wait for respond from our Helpdesk Service Team.

Warm Regards,
Helpdesk Administrator.

Now, just for fun, let's translate this message into Phisher-speak:


Hey you. Yeah, we don't know your name and we don't care,

We are lying to you to try to convince you that someone else signed in to your account from... someplace. We can't be bothered to make up a place. So, just trust us and click the link, m'kay?

Then you can give us your credentials. We will lie to you again, to make you panic by threatening to close your account.

Then you can wait for us to get back to you. As if.

Warm Regards,

The Bad Guys

Those bad guys are soooo disrespectful. Phishers gonna phish.


Account Payable Share A File With You

Reported 2/27/2018

Okay. so you get an email that says "Account Payable" has shared a document with you (just like our example.) What is the first thing you would do?
An Expert Phish Spotter would take one look at this email and delete it without a second thought. Why?
  1. First, the title of the attachment. It is poorly written. And unless you are expecting something from Accounts Payable at UGA, the attachment is clearly a lure
  2. And many Expert Phish Spotters know that ".msg" files as attachments often hide malicious software.
  3. Next, the sender (we removed his name to protect the mostly innocent) is at another university. Why would a UGA business office send you something through another university email system?
  4. Uh-oh. You are not directly addressed by name. "Dear Uga User" could be anyone. Plus the "Uga" part is all wrong.
  5. The language used in the body of the email is just plain wrong.
  6. Mousing over the View Document link would reveal OneDrive file link.
  7. And what about that signature? Don't get us started on the unprofessional sign-off!

Be careful out there.

Account payable email attachment 

From: User Name (username[@]
Sent: Tuesday, February 27, 2018 10:44 AM
Subject: Account Payable Share A File With You


Dear Uga User,

Account Payable sent you an Important and Secured document

View Document <We removed a link to a treacherous OneDrive file.>



  The Office Doc’ Team


© 2018 Office doc


Reported 2/13/2018

Wow. Y'all are amazing! So many Expert Phish Spotters reported this email that Fresh Phish could hardly keep up. A shout out goes to the first Phish Spotter, JS, who reported this attempt Tuesday night - Way to go!

If anyone out there recognizes the bogus webpage with the big blue cloud as a place they filled in their info, please change your MyID password as soon as you can.

Here is a quick review of the major red flags in the message:

  • "Dear UGA Account Owner" (You are not addressed by name.)
  • Strange grammar and punctuation ( must fill our verification form...)
  • A deadline (...immediately.)
  • Implied loss of service (if you don't fill out the form accurately, your contacts and documents won't be saved.)
  • A 'hidden link' behind "CLICK HERE" (EITS uses full link text that you cannot click.)
  • No contact information for EITS (The UGA Internet Access? Really?)

Let's take a look at the red flags on the bogus webpage, too:

  • The University of Georgia logo is obviously pasted on
  • The site is powered by Weebly - you won't see that on official EITS pages
  • The form fields are poorly labeled (Re-password especially)
  • "Simply fill these form" in the upper right corner

Phishers gonna phish.

From: User Name
Sent: Tuesday, February 13, 2018 7:39 PM
Subject: Verification

Dear UGA Account Owner,

To complete your Account- UGA Webmail email account settings, you must fill our verification form immediately and provide the information requested. To SAVE your contacts and documents in your Mailbox, you are requested to fill in the verification accurately,

Click on the link below and follow procedures as advised bellow
To Upgrade Your UGA Internet Access Settings! CLICK HERE<link to a bogus page at a webhost has been removed>!
Thank you for your Co-operation.
Copyright ©2018 The UGA Internet Access

Support Privacy
Terms of Service
© 2018 UGA


Form on phishing site 

Tax Fraud Season - Warning! Long Post Ahead

Tax fraud is big business. Criminals steal your Social Security number, make fake W2s and file a tax return while claiming to be you. Even if you don't expect a refund you can still be a victim of ID theft and tax fraud.

File your taxes as soon as you can. Beat the bad guys. If you don't you may end up being the one who has to prove who you are. It can take several months, if not longer to get your refund back if you get caught up by a scam.

Last year was a rough one - the IRS lost a lot of taxpayer information and Equifax got hit hard in a data breach that affected millions.

2018 Dates to know:

Filing Deadline -  In 2018 the official tax deadline is Tuesday, April 17th. (April 15th falls on a Sunday and the 16th is Emancipation Day in Washington D.C.)

Possible Delays - You should also be aware that refunds that claim Earned Income Credit or Additional Child credit are likely to be delayed this year. It seems that criminals love to use those credits for tax fraud, which means more work for the IRS to confirm the credits are legit.

Popular scams to lookout for in 2018:

Tax relief scams - These don't seem to be as big this year, but if someone offers to reduce your taxes be alert to scams. Especially if money needs to be paid up front (the scammers will take it and run). If you need to use a tax relief business, check them out thoroughly first.

Federal Student Tax – Did you receive a bill for the Federal Student Tax this year? No? Good, because it doesn’t exist. Be prepared. You may be contacted by scammers if you are a student or the parent of a student.

Phishy Tax Preparers - Criminals may claim to be Tax Preparers to trick you into giving away your personal information. If you get an unsolicited email from a tax preparer, avoid clicking on links or opening attachments. Just delete the message.  Also, if any tax preparer asks you to pay cash for part of all of your taxes, that's a huge red “it’s-a-scam” flag.

Fake IRS Agents

Every year criminals posing as IRS agents call and attempt to scare you into complying with their demands.  Don’t be fooled! If there is a problem, the IRS almost always makes first contact by sending a letter through the US mail.

Have you gotten a call from a bogus IRS agent? Scammers like to use common names like John Jackson, Mike Smith or Anne Jones when posing as IRS agents. If they give you a badge number, they’ll often say it too fast for you to jot down. How do you tell the real agents from the fake ones?

Real IRS agents will not:

  • leave a phone message demanding immediate payment
  • use intimidation or threaten to have you jailed, deported or otherwise detained
  • ask for a specific type of payment (cashier's check, cash, money order, bank transfer, prepaid debit card, wire transfer, gift card etc.)
  • ask you to pay over the phone with a credit card or debit card
  • call you to verify tax information or personal details
  • ask for your social security number in an email, text or phone call
  • ask for your bank account number in an email, text or on the phone
  • call to let you know you are eligible for a huge refund
  • email you telling to update your e-file account
  • direct you to a webpage that begins with anything other than https://www/ or (be alert to bogus sites like, or )
  • send you a tax transcript you did not request (getting one may indicate you're an ID theft victim)

Criminals often spoof phone numbers so your caller ID might display the correct IRS phone number or ID when a scammer calls. Bogus IRS calls happen so frequently that the IRS has an "IRS Impersonation Scam Reporting" website.

Talk to older family members about fake IRS calls. Criminals won't hesitate to bully older familiy members into complying with their demands.

Filing Online - Be super careful when filing your taxes online. Only do it on a secure computer connected to a secure network. Unencrypted connections can easily be intercepted by crooks who are watching for them. The crooks insert themselves into your transaction and grab your personal information without alerting you to the attack. So, no filing your taxes at the local coffee shop, even if you really need the caffeine.

Tips for avoiding tax time scams:

File your taxes early! Get your refund in before the criminals do. Even if you owe taxes this year, the criminals can file a fake return that may launch an IRS investigation. Protect yourself.

Be alert to the fact that successful early filing does not guarantee that your personal information is safe.

Use the "Where's my Refund?" tool at the IRS site to track the status of your refund.

Consider getting an Identity Protection PIN (IPPIN) from the IRS if you qualify. Use your IPPIN along with your Social Security Number to make filing your taxes more secure.

Know your rights as a taxpayer. Didn't know you had any? Check out the Taxpayer Bill of Rights for more information.

Stay informed. The IRS has a page about Tax Scams and Consumer Alerts and a Google search will get you a lot of information.

Other actions:

Get a phishy email? - If you get an email claiming to be from the IRS you can forward it to

Think you're a victim of ID Theft? - Tell the IRS right away! File a form 14039 to report the theft of your identity. The IRS will send you a letter with follow up instructions (it can take a while.)

Phony IRS Agents? -  Report the call to the Treasury Inspector General for Tax Administration (TIGTA) via their IRS Impersonation Scam Reporting web page or call (800) 366-4484.

Let the Federal Trade Commission (FTC) know via their FTC Complaint Assistant. Include "IRS Telephone Scam" in the notes to let the FTC know what’s up.

Tl;dr -Protect your identity and your refund this tax season. Don't fall for scams or fake IRS agents and file your taxes as soon as you can.


Something went wrong : update your payment method

Reported February 3, 2018

Let's start with a shout out to LJ, who was the first person to report this email. Thank you, LJ!

Netflix scams are pretty common. This particular one is similar to one that has made the rounds at least once before.

A close look at this message should set off your phishing alarms. Starting at the top:

  • The message is from Service at a site called prime-excel  - not from Netflix
  • Don't you think it's strange that they want your money, but don't know your name? - "Dear Customer" is a tip off that the message is a phish.
  • Read the body of the email carefully:  The writing is a bit wonky, don't you think?
  • "visit [the URL] to Netflix ..." -  Does that seem like something a real company would write? - Clicking the link will take you to a fake login page where the phishers will collect your user name and password and pass you to a form where you can give away your credit card information too.
  • That 1-888 phone number is not the Netflix Help Center number. - the phishers are counting on you just calling the number. They will pretend to be Netflix if anyone calls.

If you are worried about the email, open a new window in your browser, type in the search bar and log in as normal.

Or you could just Google "Netflix scam" and find out all about this email and others like it.

From: Service [mailto:service[@]]
Sent: Saturday, February 3, 2018 7:03 PM
To: User Namer <usernamer[@]>
Subject: Something went wrong : update your payment method

NETFLIX Team Service
Please update your payment method

Dear Customer,

Sorry for the interruption, We were unable to bill your membership for the current month. To ensure that the service will not be interrupted, visit  [We removed the shortened link that pointed to a bogus page designed to steal your payment info] to Netflix then you will be prompted to update your payment method.

Need help ? Were here if you need it. Visit the Help Center or contact us now.

Your friends at Netflix

Questions? Call 1-888-811-9842

This account email has been sent to you as part of your Netflix membership. We may also send email about enhancements to the Netflix service, tips for getting the most out of your Netflix membership, and special offers. To change your email preferences at any time, please visit the Communication Settings page for your account. Please do not reply to this email, as we are unable to respond from this email address. If you need help or would like to contact us, please visit our Help Center at This message was mailed to you by Netflix. SRC: 12618_7786_1_en_CA Use of the Netflix service and website is subject to our Terms of Use and Privacy Statement. 100 Winchester Circle, Los Gatos, CA 95032, U.S.A.

 Tl;dr - The phishers are at it again, and they are targeting your Netflix account username, password and credit card information. The phish is recycled, but it is still catching some people off guard.

Phishers gonna phish.

Fresh Phish PSA: Unsolicited Job Offers in Your Inbox

Spring is in the air and graduation is coming up fast; so are bogus job offers. Phishers love to offer bogus jobs at routine times of the year.

Around Christmas we see a lot of Secret Shopper offers. And work from home jobs.

In the spring the bad guys try to tempt soon-to-be grads with prestigious sounding internships or summer work.

How do you spot these scams? Here are a few tips:

  • The phishers reach out to you; sometimes they claim to have found your resume online, or that their attention was caught by your profile on LinkedIn.
  • The money / salary on offer seems just too good to be true.
  • The job description tends to be vague or the message does not state requirements for education or experience level.
  • The reply to email address seems odd; it may be for a yahoo or gmail address.
  • Just remember, no company is going offer you a job out of the blue, not even knowing who you are.
  • If the so-called company asks for any personal information or asks for money as a consideration walk away.
  • Use caution when considering jobs that come across social media sites: Scammers are known to prowl social media sites.
  • Google is your friend. You may save yourself a world of hurt just running a simple search to check out a job offer.

Be careful out there.

Follow Up & URGENT: You have a secure message

Reported January 4 - 5, 2018

Welcome to the new year and new phishing attacks.

In the last couple of days Fresh Phish has seen some incredibly shiny lures in our inboxes. The two that follow really made us sit up and take notice.

The first message really is a first: The first Docusign phishing message we have seen.

For those who are not familiar with Docusign, it's a service that lets you exchange and sign documents with digital signatures. So if you have a document that needs to be signed by someone in another city, state, or even another country, you can use digital signatures to complete your business electronically.

The Docusign phish (Message 1) looks legit. If you commonly do business online, it may very well fool you. It is clean, professional and extremely tempting to click the button to "Review Document". In fact, it is among the best phishes we have ever seen.

Expert Phish Spotters were slow to report this message, which leads us here at Fresh Phish to believe it may have been very tightly targeted. So how did our experts catch this phish before it caught them?

Their carefully honed phishing radar was set off when by noticing that the sender and recipient were the same person.

Plus they didn't have any investment business transactions to complete. Yep. That last line was the clincher. Why would anyone send an investment document for your signature if you had no investments to review and sign off on?

The "One Drive" phish (Message 2) is far from well done. It offers a lot of red flags useful in spotting a phish:

  • It comes from One Drive - a service naming error - rather than OneDrive
  • The One Drive service email address is at another university
  • It has been sent to a uga email address rather than a specific person
  • The language used in the body of the message is designed to sound official
  • The link points to a hotel site (likely compromised or bogus)
  • Getting a secure message from One Drive and not an encrypted email via Office 365 should be enough to cause a head tilt

Message 1

Docusign phishing message

Message 2

From: One Drive <onedrivemsg[@]
Sent: Thursday, January 4, 2018
To: username
Subject: URGENT: You have a secure message

(Official looking OneDrive logo here)

 Dear username[@]

You have a message waiting for you within the one drive communications area.

Click here (Link to a hotel site removed for your convenience) to view message     


One Drive Cloud © 2018 . All rights reserved.

Tl;dr -Some of the recent phishing messages in our inboxes have been highly professional. Take time to really look at your messages before responding: Resist the urge to follow the link or click on the button. We know it's hard. Curiosity is a very human trait. But applying a bit of attention and critical thought can save you from the headache of compromised credentials.

Additional Resources