
Office of Information Security

Fresh Phish

As part of our phishing awareness campaign, Fresh Phish features recent phishing attempts directed at the UGA campus.  These emails have been reported by UGA faculty, staff and students who are alert to the dangers of scams and phishing attacks.

Messages are listed by subject line and date reported. A brief critique of each message is included to help you spot the red flags - the features found in most phishing emails - and the common patterns that can alert you to the potential dangers in your inbox.

Every once in a while you will notice that the name of the sender has been changed in an example. Why? It was a real person. And there's no reason to be mean or point fingers. Just imagine your name in place of "User Name" and you will understand why we chose to make the switch.

For some not-so-Fresh Phish, visit the Fresh Phish Archive for 2015 or 2016 where we have older examples of phishing email so you can see how phishing attacks get re-used.


UGAAlert

Reported on 3/7/2018

Is this email "legit"? Nope. Not one eentsy bit.
 
  • The entire message is run together - it's one big sentence.
  • Take a look at all those random capitalizations - they are all over the place.
  • The language is off - "wait for respond from our Help-desk Service Team".
  • The terminology is wrong - we use UGA Alert for a specific reason, and our Help Desk is not hyphenated.
  • EITS won't ask you to verify / validate your account.
  • EITS won't threaten you with account closure.
  • Plus - take a look at the last phish we posted. It is almost identical to this one.

    From: User Name
    Sent: Wednesday, March 7, 2018 4:22 PM
    Subject: UGAAlert

    Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <we removed the link to a bogus page> for verification to avoid account closure, wait for respond from our Help-desk Service Team.



    Thank you,

    Enterprise Information Technology Services (EITS)
    University of Georgia
    help-desk[@]uga.edu <mailto:help-desk[@]uga.edu>

A big thank you to all the amazing Phish Spotters who sent this message in to abuse@uga.edu so we could get the word out to the rest of campus! You're the best.

 

Administrator Team

Reported on 2/26 - 27/2018

Sweet whole wheat biscuits! Our Expert Phish Spotters were all over this message.

Y'all have done Fresh Phish proud. Keep up the good work. Each time one of you reports a phish, you help keep UGA systems and accounts - yours included - safer.

Let's take a good look at a copy of the actual message. It's a classic phish with the top 6 red flags:
 
  1. "Dear UGA User" (You are not addressed by name.)
  2. Strange run-on sentences.
  3. A deadline (implied as right now or we will close your account.)
  4. Implied account closure.
  5. A 'hidden link' behind "Click Here" (EITS uses full link text that you cannot click.)
  6. No contact information for EITS.
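To see how those six red flags can be turned into a mechanical check, here is an added example (not UGA or EITS code) that scores a message against them, plus the sender-equals-recipient tell from later messages on this page. The two sample emails, the phone number and the link target are constructed; the 30-word run-on threshold is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str          # plain text; links written as [label](url)
    signature: str = ""


# Flag 1: generic salutation instead of the recipient's name
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(uga\s+)?(user|customer|account\s+owner)\b", re.I | re.M)
# Flag 3: explicit or implied deadline ("to avoid account closure" = do it now)
DEADLINE = re.compile(
    r"\b(immediately|urgent(ly)?|right\s+now|within\s+\d+\s+hours?|"
    r"as\s+soon\s+as\s+possible|to\s+avoid\s+account\s+closure)\b", re.I)
# Flag 4: threat of losing the account or mail service
CLOSURE = re.compile(
    r"\b(account\s+closure|close\s+your\s+account|suspended|restricted|"
    r"not\s+be\s+able\s+to\s+send\s+or\s+receive)\b", re.I)
# Flag 5: a link hidden behind generic click-bait text
HIDDEN_LINK = re.compile(
    r"\[(click\s+here|view\s+(document|message)(\s+now)?)\]\(([^)\s]+)\)", re.I)
# Flag 6: a real EITS signature carries a phone number or a uga.edu address
CONTACT_INFO = re.compile(r"\(\d{3}\)\s*\d{3}-\d{4}|[\w.-]+@uga\.edu", re.I)

RUN_ON_WORDS = 30   # assumption: a sentence this long reads as a run-on


def red_flags(msg: Email) -> list[str]:
    """Return the names of the red flags found in one message."""
    flags = []
    if GENERIC_GREETING.search(msg.body):
        flags.append("generic greeting")
    # Flag 2: drop link targets first so a "." inside a URL does not end a sentence.
    plain = re.sub(r"\]\([^)]*\)", "]", msg.body)
    sentences = [s for s in re.split(r"[.!?]+", plain) if s.strip()]
    if any(len(s.split()) > RUN_ON_WORDS for s in sentences):
        flags.append("run-on sentence")
    if DEADLINE.search(msg.body):
        flags.append("deadline")
    if CLOSURE.search(msg.body):
        flags.append("account closure threat")
    if HIDDEN_LINK.search(msg.body):
        flags.append("hidden link")
    if not CONTACT_INFO.search(msg.signature):
        flags.append("no contact info")
    # Extra check from the later Fresh Phish posts: sender equals recipient.
    if msg.sender.strip().lower() == msg.recipient.strip().lower():
        flags.append("sender is recipient")
    return flags


def verdict(msg: Email, threshold: int = 3) -> str:
    """Rough triage: three or more flags and the message is treated as a phish."""
    return "phish" if len(red_flags(msg)) >= threshold else "probably legitimate"


# Constructed sample modelled on the "Administrator Team" phish above
# (the link target is a placeholder, not the real one).
PHISH = Email(
    sender="username@uga.edu",
    recipient="username@uga.edu",
    subject="Administrator Team",
    body=("Dear Uga User,\n\n"
          "Dear UGA User our database shows that Your Account was recently "
          "signed in from a unknown Location, please "
          "[Click Here](http://phish.example.invalid/verify) for verification "
          "to avoid account closure, wait for respond from our Helpdesk "
          "Service Team."),
    signature="Warm Regards,\nHelpdesk Administrator.",
)

# Constructed legitimate-looking notice for comparison (phone number is made up).
LEGIT = Email(
    sender="helpdesk@uga.edu",
    recipient="jane.doe@uga.edu",
    subject="MyID password expiration",
    body=("Dear Jane Doe,\n\n"
          "Your MyID password will expire on March 15. Please change it before "
          "then by typing the MyID address into your browser yourself."),
    signature="EITS Help Desk\n(706) 555-0100\nhelpdesk@uga.edu",
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        print(m.subject, "->", verdict(m), red_flags(m))
```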

 

From: User Name
Sent: Tuesday, February 27, 2018 2:25 PM
Subject: Administrator Team

Dear Uga User,

Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <We removed the link to a fake page at a webhosting> for verification to avoid account closure, wait for respond from our Helpdesk Service Team.


Warm Regards,
Helpdesk Administrator.

Now, just for fun, let's translate this message into Phisher-speak:

 

Hey you. Yeah, we don't know your name and we don't care,

We are lying to you to try to convince you that someone else signed in to your account from... someplace. We can't be bothered to make up a place. So, just trust us and click the link, m'kay?

Then you can give us your credentials. We will lie to you again, to make you panic by threatening to close your account.

Then you can wait for us to get back to you. As if.

Warm Regards,

The Bad Guys

Those bad guys are soooo disrespectful. Phishers gonna phish.

 

Account Payable Share A File With You

Reported 2/27/2018

Okay. So you get an email that says "Account Payable" has shared a document with you (just like our example). What is the first thing you would do?
 
An Expert Phish Spotter would take one look at this email and delete it without a second thought. Why?
 
  1. First, the title of the attachment. It is poorly written. And unless you are expecting something from Accounts Payable at UGA, the attachment is clearly a lure.
  2. And many Expert Phish Spotters know that ".msg" files as attachments often hide malicious software.
  3. Next, the sender (we removed his name to protect the mostly innocent) is at another university. Why would a UGA business office send you something through another university's email system?
  4. Uh-oh. You are not directly addressed by name. "Dear Uga User" could be anyone. Plus the "Uga" part is all wrong.
  5. The language used in the body of the email is just plain wrong.
  6. Mousing over the View Document link would reveal a OneDrive file link.
  7. And what about that signature? Don't get us started on the unprofessional sign-off!

Be careful out there.

Account payable email attachment 

From: User Name (username[@]adifferent.edu)
Sent: Tuesday, February 27, 2018 10:44 AM
Subject: Account Payable Share A File With You

 

Dear Uga User,

Account Payable sent you an Important and Secured document

View Document <We removed a link to a treacherous OneDrive file.>

 

Enjoy!

  The Office Doc’ Team

 

© 2018 Office doc

Verification

Reported 2/13/2018

Wow. Y'all are amazing! So many Expert Phish Spotters reported this email that Fresh Phish could hardly keep up. A shout out goes to the first Phish Spotter, JS, who reported this attempt Tuesday night - Way to go!

If anyone out there recognizes the bogus webpage with the big blue cloud as a place they filled in their info, please change your MyID password as soon as you can.

Here is a quick review of the major red flags in the message:

  • "Dear UGA Account Owner" (You are not addressed by name.)
  • Strange grammar and punctuation (...you must fill our verification form...)
  • A deadline (...immediately.)
  • Implied loss of service (if you don't fill out the form accurately, your contacts and documents won't be saved.)
  • A 'hidden link' behind "CLICK HERE" (EITS uses full link text that you cannot click.)
  • No contact information for EITS (The UGA Internet Access? Really?)

Let's take a look at the red flags on the bogus webpage, too:

  • The University of Georgia logo is obviously pasted on
  • The site is powered by Weebly - you won't see that on official EITS pages
  • The form fields are poorly labeled (Re-password especially)
  • "Simply fill these form" in the upper right corner

Phishers gonna phish.

From: User Name
Sent: Tuesday, February 13, 2018 7:39 PM
Subject: Verification

Dear UGA Account Owner,

To complete your Account- UGA Webmail email account settings, you must fill our verification form immediately and provide the information requested. To SAVE your contacts and documents in your Mailbox, you are requested to fill in the verification accurately,

********************************************************************
Click on the link below and follow procedures as advised bellow
To Upgrade Your UGA Internet Access Settings! CLICK HERE<link to a bogus page at a webhost has been removed>!
Thank you for your Co-operation.
Copyright ©2018 The UGA Internet Access


Support Privacy
Terms of Service
© 2018 UGA

 

Form on phishing site 

Tax Fraud Season - Warning! Long Post Ahead

Tax fraud is big business. Criminals steal your Social Security number, make fake W2s and file a tax return while claiming to be you. Even if you don't expect a refund you can still be a victim of ID theft and tax fraud.

File your taxes as soon as you can. Beat the bad guys. If you don't, you may end up being the one who has to prove who you are. It can take several months, if not longer, to get your refund back if you get caught up by a scam.

Last year was a rough one - the IRS lost a lot of taxpayer information and Equifax got hit hard in a data breach that affected millions.

2018 Dates to know:

Filing Deadline - In 2018 the official tax deadline is Tuesday, April 17th. (April 15th falls on a Sunday and the 16th is Emancipation Day in Washington D.C.)

Possible Delays - You should also be aware that refunds that claim Earned Income Credit or Additional Child credit are likely to be delayed this year. It seems that criminals love to use those credits for tax fraud, which means more work for the IRS to confirm the credits are legit.

Popular scams to look out for in 2018:

Tax relief scams - These don't seem to be as big this year, but if someone offers to reduce your taxes be alert to scams. Especially if money needs to be paid up front (the scammers will take it and run). If you need to use a tax relief business, check them out thoroughly first.

Federal Student Tax – Did you receive a bill for the Federal Student Tax this year? No? Good, because it doesn’t exist. Be prepared. You may be contacted by scammers if you are a student or the parent of a student.

Phishy Tax Preparers - Criminals may claim to be Tax Preparers to trick you into giving away your personal information. If you get an unsolicited email from a tax preparer, avoid clicking on links or opening attachments. Just delete the message. Also, if any tax preparer asks you to pay cash for part or all of your taxes, that's a huge red "it's-a-scam" flag.

Fake IRS Agents

Every year criminals posing as IRS agents call and attempt to scare you into complying with their demands. Don't be fooled! If there is a problem, the IRS almost always makes first contact by sending a letter through the US mail.

Have you gotten a call from a bogus IRS agent? Scammers like to use common names like John Jackson, Mike Smith or Anne Jones when posing as IRS agents. If they give you a badge number, they’ll often say it too fast for you to jot down. How do you tell the real agents from the fake ones?

Real IRS agents will not:

  • leave a phone message demanding immediate payment
  • use intimidation or threaten to have you jailed, deported or otherwise detained
  • ask for a specific type of payment (cashier's check, cash, money order, bank transfer, prepaid debit card, wire transfer, gift card etc.)
  • ask you to pay over the phone with a credit card or debit card
  • call you to verify tax information or personal details
  • ask for your social security number in an email, text or phone call
  • ask for your bank account number in an email, text or on the phone
  • call to let you know you are eligible for a huge refund
  • email you telling you to update your e-file account
  • direct you to a webpage that begins with anything other than https://www.irs.gov or https://www.irs.gov/ (be alert to bogus sites like irsgov.com, irs.com, irs.net or irs.gov.com)
  • send you a tax transcript you did not request (getting one may indicate you're an ID theft victim)
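The "begins with https://www.irs.gov" rule is easy to get wrong by eye, so here is an added example (not IRS or UGA code) that checks a link's real host with Python's URL parser and names the lookalikes the list above warns about. The sample links are constructed; the evil.example host is a placeholder.

```python
from urllib.parse import urlsplit

IRS_DOMAIN = "irs.gov"


def _host(url: str) -> str:
    """Lower-cased host of a URL; urlsplit().hostname drops any 'user@' prefix."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")


def is_irs_url(url: str) -> bool:
    """True only for https links whose host is irs.gov or a subdomain of it."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False                      # http://, ftp:// or no scheme at all
    host = _host(url)
    # A real subdomain must END with ".irs.gov"; irs.gov.com and
    # www.irs.gov.evil.example both fail this test.
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def classify_irs_link(url: str) -> str:
    """Explain why a link does or does not count as the IRS site."""
    host = _host(url)
    if is_irs_url(url):
        return "genuine IRS site"
    if host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN):
        return "IRS host but not https"
    if "irs" in host:
        return "lookalike domain"         # irsgov.com, irs.com, irs.net, irs.gov.com
    return "unrelated site"               # includes https://www.irs.gov@evil.example


# Constructed links; the lookalikes are the ones named in the list above.
SAMPLES = [
    "https://www.irs.gov/refunds",
    "https://irs.gov/",
    "http://www.irs.gov/",
    "https://irsgov.com/refund",
    "https://irs.com/",
    "https://irs.net/",
    "https://irs.gov.com/",
    "https://www.irs.gov@evil.example/login",
    "https://www.irs.gov.evil.example/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:45} {classify_irs_link(u)}")
```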

Criminals often spoof phone numbers so your caller ID might display the correct IRS phone number or ID when a scammer calls. Bogus IRS calls happen so frequently that the IRS has an "IRS Impersonation Scam Reporting" website.

Talk to older family members about fake IRS calls. Criminals won't hesitate to bully older family members into complying with their demands.

Filing Online - Be super careful when filing your taxes online. Only do it on a secure computer connected to a secure network. Unencrypted connections can easily be intercepted by crooks who are watching for them. The crooks insert themselves into your transaction and grab your personal information without alerting you to the attack. So, no filing your taxes at the local coffee shop, even if you really need the caffeine.

Tips for avoiding tax time scams:

File your taxes early! Get your refund in before the criminals do. Even if you owe taxes this year, the criminals can file a fake return that may launch an IRS investigation. Protect yourself.

Be alert to the fact that successful early filing does not guarantee that your personal information is safe.

Use the "Where's my Refund?" tool at the IRS site to track the status of your refund.

Consider getting an Identity Protection PIN (IP PIN) from the IRS if you qualify. Use your IP PIN along with your Social Security Number to make filing your taxes more secure.

Know your rights as a taxpayer. Didn't know you had any? Check out the Taxpayer Bill of Rights for more information.

Stay informed. The IRS has a page about Tax Scams and Consumer Alerts and a Google search will get you a lot of information.

Other actions:

Get a phishy email? - If you get an email claiming to be from the IRS you can forward it to phishing@irs.gov

Think you're a victim of ID Theft? - Tell the IRS right away! File a form 14039 to report the theft of your identity. The IRS will send you a letter with follow up instructions (it can take a while.)

Phony IRS Agents? - Report the call to the Treasury Inspector General for Tax Administration (TIGTA) via their IRS Impersonation Scam Reporting web page or call (800) 366-4484.

Let the Federal Trade Commission (FTC) know via their FTC Complaint Assistant. Include "IRS Telephone Scam" in the notes to let the FTC know what’s up.

Tl;dr - Protect your identity and your refund this tax season. Don't fall for scams or fake IRS agents and file your taxes as soon as you can.

 

Something went wrong : update your payment method

Reported February 3, 2018

Let's start with a shout out to LJ, who was the first person to report this email. Thank you, LJ!

Netflix scams are pretty common. This particular one is similar to one that has made the rounds at least once before.

A close look at this message should set off your phishing alarms. Starting at the top:

  • The message is from Service at a site called prime-excel - not from Netflix
  • Don't you think it's strange that they want your money, but don't know your name? - "Dear Customer" is a tip off that the message is a phish.
  • Read the body of the email carefully:  The writing is a bit wonky, don't you think?
  • "visit [the URL] to Netflix ..." -  Does that seem like something a real company would write? - Clicking the link will take you to a fake login page where the phishers will collect your user name and password and pass you to a form where you can give away your credit card information too.
  • That 1-888 phone number is not the Netflix Help Center number. - the phishers are counting on you just calling the number. They will pretend to be Netflix if anyone calls.

If you are worried about the email, open a new window in your browser, type Netflix.com in the search bar and log in as normal.

Or you could just Google "Netflix scam" and find out all about this email and others like it.

From: Service [mailto:service[@]prime-excel.com]
Sent: Saturday, February 3, 2018 7:03 PM
To: User Namer <usernamer[@]uga.edu>
Subject: Something went wrong : update your payment method

NETFLIX Team Service
Please update your payment method


Dear Customer,


Sorry for the interruption, We were unable to bill your membership for the current month. To ensure that the service will not be interrupted, visit www.netflix.com/update-accountpayment  [We removed the shortened link that pointed to a bogus page designed to steal your payment info] to Netflix then you will be prompted to update your payment method.


Need help ? Were here if you need it. Visit the Help Center or contact us now.


Your friends at Netflix


Questions? Call 1-888-811-9842


This account email has been sent to you as part of your Netflix membership. We may also send email about enhancements to the Netflix service, tips for getting the most out of your Netflix membership, and special offers. To change your email preferences at any time, please visit the Communication Settings page for your account. Please do not reply to this email, as we are unable to respond from this email address. If you need help or would like to contact us, please visit our Help Center at help.netflix.com. This message was mailed to you by Netflix. SRC: 12618_7786_1_en_CA Use of the Netflix service and website is subject to our Terms of Use and Privacy Statement. 100 Winchester Circle, Los Gatos, CA 95032, U.S.A. https://help.netflix.com/help

Tl;dr - The phishers are at it again, and they are targeting your Netflix account username, password and credit card information. The phish is recycled, but it is still catching some people off guard.

Phishers gonna phish.

Fresh Phish PSA: Unsolicited Job Offers in Your Inbox

Spring is in the air and graduation is coming up fast; so are bogus job offers. Phishers love to offer bogus jobs at routine times of the year.

Around Christmas we see a lot of Secret Shopper offers. And work from home jobs.

In the spring the bad guys try to tempt soon-to-be grads with prestigious sounding internships or summer work.

How do you spot these scams? Here are a few tips:

  • The phishers reach out to you; sometimes they claim to have found your resume online, or that their attention was caught by your profile on LinkedIn.
  • The money / salary on offer seems just too good to be true.
  • The job description tends to be vague, or the message does not state requirements for education or experience level.
  • The reply-to email address seems odd; it may be a yahoo or gmail address.
  • Just remember, no company is going to offer you a job out of the blue, not even knowing who you are.
  • If the so-called company asks for any personal information or asks for money as a consideration, walk away.
  • Use caution when considering jobs that come across social media sites: scammers are known to prowl social media sites.
  • Google is your friend. You may save yourself a world of hurt just by running a simple search to check out a job offer.

Be careful out there.

Follow Up & URGENT: You have a secure message

Reported January 4 - 5, 2018

Welcome to the new year and new phishing attacks.

In the last couple of days Fresh Phish has seen some incredibly shiny lures in our inboxes. The two that follow really made us sit up and take notice.

The first message really is a first: The first Docusign phishing message we have seen.

For those who are not familiar with Docusign, it's a service that lets you exchange and sign documents with digital signatures. So if you have a document that needs to be signed by someone in another city, state, or even another country, you can use digital signatures to complete your business electronically.

The Docusign phish (Message 1) looks legit. If you commonly do business online, it may very well fool you. It is clean, professional and extremely tempting to click the button to "Review Document". In fact, it is among the best phishes we have ever seen.

Expert Phish Spotters were slow to report this message, which leads us here at Fresh Phish to believe it may have been very tightly targeted. So how did our experts catch this phish before it caught them?

Their carefully honed phishing radar was set off by noticing that the sender and recipient were the same person.

Plus they didn't have any investment business transactions to complete. Yep. That last line was the clincher. Why would anyone send an investment document for your signature if you had no investments to review and sign off on?

The "One Drive" phish (Message 2) is far from well done. It offers a lot of red flags useful in spotting a phish:

  • It comes from One Drive - a service naming error - rather than OneDrive
  • The One Drive service email address is at another university
  • It has been sent to a uga email address rather than a specific person
  • The language used in the body of the message is designed to sound official
  • The link points to a hotel site (likely compromised or bogus)
  • Getting a secure message from One Drive and not an encrypted email via Office 365 should be enough to cause a head tilt

Message 1

Docusign phishing message

Message 2

From: One Drive <onedrivemsg[@]anotheruniversity.edu>
Sent: Thursday, January 4, 2018
To: username
Subject: URGENT: You have a secure message
 

(Official looking OneDrive logo here)

 Dear username[@]uga.edu

You have a message waiting for you within the one drive communications area.

Click here (Link to a hotel site removed for your convenience) to view message     

               

One Drive Cloud © 2018 . All rights reserved.

Tl;dr - Some of the recent phishing messages in our inboxes have been highly professional. Take time to really look at your messages before responding: Resist the urge to follow the link or click on the button. We know it's hard. Curiosity is a very human trait. But applying a bit of attention and critical thought can save you from the headache of compromised credentials.

A Multi-Phish Situation: RFP 336-01-01427; message from Human Resource and U.S. Department Of The Treasury

Reported November 20 - 27, 2017

Fresh Phish hopes y'all had a good Thanksgiving break!

Welcome back to some real awful phishing - awful dangerous that is. Let's take a look at each message.

Message 1: The bad guys did their research. That Federal Employer Identification Number and Federal School Code are totally legitimate. And a sense of legitimacy is what the phishers are going for. The original message had an attachment that was either filled with malware or designed to harvest your personal information. (We didn't click to find out.)

What are the big red flags here?

  1. The message appears to be from a personal email address and not a business email address
  2. Sketchy grammar in the body
  3. Recipient not addressed by name
  4. Telephone numbers do not match the UGA Procurement Office contact numbers

Message 2: A message from Human Resources is a pretty strong lure. Any time an unexpected email arrives from HR - and especially this time of year -  we need to give that email a hard look.

This phish has red flags of its own:

  1. The message claims to be from the UGA domain and not an actual business address
  2. The phishers included a spoofed UGAmail address to fool the system into thinking the phish was legit
  3. Recipient not addressed by name (MyIDs are not generally a substitute for the recipient's name in business email)
  4. The link points to a URL shortening service and a fake page
  5. The copyright notice is included to convince recipients that the message is for real

Message 3: Reality check. Why on earth would the Treasury Department send anyone a random email telling them that they have an ATM card loaded with a quarter of a million dollars waiting to be claimed?

Sure, it would be great. Who doesn't want/need money? But an ATM card? What account number is it linked to? Who owns that account? Oh! so many questions! Okay. Okay. Ignore the questions for now. What are the red flags?

  1. Mr. Fictional Person's email address is at a financial services site
  2. If this were even remotely true, Mr. Fictional Person's email address would be [@]dept.treas.gov or [@]treasury.gov
  3. If the Treasury Office had that much money for you, you can bet they would know your address
  4. They are asking for personal information
  5. They are asking for money
  6. The Treasury Office might use a private courier service, but would they refer to the service by two different names (is it DIAMOND EXPRESS COURIER or ROYAL EXPRESS LOGISTICS?)
  7. Mr. Other Fakeperson's email address is associated with a web service in China
  8. Where is the rest of Mr. Fictional Person's "U.S. Department Of The Treasury" contact information?

Watch out for scams, y'all! Think things through and be critical of the content. Don't hesitate to question an email message. It may turn out to be legitimate, but finding that out is better than allowing online criminals to infect your computer or steal your identity.

You're on the hook for online safety. Phishers gonna phish. 

Message 1

From: aperson[@]uga.edu<mailto: aperson[@]uga.edu>
Sent: Monday, November 20, 2017 10:58 AM
Subject: RFP 336-01-01427
(Attachment removed)


Federal Employer Identification Number: 58-6001998
Federal school code (001598)


Hello,


Find the attached RFQ and Tax exemption certificate, have it process and get back to us as soon as possible


University Of Georgia Procurement Dept
A Person in the Procurement Office
Another Person in the Procurement Office
T: (706)-247-7004
F(706)-583-8162
 
Message 2
From: "uga.edu<unsecure uga.edu web link>" <username[@]uga.edu>
Subject: 1 message from Human Resource
Date: November 24, 2017 at 11:20:10 AM EST
To: UserName[@]uga.edu<mailto:username[@]uga.edu>

Dear UserName[@]uga.edu

You have a message from the Human Resources Department.

Click here to view your message [Removed a bogus link to a URL shortening service.]

Copyright © 2017,University Of Georgia| All rights reserved.
 
Message 3

From: Mr. Fictional Person <info[@]afinancialservice.com>
Sent: Monday, November 27, 2017 6:33 PM
Subject: U.S. Department Of The Treasury

U.S. Department Of The Treasury
1500 Pennsylvania Avenue, NW
Washington D.C. 20220 USA.


NOTE: If you received this message in your SPAM/JUNK folder, that is because of the restrictions implemented by your Internet Service Provider.
We urge you to treat it genuine urgency......


This is to bring to your notice that you have a registered ATM CARD of ($2,500,000 usd) available for pickup with DIAMOND EXPRESS COURIER customer service with registration code (2921139396). Please Contact us with your delivery information:


1. Your Full Name................
2. Your Telephone No..........
3. Your Country................
4. Your Home Address........


ROYAL EXPRESS LOGISTICS

Name: Mr. Other Fakeperson
E-mail: diamondexp[@]awebserviceinchina.net


The Insurance & Delivery fee has been completely footed. You are hereby required to ONLY pay a Security Keeping fee of $250 only. Please indicate the registration Number as stated above while providing them with your Address and Phone number for your delivery.


Best Regards
Mr. Fictional Person
U.S. Department Of The Treasury

Tl;dr - End-of-year business processes, HR notices (especially around tax time) and monetary inducements are all standard lures for phishing. Be careful to always review phone numbers and contact email addresses. If needed, use your internet skills to locate and use independently confirmed contact information to make sure any suspicious emails are legit before responding.

 

Payroll Schedule Message.

Reported on November 15, 2017

Well. The phishers are at it again.

In this short but sweet phishing attempt the bad guys are using our payroll money as a lure. Any of us who have worked for the University know that payroll scheduling can be affected by our holiday schedule. That makes this phish a particularly nasty one.

If anyone clicked through - and sadly at least one person did - they would have landed on a page that looked exactly like the CAS login page. The only way to tell the page wasn't legit was to check out the URL. It started with an "https://" but the rest of the web address was totally wrong.

Just imagine how the phishers wanted to make us feel:

Whaddaya mean I have a payroll schedule message?

What the heck does that even mean!?!

Nobody better be messing with my payroll! Thanksgiving is next week and I really need that money to travel / get ready for guests / make dinner!

I've got to click right NOW!

Whew. You can almost feel that panic.

Fortunately our expert phish spotters knew it was a phish before clicking the link. How did they know?

  1. Payroll notices don't come from University of Georgia at an "info" email address
  2. UGA payroll doesn't use links like "View Message Now"
  3. Our phish spotters know where to go to check up on their payroll (We bet you do, too!)
  4. Payroll messages don't carry 'University of Georgia' as their signature line

From: University of Georgia, <info[@]uga.edu>
Sent: Wednesday, November 15, 2017 2:31 PM
To: User Name <username[@]uga.edu>
Subject: Payroll schedule message.


You have 1 new Important Schedule message regarding your payroll

View Message Now. (We removed the link that was here. It pointed to a bogus - but legitimate looking CAS sign in page.)

University of Georgia.

Fresh Phish wishes you a happy holiday: Travel safe next week, Y'all. 

EMERGENCY

Reported November 2, 2017

A lot of phishing attempts succeed because people are people. We don't want to be inconvenienced. We get in a hurry and don't think things through. Some people just can't resist the urge to click a link and see where it goes. All people are vulnerable to phishing attempts - some fall victim to simpler ones, others need a really sophisticated phish to fool them. Heck, those of us at Fresh Phish have gotten trapped in the net at least once.

After getting phished, you learn to look at things more closely. Let's look at today's phish from a phisher's point of view:

"We (the bad guys) are trying to fake you out.

We’re lying when we tell you your account is restricted. It’s not. But we really enjoy imagining you in a panic because we fooled you into thinking you were not going to get any more email.  We can just see you giving us your login credentials. And access to all your email, private business in your account and your contacts too.

If you slow down you might notice all the misspellings and how unprofessional the message is. But we know you’re in a hurry. That’s why we send out our phishing messages when you are likely to be busy.

We're betting that you aren’t going to read this message very carefully. In fact we are pretty sure that you'll read the first sentence and then CLICK HERE. Heh, we even 'shouted at you' to get your attention. All caps is so insistent.

Did it work? Ha - ha. Yeah, We totally took advantage of your trust.

Thanks for the access.

Warm regards,

The Bad Guys"

What's the most important point to remember when you receive an email like this one?

EITS will never ask you to verify your credentials in an email message.

From: User Name <username[@]uga.edu>

Sent: Thursday, November 2, 2017 10:17 AM

To: Same User Name <username[@]uga.edu>

Subject: EMERGENCY

Your Email Access have been restricted, An Attempt has been made to sign-In your account from a new computer, If you do not validate your account within 24 Hours, You will not be able to send or receive new mail until you re-validate your mailbox.prior to maintain your INBOX. CLICK HERE (the link pointed to a free website resource so we removed it.) to Verify.

 Warm Regards,

Webmail Administrator

An observation: A lot of email marketing studies have been done on the best time to send email. Turns out that Tuesdays and Thursdays, around 10AM are two of the best times to get someone to open an email message. Not only that, those are two of the best click-through times (for people to follow links.)

The phishers know this stuff too. If you want to learn more, just Google “best time to send emails.”

tl;dr - An unsophisticated phish doesn't mean an unsophisticated phisher. Phishers often leverage human behavior and marketing techniques to trap us in their nets.

 

Your University of Georgia Email Account Has Been Suspended and Important Security Issues or Lather, Rinse, Re-Phish

Reported October 30, 2017

Okay, all Y'all. Today's phish is a repeat of the one from October 16th - except for a new bogus website hiding behind a legit-looking link to The University of Georgia homepage.

We see these phishes over and over. Why? Because they work!

Busy folks see an official looking email and respond without giving it a good think. Phishing emails that have urgent sounding subject lines or messages are very likely to get a response. They are especially effective if you are tired, busy, in a hurry and liable to be caught off guard. (Sound like anyone you know?)

Unfortunately, at least two of our own were caught in the net and all their contacts are getting the same shiny lure. Don't let the phishers phake you out!

Message 1

From: User Name <user.name[@]uga.edu>
Date: Monday, October 30, 2017 at 8:15 AM
To: User Name <user.name[@]uga.edu>
Subject: Your University of Georgia email account has been suspended


The University of Georgia


Security Alert , Monday, 30 October 2017

Your University of Georgia email account has been suspended. You must verify it immediately or your account will be closed or wouldn't be able to send or receive mail.

click link to verify: http://www.uga.edu (Link to a spoofed site removed for your safety.)


Regards
Copyright © 2017 University of Georgia

Message 2

 

From: User Name <user.name[@]uga.edu>
Sent: Monday, October 30, 2017 7:57 AM
To: User Name <user.name[@]uga.edu>
Subject: Important Security Issues


The University of Georgia Logo

Security Alert , Monday, 30 October 2017

Your University of Georgia email account has been suspended. You must verify it immediately or your account will be closed or wouldn't be able to send or receive mail.

click link to verify: http://www.uga.edu  (Link to a spoofed site removed for your safety.)


Regards
Copyright © 2017 University of Georgia

Fresh Phish has a handy list of the common phishes under our Phish Wrap post from earlier this year. Take a look to familiarize yourself with them.

Many of our Expert Phish Spotters reported these phishing attempts. (Thank you to DC and CR, who were the first to report these two emails.)

 

SUPPORT, an Unusual Login Attempt and more SUPPORT

Reported October 20, 2017

It's phish Phriday! Or at least that's what the phishers think.

Let's take a look at the three messages that are hitting UGAMail boxes hard today.  What do you notice about them?

Right! They are all very similar. The wording varies slightly from message to message, but the intent is the same. Online bad guys are trying to steal your UGA login credentials.

The big things to look at are:

  • Who sent the message? It wasn't the EITS Help Desk.
  • Are the senders affiliated with the EITS Help Desk? Nope. (We looked them up before removing their names, so trust us, okay?)
  • Are you addressed by name in the message? No.
  • Is there an official signature and contact information included at the bottom of the message? Uhn uh.

There are other clues that indicate each of these messages is a phish. Most of them come down to poor grammar, misspellings and awkward sentence construction. In short, the messages just are not structured like business email.

Message 1

From: User Name <username[@]uga.edu>
Sent: Friday, October 20, 2017 3:41 PM
Subject: SUPPORT

Your e-mail account was LOGIN today by Unknown IP address, Click on the Administrator link below and LOGIN to validate and Verify your e-mail account or your account will be temporary block for sending more messages. CLICK HERE [we removed the link to a truly awful web form] to validate.

Message 2

From: User Name <username[@]uga.edu>
Date: Friday, October 20, 2017 at 1:12 PM
Subject: Unusual Login Attempt

Your e-mail account was LOGIN today by Unknown IP address, click on the Administrator link below to validate your e-mail account or your account will be temporary block for sending more messages.

CLICK HERE [the link to a webform on a free hosting service has been removed. Don't forget: EITS won't hide a link behind words like "CLICK HERE" ]

Message 3

From: "User Name" <username[@]uga.edu>
Date: October 20, 2017 at 3:39:44 PM EDT
Subject: SUPPORT

Your e-mail account was LOGIN today by Unknown IP address, Click on the Administrator link below and LOGIN to validate and Verify your e-mail account or your account will be temporary block for sending more messages. CLICK HERE [yet another bogus link removed for your protection!] to validate.

EITS does send out emails on occasion, but the Help Desk definitely did not send any of the messages used as examples in this entry.

Join the ranks of our Expert Phish Spotters! If you get an email that looks funky you can send the message on to abuse@uga.edu for investigation.

Phishers gonna phish.

 

Your University of Georgia Email Account Has Been Suspended.

Received October 16, 2017

Don't you just hate it when you log in to your email between classes and find out that your account has been suspended? Especially when you have to "verify it immediately or your account will be closed" or locked.

So what should you do when you get an email like that? Report that phish!

That's what it is, after all. EITS will not:

  • abruptly and arbitrarily close your account
  • make you verify your account to keep it open
  • link you to a fake webpage pretending to be a UGA site
  • ask you to click a link to verify
  • fail to address you by name
  • fail to provide EITS Help Desk information

This phish is a pretty good one, all things considered. But it wasn't good enough to fool our Expert Phish Spotters. It made us smile to see pages and pages of this phish being reported.

The link in the message looks legit, but it's not. The only way to tell without clicking through to a potential phish trap is to position your mouse over the link to reveal the actual destination (on a phone or tablet, press and hold the link instead). Trust us. It's not a real UGA website.

We have included a screen shot of the body of the phish.

Bogus security alert

It's awfully small, so if you want to take a closer look, we have a link to a much bigger version of the phishing message.

The text of the message follows:

From: User Name
Sent: Monday, October 16, 2017 10:46 AM
To: User Name <user.name@uga.edu>
Subject: Your University of Georgia Email Account Has Been Suspended.


The University of Georgia

Security Alert , Monday, 16 October 2017

Your University of Georgia email account has been suspended. You must verify it immediately or your account will be closed or wouldn't be able to send or receive mail.

click link to verify: Bogus link claiming to be at UGA [Link removed, of course.]

Regards
© 2017 University of Georgia

Fresh Phish sends a shout out to CC, the first to start the flood of reports. Way to go! And way to go to all our other Expert Phish Spotters. I wish we had the space to list you all.

Phish Spotters Assemble!

Reported October 9-10, 2017

Oh. Wait. You already have! Kudos to you all.

Our Expert Phish Spotters are kickin' it this morning! We have had nearly 100 reports of the following phish:

Subject: UPDATE YOUR EMAIL ACCOUNT IMMEDIATELY.
Date: Mon, 09 Oct 2017 15:30:13 +0100
From: UGA <username@uga.edu>
To: Recipients <sameusername@uga.edu>


Thank your for being part of THE University Of Georgia webmail Services. We're excited to contact your email!

We are currently updating our University Of Georgia Email services, due to this update we sincerely call your attention to follow below link and reconfirm your University Of Georgia email account details.

The "http" link that was included here looked like a UGA link. It actually pointed to a website that had nothing to do with the university.

Thank You
The University Of Georgia

So what gave it away? It's a five alarm phish.

  • It's nice that they thanked you, but they don't seem to know who you are. (You are not addressed by name. That should start the alarm bells.)
  • Sincerity is great, but saying they, "sincerely call your attention to follow below link" should set off more alarm bells. (Strange syntax and grammar.)
  • EITS knows your email account details. No reminder is needed. (What's that sound? Alarm bells!)
  • Even if EITS needed you to provide some additional information, they wouldn't ask for it in an unsecure way. (That fake URL pointed to an http web address and NOT an https -secure- address. Omigosh, Poe was right. Brazen bells!)
  • That signature line is all kind of wrong. (Those alarm bells should be super loud now!)

Plus EITS will never use all caps to shout at you in a subject line.

Phishers gonna phish, y'all.

Oldies but Baddies: Classic – But Still Dangerous - Phishing Messages

Reported September 18-22, 2017

A whole school of phishing messages has come to our attention this week:

  • Did you get an email that told you to “UPDATE YOUR UNIVERSITY OF GEORGIA IMMEDIATELY.”?
  • What about an “Account Notification !!” that told you your mailbox was full?
  • Or that you “Have a new Blackboard message(s)” ?

If you did, an online criminal is trying very hard to phish you.

(A shout out to B.A., L.P. and F.B. for being the first of our Expert Phish Spotters to catch and report these emails.)

Earlier this year we did a Phish Wrap – a review of the most common phishing messages we received in 2016 – dividing phishing messages into types. While the list is not exhaustive, it covers dozens of messages and variants that you can expect to see over and over again.

We are seeing a lot of these messages hit campus again.

Why do the bad guys keep re-using messages like these? Because they work! For every 1000 or so phishing emails, there will be 100 or more people who click the links, fill out the forms, respond with personal information or download a malware-filled attachment.

So, Fresh Phish recommends you visit our Phish Wrap entry and get a feel for phishing. We invite you to copy and paste the list into a doc, or print it out and keep it handy. At least until you get a good feel for phishing.

Join the ranks of our Expert Phish Spotters!

A Quick PSA: Phishing and Disasters

Phishers like to take advantage of us when we are tired, in a hurry and especially when we are off guard. The bad guys are also experts at using natural disasters, like Hurricane Irma, to profit from our inclination to help others.

Please take time to evaluate any emails or social media posts about Hurricane Irma's aftermath that you receive.

Do your best to make sure that any charities requesting aid are legitimate and well known. Online criminals like to use charity names that sound familiar and are very close to the name of an actual charity, depending on our memories to convince us they are legit.

Be especially careful and on the lookout for website URLs that are almost correct, but on closer inspection don't actually match a charity name. (For example: http://irmarelief vs http://irrnarelief - the second has three 'r's, because the 'rn' reads as an 'm' at a glance.)

Here at Fresh Phish we know that scams that prey on our desires to help are heinous and cruel. We also know that, sadly, they are out there every day.

Anyone working in administrative offices should be on the lookout for business emails that ask for money transfers or personal information, especially employee information. Online criminals may use Hurricane Irma as an opportunity to launch a well researched scam.

Mail on Hold and Cancel De-activation

Reported September 4 through September 14, 2017

Kudos to our Expert Phish Spotters for reporting these two phishing attempts! The bad guys really stepped up their game with these messages and our Experts rose to the challenge.

A little critical thinking and observation goes a long way to keep you safe when you get messages like these. Let's take a closer look, shall we?

Message 1: This message (click the Message 1 link to see a larger image) claims to be from Microsoft and it looks official until you take the time to slow down and evaluate the actual content.

  • The message is sent to a user with a UGAMail address, but the address listed for that user is at KSU. (Why are you getting an email with a ksu.edu address?)
  • It has an official looking logo, but it's easy for the bad guys to steal a logo.
  • The text under the logo says the email contains sensitive information, but in this case, it does not. (That statement is probably there to keep you from alerting the Abuse Team.)
  • If you hover your mouse over the blue button the destination URL that pops up is not a UGA website. (The link has been removed in the example.)

Message 2: This phish (view a larger image by clicking the Message 2 link) is big and bold and scary in an in-your-face sort of way. Don't you just love it when online criminals think that making a button huge and shouting at you in all caps will make you respond?

The big things to note in this email are:

  • UGA uses Microsoft for our email service. (Why is this coming from an Email Team at gmail?)
  • If you hovered your mouse over the ginormous blue button you would see that the destination link is not a UGA site. (We removed the link in our example.)

As usual, these messages also contain red flags; trying to make you react without thinking, telling you to take action and attempting to look and sound official.

Message 1

Office 365 phish

Message 2

Cancel de-activation phish

If you are ever in doubt about an email, if it looks suspicious or just seems off - you are probably right. Trust your instincts.

Phishers gonna phish!

Re: Aug 30

Reported on August 30 and 31, 2017

This little beauty uses a pdf attachment as its lure - if you open the attachment, you are likely to get some very nasty malware. In fact, the pdf attachment is a favored method among online criminals for distributing malware.

Our Expert Phish Spotters were fast to alert us to this suspicious email. Which was a good thing: this attack was targeted at a certain set of staff members, so the distribution of this phishing message was limited. It's what we sometimes call a spear phish: focused on an individual or a small group of individuals with a specific goal in mind. (Unlike a broadcast phish, where the bad guys throw out a wide net to see what they can get.)

The message is short, relaxed and familiar in tone; it's even a little flattering. In fact, it comes across as a colleague asking for a favor. The body of the email reads simply:

Please find attached my new Project. I would like to hear your opinion afterwards.

Thanks,
Username

We used a screen shot for this phish to give you a feel for the actual email with the attachment. If you want a closer look, you can view the phishing email as a full size image.

phish with attachment

University of Georgia - Anti-Spam; UPGRADE YOUR EMAIL ID

Reported on August 15, 2017

 

Students are back, classes are in session and the phishers are trolling for a good catch. Fresh Phish received dozens of reports of these phishing attempts. We're proud of our Expert Phish spotters. Thanks, Y'all!

In the high pressure atmosphere of the first week of classes broadcast phishing attacks are very common. Expect to see a lot of the following types of messages in your inboxes.

As you get them, remember that:

  • EITS does not... need you to validate your account
  • EITS does not... need you to verify your account
  • EITS does not... send you emails like these
  • EITS does not... hide links behind words like "CLICK HERE" in email (We will give you a full URL to copy and paste.)
  • EITS does not... ask for your login credentials in an email or send you to a form where you can fill them in.

Take a few minutes to learn about the red flags of phishing on our Phish Tank page, which offers examples of common phishing scams. Always be on the lookout for odd emails. If you get an email that seems suspicious, you can pass it on to abuse@uga.edu for investigation.

Message 1

From: “User Name” <username[@]uga.edu>
Date: 8/15/17 12:54 PM (GMT-05:00)
To: lnfo[@]uga.edu
Subject: University of Georgia - Anti-Spam

 

Dear UGA User,

Alert from UGA, Our latest IP Security upgrades discovered an irregular Login attempts on your email account earlier today from unknown location with this IP: 214.20.31.87. We recommend that you validate your account to avoid suspension.

CLICK HERE [Link to a fake site removed.]


Thank You.

ITS - Information Technology Services UGA Admin

Copyright © 2017 Admin All rights reserved.

***********

Message 2

From: “User Name” <username[@]uga.edu>

Date: August 15, 2017 at 11:13:25 AM EDT
Subject: UPGRADE YOUR EMAIL ID

Your email will be shut-down due to several negligence of emails regarding mailbox upgrade. To avoid this please click HERE [Link to a bogus UGA site at a free hosting platform removed ] and verify your mailbox.


Warm Regards,


Help-desk Administrator

Multiple Phishing Attempts: NEW MESSAGE FROM MICROSOFT OFFICE 365 (UPDATE YOUR .EDU ACCOUNT); [??SUSPICIOUS??]Email Security Modifications - Effective Immediately!; and This is your final warning... Validate your email account now...


Reported August 3-4, 2017

 
Yow! The phishers are casting their nets far and wide.
 
A shout out to SS, PW and JA for being the first to report these phishing messages. We declare you Expert Phish Spotters!
 
Fresh Phish natters on about the red flags of phishing. Why? Knowing what they are helps you recognize phishing attempts. You can find out about the red flags at the Phish Tank, our phishing page.
 
The red flag highlights in these three messages are:
 
  • You are not addressed by name (Account User and Dear User don't count.)
  • There is a call to action (You have to do something, like download an attachment or visit a website and give away your user name and password, to prevent a loss of service.)
  • There is no direct contact information offered in case you have questions (Nice try with the Microsoft Offices email. And close, but no cigar with ITS Help Desk.)
  • Unprofessional language, grammar and punctuation. (The first one is poorly written; the second shouts at you and is confusing - what is it? review or update?; and the last one threatens you.)

Pro Tips: EITS won't hide a link behind a phrase. We won't ask you to download an attachment to review your account access. We don't have an Office 365 account validation portal. And we know if your account is valid.

Call the EITS Help Desk at 706-542-3106 if you have suspicions about an email. Or forward the email to abuse@uga.edu to learn if it's bogus or legit.

From: User Name <username@anotheruni.edu>
Date: Thu, Aug 3, 2017 at 3:57 PM
Subject: [??SUSPICIOUS??]Email Security Modifications - Effective Immediately!
To: username[@]uga.edu


Dear Account User,

Your Web App has recently been subjected to security modification due to authentication failed by regular Phishing attempt of an incorrect User name that was entered in your account.


Lets make sure it's you! To keep your account secure we need to re-validate your account by clicking on "Secure My Account" [Link pointing to a bogus UGA login screen in Spain has been removed] to verifying/change your password information on the file below to helps protect your account from unauthorized access.


ITS Help Desk

Information Technology Services

=======

From: Office 365 [mailto:clear@soft.com]
Sent: Thursday, July 27, 2017 8:53 PM
To: User Name <username[@]uga.edu>
Subject: NEW MESSAGE FROM MICROSOFT OFFICE 365 (UPDATE YOUR .EDU ACCOUNT)

[Malware-laden attachment removed for your safety!]

Dear User,

Check Attachment for Review.

Thank you,
Mircosoft Office
One Microsoft Way
Redmond, WA
98052-6399 USA

=======

From: User Name <user.name[@]uga.edu>
Date: August 4, 2017 at 7:16:22 AM EDT
Subject: This is your final warning... Validate your email account now...


All Uga.edu [the phishers used an actual link to the UGA homepage just to fake you out] email accounts holders are advised to validate their email account for upgrade, and advance mailbox features by signing into the Office 365 account validation portal [The link to a fake UGA portal at free web hosting service has been removed].

Click the above link to validate your account now or your will be deactivate.. This is your final warning....

tl;dr - Here we go again! Be on the lookout for an increased level of phishing attempts, especially those that target your UGAMail service. EITS knows if your account is valid: you do not need to validate your account with us. And don't open attachments unless you are both expecting them and certain they are legitimate.
 

ReadMe From UGA

Reported on July 31, 2017

This is a classic 'validate your account' phish designed to make you react without thinking.

Phish Spotters know that it's pretty hard to fill up a UGAMail inbox. You get about 50 GB of space, and that's quite a bit - especially if you delete stuff on a somewhat regular basis.

Let's take a quick look at the phishing indicators, or red flags:

  • Sent from someone in Uruguay (Why would UGA send you something from an email address in Uruguay?)
  • Subject line doesn't give you any useful info
  • No recipient named
  • No greeting (You should be addressed by name if an email is legit.)
  • Weird punctuation and capitalization
  • Uses jargon or phrases that sound official (In this case, "exceeded the storage limit defined by the administrator".)
  • Has a call to action (It wants you to do something.)
  • Has a deadline (You have to do something by a certain time, or take a certain action before something else happens.)
  • No full text link (EITS won't hide a link behind "Click to Verify" or any other phrase.)
  • No official sign off or contact info

So what can we conclude? This email is totally bogus! Delete it and move on.

Still not sure? Contact the EITS Help Desk at 706-542-3106. They can tell you if an email is legit or not.

From: Gabriela Sierra [mailto:gabriela.sierra[@]asiteinuruguay]
Sent: Tuesday, August 1, 2017 1:15 PM
Subject: ReadMe From UGA

​​Your mailbox has exceeded the stora​ge limit defined by the administrator and can not Send or receive new messages until you validate your email ​

Click the following link to confirm​ your email

Click to Verify uga.edu [Link to a sketchy tripod site removed for your protection.]


Thank you
UGA Web System Administrator



Sent from uga.edu [Yet another bogus web link designed to fake you out.]

We can expect to see more messages like this as the academic year ramps up.

Phishers gonna phish!
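The red-flag checklist above is something a person works through by eye. The same checklist can be written down as code and run over a message, which makes it clear how many independent signals a phish like ReadMe From UGA trips at once. The block below is an added example, not code from the Fresh Phish page or any EITS mail filter: the two sample messages are constructed (the first follows the ReadMe phish quoted above, the second is an invented, legitimate-looking Help Desk note), and the word lists, the contact-info pattern and the three-flag threshold are assumptions chosen for illustration.

```python
"""Score an e-mail against the Fresh Phish red-flag checklist.

Added example; not code from the Fresh Phish page or any EITS filter. The
sample messages are constructed; the word lists and threshold are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed patterns, one per red flag on the page's list.
URGENCY = re.compile(
    r"immediately|within \d+ hours|final warning|right now|until you (re-?)?validate"
    r"|or your (account|mailbox) will be|suspended|deactivat|closure|restricted",
    re.I,
)
HIDDEN_LINK = re.compile(r"\b(click here|click to verify|sign in|review_here)\b", re.I)
GENERIC_GREETING = re.compile(r"^(dear (uga |account )?user|hello friends|attention)", re.I)
PERSONAL_GREETING = re.compile(r"^(dear|hello|hi)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(validate|verify|re-?validate|confirm)\b.*\b(account|mailbox|email|password)\b", re.I
)
CONTACT_INFO = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")  # e.g. the Help Desk phone number
CLAIMS_UGA = re.compile(r"\buga\b|university of georgia", re.I)
PHISH_THRESHOLD = 3  # assumption: three independent flags is enough to report it


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


def sender_domain(addr: str) -> str:
    """Everything after the last '@', lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def red_flags(msg: Message) -> List[str]:
    """Return the checklist items this message trips, in checklist order."""
    flags = []
    text = msg.subject + "\n" + msg.body
    if msg.sender.lower() == msg.recipient.lower():
        flags.append("sender address is the same as the recipient address")
    dom = sender_domain(msg.sender)
    if CLAIMS_UGA.search(text) and not (dom == "uga.edu" or dom.endswith(".uga.edu")):
        flags.append("claims to be UGA but was sent from %s" % dom)
    if msg.subject.isupper():
        flags.append("subject line shouts in all caps")
    first = next((ln.strip() for ln in msg.body.splitlines() if ln.strip()), "")
    if GENERIC_GREETING.match(first):
        flags.append("generic greeting instead of your name")
    elif not PERSONAL_GREETING.match(first):
        flags.append("no greeting at all")
    if URGENCY.search(text):
        flags.append("urgency or a deadline")
    if HIDDEN_LINK.search(text):
        flags.append("link hidden behind a phrase")
    if CREDENTIAL_ASK.search(text):
        flags.append("asks you to validate or verify an account")
    if not CONTACT_INFO.search(msg.body):
        flags.append("no Help Desk contact information")
    return flags


def verdict(msg: Message) -> str:
    return "likely phish" if len(red_flags(msg)) >= PHISH_THRESHOLD else "no obvious red flags"


# Constructed sample 1: follows the ReadMe From UGA phish quoted above.
README_PHISH = Message(
    sender="gabriela.sierra@example.invalid",
    recipient="username@uga.edu",
    subject="ReadMe From UGA",
    body=(
        "Your mailbox has exceeded the storage limit defined by the administrator "
        "and can not Send or receive new messages until you validate your email\n\n"
        "Click the following link to confirm your email\n\n"
        "Click to Verify uga.edu\n\nThank you\nUGA Web System Administrator"
    ),
)

# Constructed sample 2: an invented, legitimate-looking Help Desk note
# (the ticket URL and number are made up for this example).
HELPDESK_NOTE = Message(
    sender="helpdesk@uga.edu",
    recipient="jane.doe@uga.edu",
    subject="Your ticket 12345 has been updated",
    body=(
        "Dear Jane Doe,\n\nA technician has replied to your ticket. The full URL "
        "is https://helpdesk.uga.edu/tickets/12345\n\nEITS Help Desk\n706-542-3106"
    ),
)

if __name__ == "__main__":
    for m in (README_PHISH, HELPDESK_NOTE):
        print(m.subject, "->", verdict(m), red_flags(m))
```

Run as-is, the ReadMe sample trips six of the flags (no greeting, a non-UGA sender claiming to be UGA, a deadline, a hidden link, a validate-your-account request and no contact information) while the constructed Help Desk note trips none. The point is not that a regex list catches every phish; it is that a real phish rarely trips only one item, so counting flags is a sturdier habit than looking for a single giveaway.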

All UGA staff and student should validate email account!!!

Reported on July 31, 2017

Welcome to the first wave of phishing for the new academic year. It's good to have you back, Phish Spotters! If the number of reports we got of this phish are any indication, you are off to a great start.

Phishers know about our academic calendar -it's online, after all - and will try to use it to their advantage. With a lot of incoming students and new staff, the Bad Guys will take this opportunity to catch a bunch of shiny new credentials.

This is a fairly standard phishing attempt and it features all the typical things we look for in a phishing message:

  • Wants you to take action (Examples: validate your account immediately, reply at once, upgrade now.)
  • Has a close deadline for acting (Examples: now, immediately, within 24 hours, today. Sometimes the deadline is implied and not actually given.)
  • Features poor grammar and spelling (Examples: All Uga student and staffs, we advice you, we are contact you, until you are approve and validate.)
  • Threatens to remove access to a service (Examples: email, online banking, a social networking site, PayPal)
  • Tries to trigger an emotional response — such as panic — to goad you into responding with the information they request.

Subject: All UGA staff and student should validate email account!!!
Date: Mon, 31 Jul 2017 08:56:11 -0400
From: Fake Username <fakeuser@uga.edu><mailto:fakeuser@uga.edu>



Hello friends..

All Uga student and staffs are advised to validate their email account for upgrade, and advance mailbox features by signing into the Office 365 account validation portal <Link to a fake logon page removed>.

Click the above link to validate your account now or your account will be suspended..

Best..
Fake Username

Remember - if you don't catch the phish, the phish will catch you. Avoid the hook! Become an expert phish spotter today.

Univeristy of Gerogia Announcement

Reported July 5, 2017

Well, Phish Spotters - it's the day after a holiday. We have all been away from campus for a day, or maybe more. It's back to work and a widespread phishing attack.

We have discussed how the online bad guys try to play us in the past. By now we should all expect to see at least one, if not more, phishing messages in our inboxes after a holiday. The phishers try to sneak one past us while we are distracted, in a hurry or just plain not paying as much attention as we should.

The red flags on this one are flying high!

  • "Univeristy of Gerogia"
  • Recipient not named
  • Strange capitalization and punctuation
  • Link not clearly visible
  • Not sent by a specific person
  • No contact information

Some of these messages have "UGA Admin Portal" as the sender while others list an actual person. In either case, it is highly likely that someone on campus has compromised login credentials.

From: User Name <username1[@]uga.edu>
Sent: Wednesday, July 05, 2017 10:47 AM
To: User Name 2 <username2[@]uga.edu>
Subject: Univeristy of Gerogia Announcement.


You have 2 Important messages from your Faculty, view log sheet below;

REVIEW_HERE: (Link removed.)


Regards

Univeristy of Georgia Admin Portal.

Don't forget that you should only provide a username and password on secure sites. Look at the address bar in your browser (on some browsers, URL info shows up in the lower part of the window when you hover over a link):

  • Does the URL start with 'https'?
  • Is there a lock icon to show the login page/site is secure?
  • Is there an information icon you can click on to view site security info?

If the answer to any of these questions is "no", do not provide your credentials; the connection is not secure and your credentials are at risk. But a "yes" is not proof of anything on its own. The lock only means your connection to that site is encrypted - it says nothing about who owns the site, and phishers can get a lock for their own domains just as easily as anyone else. Check the hostname (the part right before the first slash) as well: for a UGA login it ends in uga.edu.

If you think your credentials are compromised, you need to change your password immediately.

Google

Reported June 28, 2017

The bad guys are at it again - this time with a Google Sweepstakes win!

This is a relatively well-crafted phishing attempt using recognized logos. So what gives it away? The following points provide clues to the email's bogusness:

  • The sender's address seems off. (A corporate email would come from a corporate address - something ending in @google.com - not an obscure sequence of letters and numbers at a free mail service.)
  • Has an attachment. (It is, arguably, supposed to be a surprise win)
  • You (the recipient) are not addressed by name.
  • Language is stilted and just plain odd. (Many Google users will know Google does not 'talk' like this.)
  • It was supposedly sent from Google UK. (Why not the US branch of Google?)
  • There is no contact information (There really should be some, since it is supposed to be a corporate email. Even Publisher's Clearing House provides contact info.)

Does Google even have a sweepstakes? Nope! But they do have a page on how to Avoid and report Google scams.

We included an image of the message with these points highlighted. You can click the image to open it in a new window.

[Google logo]

[Gmail envelope logo] Hello,

Google Inc. wishes to inform you that your e-mail account has been selected and therefore has made you one of our winners in the GOOGLE E-MAIL ONLINE SWEEPSTAKES PROMO.

This comes as a result of your active use of our online and ancillary services.

Check attached PDF FILE for your Official NotificationLetter and Claims Instructions.

Congratulations!!!

Google Sweepstakes Team

Google UK.

Google sweepstakes email

What can you do to investigate scams like this one without endangering your devices? Google it! (Kinda ironic, huh?) Turns out this scam has been cropping up for a couple of years. Phishers gonna phish.

Security Notice on UGAMail Account

Reported June 20, 2017

The phishers have turned things up another notch! We have gotten reports of the following email that claims to come from the EITS Help Desk. It does not.

The phishers have done their homework and know UGA pretty well. The message is well crafted. The red flags may be difficult to spot, but they do exist.

  • The recipient is not addressed by name
  • The complete link is not provided -EITS will not direct you to "click here"
  • The language is odd in a few places: "Kindly click here"; "log on to" a page that "will log you in"; "assist us resolve the spam issue";  "your continuing attention to help desk security notice"
  • There is no official Help Desk contact information in the signature

The page was blocked on campus and the hosting vendor (where the website is) was notified. The hosting site has removed the page.

From: EITS Help Desk <helpdesk[@]uga.edu>
Sent: Tuesday, June 20, 2017 7:58 AM
To: User Name <username[@]uga.edu
Subject: MyID Account Deactivation.

Security Alert

We detected WannaCrypt ransomware spam activities in your UGAMail account. Kindly click here (link to fake CAS authentication site removed) to log on to (this will log you in via the UGA Central Authentication Service portal) to assist us resolve the spam issues on your UGAMail email account.

Taking the proper measures to protect the confidentiality of all UGA accounts, is our collective responsibility as good stewards.

Thank you for your continuing attention to help desk security notice.

EITS Help Desk

Anyone who may have clicked the link before the page was shut down landed on a site that looked 100% legit -  except for the URL (the web address).

The fake page's URL was "cas2ugaedu.atwebpages.com/...". What's wrong with that?

A legit web address for a UGA service looks more like this: "service.uga.edu/".

The hostname is everything between the "://" and the first / (slash), and only the end of it says who owns the site. "cas2ugaedu.atwebpages.com" ends in atwebpages.com, a free hosting service; the "uga" and "edu" earlier in the name are just letters the phisher chose. A real UGA website's hostname ends in uga.edu, never in .com.
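Here is the same hostname check written out as code, so you can see exactly which part of an address decides who owns the site. It also covers the lookalike trick from the Hurricane Irma note above (irmarelief vs irrnarelief) and the "user@" trick, where the real host hides behind a familiar-looking name and an @ sign. This is an added example, not part of the Fresh Phish page or any EITS tool: the sample addresses are constructed for illustration (the atwebpages one follows the pattern quoted above), the trusted-domain list and the confusable-character table are assumptions.

```python
"""Hostname checks for a link found in a suspicious e-mail.

Added example; not code from the Fresh Phish page or from EITS. Sample URLs
are constructed for illustration. Assumption: real UGA web services live on
hostnames ending in uga.edu.
"""
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("uga.edu",)  # assumption for this example

# Character pairs that read alike in many fonts. "rn" vs "m" is the trick in
# the irmarelief / irrnarelief example; the rest are common variants.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def _split(url: str):
    """urlsplit, defaulting to http:// when the scheme is missing."""
    return urlsplit(url if "://" in url else "http://" + url)


def hostname_of(url: str) -> str:
    """The hostname: the text after '://' and before the first '/', with any
    user@ prefix and :port stripped. Only this part says who owns the site."""
    return (_split(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True only if host is a trusted domain or a real subdomain of one.
    'cas2ugaedu.atwebpages.com' fails: its registered domain is atwebpages.com.
    'uga.edu.example.com' also fails: the trusted suffix must be at the end."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def normalize_confusables(host: str) -> str:
    """Collapse lookalike sequences so near-miss spellings compare equal."""
    out = host.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def looks_like(host: str, expected: str) -> bool:
    """True if host differs from expected but reads the same after
    normalization, i.e. it is a lookalike rather than the real thing."""
    return host != expected and normalize_confusables(host) == normalize_confusables(expected)


def assess_link(url: str, expected_host: Optional[str] = None) -> dict:
    """Summarize the checks the page tells readers to make when hovering."""
    host = hostname_of(url)
    return {
        "host": host,
        "https": _split(url).scheme == "https",
        "trusted": is_trusted_host(host),
        "lookalike": bool(expected_host) and looks_like(host, expected_host),
    }


if __name__ == "__main__":
    # Constructed samples: a real-looking UGA address, the phish pattern from
    # above, an address that hides the true host behind a fake user@ prefix
    # (203.0.113.5 is a documentation address), and the Irma lookalike.
    for url, expected in [
        ("https://service.uga.edu/login", None),
        ("http://cas2ugaedu.atwebpages.com/cas/login", None),
        ("http://www.uga.edu@203.0.113.5/login", None),
        ("http://irrnarelief.example.org/", "irmarelief.example.org"),
    ]:
        print(url, "->", assess_link(url, expected))
```

Note that the check is an exact suffix match on the whole hostname, not a substring search for "uga": "notuga.edu", "uga.edu.example.com" and "cas2ugaedu.atwebpages.com" all contain the letters and all fail. That is the rule to apply by eye as well.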

===

MyID Account Deactivation.

Reported on June 15, 2017

Many of us received this phishing message Thursday morning.  The phishers stepped up the messaging from Wednesday's attempts even though both phishing messages link to the same URL.  

This message has copied wording from the CAS login page to make it look legit but UGA faculty and staff were not easily fooled and reported it immediately.

Like the phishing attempt Wednesday, EITS has blocked the link in this email from campus just to be safe.

From: User Name
Sent: Thursday, June 15, 2017 7:58 AM
To: Same User Name
Subject: MyID Account Deactivation.

UGA's Single Sign-on for Web Services

CAS provides a common login experience for users accessing UGA web services with their MyID credentials through a one-time login. to avoid deactivation of account see below.

                                         ACTIVATE YOUR ACCOUNT

Copyright © 2005 - 2017 CAS, Inc. All rights reserved.
Powered by University Of Georgia Central Authentication Service 3.5.1

 

New Message For You.

Reported on June 14, 2017

It seems like everyone got a version of this phishing message midday Wednesday.

This one seems like a pretty obvious phishing attempt but EITS blocked the link from campus just in case someone was tempted to click it.

From: User Name
Sent: Wednesday, June 14, 2017 1:54 PM
To: Same User Name
Subject: New Message For You.

You have 2 Important message from your Admin Center.

Sign In

Thank You

Mail Management.

 

Bank of America Alert: Your notice of suspension has been attached

Reported on May 30, 2017

Wow, Phish Spotters! Y'all are on this one. Yesterday we were wondering why the phish front was so quiet and today the boat came in. Several of you caught and reported this phish in quick succession.

The phish is kinda funky - and it's not just the phishy smell - because it combines a classic attempt to make the recipient panic with an obviously bogus message.

There are two honking huge red flags:

  1. No body text
  2. An attachment

Opening the attachment would probably open malicious software to infect your machine. Or direct you to a website where you would be asked to provide account information. (Phishing 101: You should avoid opening attachments unless you are expecting them and are certain they are legitimate.)

Now, banks can, and sometimes do, suspend accounts. They can do so without notice - but they rarely do that unless something very hinky is going on (multiple overdrafts, bounced checks, a suspicious activity report, etc.) If a bank was going to notify you of an account problem, they would typically do so via regular mail. An official notice would include logos, professionally written content, official signatures and contact information.

From: Bank of America <no-reply[@]amailboxatahostingsite.com>
Sent: Tuesday, May 30, 2017 9:28 PM
To: User Name <username[@]uga.edu>
Subject: Bank of America Alert: Your notice of suspension has been attached

There was an attachment, but absolutely nothing in the body of this email.

It's important to remember that your bank will not contact you by text message, Facebook message or email asking you to disclose your personal information. If a sender claiming to be your bank asks for personal information, do not reply. You can always look up your bank's customer service number and call for more information if you need to. 

This is your email administrator

Reported May 18, 2017

Today on Fresh Phish we hear from phishers who have set up a faked site in lovely, tropical Indonesia.

There are 10 things in this email that make us here at Fresh Phish sit up and say, "Nope! Totes a Phish. Absolute chum bucket." (See what we did there?)

Can you spot the 10 red flags that set us off?

From: User Name
Sent: Thursday, May 18, 2017 9:23 AM
To: Same User Name
Subject: This is your email administrator

 ATTENTION!
=========================  

Dear User,

This is your webmail administrator. Please,be informed that the email server has just been upgraded and your email needs to be reset immediately.
This process is to keep The University of Georgia system server updated and protected as always.

CLICK BELOW TO RESET YOUR EMAIL NOW:  

Sign In [Link to a bogus site in Indonesia has been removed.]


Regards,  

University of Georgia.

  1. The sender name - This came from a named person and not from an official EITS communication channel.
  2. EITS won't use all caps to shout at you; it's unprofessional.
  3. The generic "Dear User" greeting.
  4. Informs us that the email comes from our "webmail administrator" - that should be handled in the sign-off.
  5. An action needs to be taken immediately. Talk about a short deadline!
  6. We are called on to take that action.
  7. It is implied that if we don't take action "The University of Georgia system server" won't be protected. Which, in turn, implies that if something goes wrong it's our fault!
  8. The link is not provided as a cut-and-paste link. EITS will not hide links behind text.
  9. EITS will not ask you to validate your UGA MyID and password in an email. And they will not link you to a page with a form to validate your credentials.
  10. The sign off is not from EITS and it contains no contact information.

Bonus points if you noticed the sender is also named as a recipient for the message. That's a pretty strange thing for a business email to do - which contributes to our not falling for the phish.

How did you do? If you got half or better you're on your way to being an expert phish spotter!

Don't feel bad if you got fewer. Practicing here is safe. And you'll be an expert in no time.

Library Account

Reported May 11, 2017

This phish is the best of the best - a real catch - but it still stinks! What makes it so good?

  • The spelling and grammar are perfect.
  • The language is very business-like.
  • The library email address looks legit. (But we discovered that it's faked: the actual sending account is in Turkey.)
  • The CAS login URL looks legit. (It's faked too. It goes to a site registered in the Central African Republic that is designed to steal your UGA credentials.)
  • The personal email address of the Library Representative looks legit (but it's another bogus email address.)

This phish is a perfect example of how international phishing is, and how easy it is for the bad guys to fake email addresses and websites and present themselves as someone they are not.

So is there a Red Flag? Yes. It has two. The message threatens to take away a service and you have to act to stop it.

From: Library Services <library[@]lib.uga.edu>
Sent: Thursday, May 11, 2017 10:09 AM
To: User Name
Subject: Library Account

 

Dear Library User,
     
Your access to your library account is expiring soon due to inactivity. To continue to have access to the library services, you must reactivate your account.
     
For this purpose, click the web address below or copy and paste it into your web browser. A successful login will activate your account and you will be redirected to your library profile.

http*://cas.uga.edu/cas/login [The link to a very good but bogus CAS login page in Turkey has been removed.]

If you are not able to login, please contact Library Representative at library.rep[@]uga.edu for immediate assistance.
   
Sincerely,    

Library Representative
University of Georgia Libraries
University of Georgia
Athens, Georgia 30602-1641
Tel: 706.542.3251

These bogus addresses and the fake CAS site have been blocked on the UGA campus.

A special shout out to JCS who was first to report this library phish and to TP, who brought it to our attention.

Name@uga.edu is no longer active!

Reported May 9, 2017

Tl;dr - This email verification scam uses an altered official message to try to trick you into clicking a validation link. Don't fall for it.

One of the most common phishing scams we see here on campus tries to trick you into verifying your email address. These scams threaten to take away your email account. If you don't click to validate, the message claims, you will not be able to use your email to send and receive messages.

This particular example is unusual:

  • The banner shape and borders indicate that parts of an original, official, email message have been chopped up to make this phish. (Minced phish! Eeeeeuw.)
  • The phish actually included the correct name in "Dear Name" (before we changed it to protect someone's identity.)
  • The email address used in the body of the message was real and correct (we changed that too.)
  • The 'Validate' link points to a government site in the Philippines which is either spoofed (faked) or hacked.
  • Official-seeming language has been included in the footer to reinforce the impact of the phish.

Fortunately, there are also red flags in this email: grammatical errors; a call to action; a short deadline; and a threatened loss of service.

From: TeamOffice365 Microsoft <noreply-security[@]kast.com>
Sent: Monday 5/8/ 2017 5:30 PM
To: Name <name@uga.edu>
Subject: name[@]uga.edu is no longer active!

Email verification phish

Remember all y'all - EITS is not going to email you and tell you to validate your UGAMail account. And if they did, they certainly would not claim to be the Azure Active Directory Team.

Widespread Phishing Panic

Reported May 3, 2017

Well, it could have been a panic, but our phish spotters won the day!

A well crafted Google Doc-based phishing attack was received by approximately 1 in 5 mailboxes here on campus. We're very proud to say that fewer than 1% of recipients clicked on the link in the message. (That's waaaaaaay below the average response of around 11%.)

Google responded to the attack, shutting down the pages related to the phish quickly and efficiently, but not before the message made its way into several mail providers' systems.

The attack is not 100% undetectable, but the only thing that set off our phishing sonar was the 'To' field. We were blind copied along with a huge list of other recipients, an indicator that there may be a problem.

Fake Google Doc notice

But Fresh Phish, you ask, would you really open a randomly appearing doc? Most people would ignore that, right?

Not if the claimed sharer was one of our actual contacts. Not all recipients got a share notice from someone they knew. Many did. If the person sharing the doc had a name we recognized, we would have been much more likely to click that link.

Think of the ramifications for students - last minute project sharing with that person in class whose last name they can't remember increases the likelihood of a click through. And arriving during finals and commencement time has the potential to make that click far less likely to be remembered down the road.

The phishers know us. They know how to manipulate us. It's up to us to not let the phishers lure us into becoming victims of their scams.

Think before you click, yo. Phishers gonna phish.

Phish + MAC Malware + Tax Season = Big Danger

Tl;dr - Y'all are spoiled. Read the entry. Okay, okay - Several online security and anti-virus sites are reporting a phish email distributing nasty Mac malware called "DOK".

Heads up, Phish Spotters!

There are reports circulating on the Internet of a new piece of malicious software (malware) called "DOK" that affects Mac OS users. You can Google "DOK malware" if you need technical info.

The malware is being distributed as part of a phishing attack. If you fall for the phish, you will download malware that can gain admin privileges on your machine and give phishers access to all your communications - even the SSL-encrypted ones.

A lot of people still think that using a Mac protects you from malware. But McAfee Labs says attacks on Apple machines were up by more than 700% in 2016. Trends like that don't go away. So, we are likely to see more Mac malware in the future.

Mac users are not protected from phishing either. Whether or not someone falls for a phish is all on them. Using the delete key to give phishing email the finger is the only way to avoid getting caught.

Here are the deets on DOK:

  • The malware is distributed as part of a tax-related phishing attack
  • DOK is concealed in an attachment
  • The phish itself claims that there are discrepancies in the recipient's tax return
  • Tax problems can easily make someone react with little thought - panic!
  • Opening the attachment downloads the DOK malware
  • The malware shoots out an OS security message instructing you to "update all"
  • The update triggers the malware, which installs a root certificate
  • Then DOK uninstalls itself - making the attack next to impossible to detect
  • Mayhem ensues (Well, maybe not mayhem... but it won't be pretty.)

MAC security alert message

We all know that bad guys like to hit us in the wallet. And they love to prey on us, catching us unawares at tax time. (Want more info on tax season scams?)

The IRS won't contact you via email out of the blue. You can call them if you want confirmation that the email is real. You can also report the email by sending it to phishing@irs.gov 

If you used a tax preparer, you can contact them to make sure the email is legit.

Be careful out there.

Mother's Day Scams - a Fresh Phish PSA

Tl;dr - There's a Lowe's coupon scam going around on social media. You are likely to see similar scams claiming to be offered by other companies (IKEA, Home Depot, etc.) How can you avoid getting caught?  Easy peasy. Don't click to claim the coupon!

We all know that scams are everywhere. Phishers take advantage of us every way they can and they like to appeal to our wallets. Especially around holidays. Mother's Day is no exception - and while everyone is thinking about Mom, the phishers are hitting the social media networks with their tasty lures.

In this particular attempt, the phishers are making us an offer that is hard to refuse. Who wouldn't want a $50 coupon from Lowe's?

Scam offers like this one frequently ask you to prove that you're eligible to get the coupon. That usually means providing a credit card number or other personal information as an 'eligibility check'. The unsuspecting can quickly fall victim to a scam designed to steal your identity while preying on your good intentions. 

If you click the provided link (and we know you won't) it drops you on a very real-looking but bogus page with the Lowe's logo. In this particular case, there is a survey to take in order to claim the discount coupon. Can you guess what sort of info you have to provide about yourself?

So. How do you know this sort of scam is a scam? Let's look at the biggest of the red flags associated with this sort of too-good-to-be-true offer:

A free $50 coupon for EVERYONE!

Fake Lowe's coupon

Let's do some math.

If each of the 1.5 billion users on Facebook every day (according to zephoria.com) could use the coupon, that would be $75,000,000,000 dollars in discounts. Provided they could all get to Lowe's.

If only Lowe's regular customers took advantage of this "deal" (more than 16 million customers per week according to marketrealist.com), that would be about $800,000,000 in discounts.

The NASDAQ financial data for Lowe's shows that either amount is more than Lowe's annual income. Based on these numbers alone, you can assume this coupon is bogus. No corporation is going to go bankrupt over Mother's Day.

You always have to remember to look beyond the deal when it comes to coupon scams on social media sites. Use Google to see if there is any news; visit Snopes.com to see if a scam has been reported or do the math.

By the way, this scam is big enough to have made it onto several news channels. You probably won't see this scam in your social media feeds because of the exposure.

You may see other similar offers, though. Bogus IKEA, Home Depot and Walmart coupons are popular scams among phishers. They crop up over and over again. Like other forms of identity theft, falling victim to a coupon scam can have long-lasting ramifications.

Stay alert and be careful out there in the Net. Phishers gonna phish.

Unusual sign-in activity: A Well Crafted Phishing Email

Reported on March 28, 2017

Welcome to Fresh Phish's first ever guest post.

Douglas Stewart, Senior IT Manager at Griffin, contacted us to share an excellent example of a sophisticated phishing attempt. Doug's comments and advice were so good, we contacted him to get permission to post them here.

"I know most of us get phishing emails and most everyone has learned very well how to spot them.  This morning I was sent one that is a very professional looking email – it is grammatically correct, the email is (supposedly) from Microsoft not UGA, and this email looks very much like genuine emails Microsoft does send out if unusual activity occurs on your account.  Since this email is very different from the typical “UGA Helpdesk Administrator” with poor grammar and obvious bogus links phishing email we usually get I decided to take a screen print and remind folks there are some very polished phishing emails out there as well.  If you open the attached file you can see where the link to get further instructions does not refer back to Microsoft or one of its affiliate sites but instead goes to another website - a definite red flag for an email like this one.

If you do ever get an email like this and you are concerned maybe someone has hacked or accessed your account always go to myid.uga.edu and reset your password there.  Just a general rule of thumb, never click a link to change a password unless you have expressly asked for one to be sent to you.  As always feel free to forward any suspicious emails – I would rather tell 100 people it's valid than have 1 person click on a bogus one."

We agree with Doug 100%. The email in question is provided here. We know it's way too small to read - so if you click it, you can open it in a new window for a better look.

Phishing Email

Thank you so much, Douglas for contacting us with this whale of a phish - one that is very targeted and intended to net a big return.

You Have 1 New Message and Important Notice

Reported March 21, 2017

Tl;dr - We respond to too many phishing messages without thinking. That gives online criminals too much control over us. It's time to pay more attention!

Sometimes the simplest phishes are the best. This one is rather well crafted. It's scary that we have not seen many reports of this phish. That could mean one of two things: Either our expert phish spotters are diligently deleting the email, or people are being tricked into responding.

Why did it work? We can speculate a bit.

  • The message says it comes from a UGA Admin - an important person
  • The tone is urgent
  • A link is right there! Right there!

As social creatures, humans tend to respond to authority. A sense of urgency can spark a stimulus response - think carrot and stick. Plus, we are conditioned to click links and the phishers have provided one that's easy to use.

So, that means the bad guys have pushed our social buttons, emotional buttons and physical buttons. We all need to think and not respond. Do not give the bad guys that much control.

You have to question emails like this one. Get in the habit of asking questions like:

  • Who is the sender?
  • Are they an Admin?
  • What kind of Admin could have sent this message? (Admin of what?!?)
  • Why would I be getting a message from an Admin?
  • Why doesn't the Admin identify themselves?
  • Why am I not addressed by name in the email?
  • If I mouse over that link (without clicking!) where does it go?
  • Why is there a direct link in this message and not one I can copy and paste?

Message 1

From: User Name <username@uga.edu>
Sent: Tuesday, March 21, 2017 1:26 PM
To: Same User Name <username@uga.edu>
Subject: You Have 1 New Message


You have 1 Important message from your UGA Admin.

Sign In [Link to a bogus non-UGA site removed.]

Thank You
UGA Admin/Service

 

Message 2

From: User Name <username@uga.edu>
Sent: Monday, March 20, 2017 11:55 AM
To: Same User Name <username@uga.edu>
Subject: Important Notice.

You have 2 New Important messages from your UGA Mail Admin.

 

Sign In [Link to a phishing site in Romania has been removed.]

Thank You
UGA Mail Service.

Did you know that billions of phishing emails get sent by criminals every day? Ugh. No wonder it's a challenge to avoid getting caught.

Keep up the good work, phish spotters!

Back from Break Danger: OUTLOOK UPGRADE, UPGRADE YOUR ACCOUNT and VERIFY

Reported on March 12 - 13, 2017

Here at Fresh Phish, reports of multiple phishing attacks have been rolling in. The volume is especially high. (No pun intended - the phishers are inclined to 'shout' this week.)

Why so many phishes this week? We're all back from break, relaxed and easily taken unawares.

In the past we've talked about how the scammers and phishers know what's up with us. They know the academic calendar, when we are out, when we are back and when we are most vulnerable. Unfortunately, the baddies also know how to manipulate us with threats and a sense of urgency. We react, we click and we get caught.

Don't let the bad guys win. Slow down. Use the red flags to figure things out, hover your mouse over the links to discover where they go - and never forget: EITS will not ask you to validate your account in an email.

Here are the top three that we have been seeing this week:

Message 1

Subject: OUTLOOK UPGRADE
Date: Mon, 13 Mar 2017 02:16:27 -0700
From: username@uga.edu<mailto:username@uga.edu>
Reply-To: noreply[@]outloo.com<mailto:noreply[@]outloo.com>
To: Recipients <username@uga.edu><mailto:username@uga.edu>

You're receiving this email because you have exceed your storage limit and this may cause your Email Service disrupted. Admin request your immediate action by clicking on the link below and sign into your account to upgrade: Click Here [We removed a link to a super sketchy site in Gambia]

Message 2

From: User Name
Sent: Sunday, March 12, 2017 12:23 PM
Subject: UPGRADE YOUR ACCOUNT


This is an Email Service Alert from Help-desk. This is to inform you that your mailbox has exceeds its storage limit, you will be unable to receive and send emails. To re-set your Account Space on our database, prior to maintain your INBOX from 20G to 20.9G. CLICK HERE [This phisher used a .me domain name - phishing is obvsies all about them!] to Activate

Warm Regards,
Help-desk Administrator.

Message 3

From: User Name
Sent: Monday, March 13, 2017 7:14 PM
To: Same User Name
Cc: Same User Name Again
Subject: VERIFY


We temporarily locked your UGA-MAIL account from sending messages, Our system has detected an unusual virus and sign in attempt into your uga.edu mail box account, We recommend you to CLICK HERE [This bogus link pointed to a free website hosting service.] and verify your uga.edu mail account and always exit your uga.edu account using the Logout button in the upper right corner instead of just closing the tab of your browser. This serves as an additional security measure to prevent unauthorized access to your UGA mail account.



Warm Regards,

Helpdesk Administrator.

Fresh Phish gives a massive shout out to all the expert phish spotters who have kept us jumping this week. Keep up the great work and stay safe out there. Phishers gonna phish.

Super Dangerous UGA Alert Phish

Reported on March 6 and 7, 2017

Tl;dr - A well crafted phishing scheme is making the rounds. It's cleverly constructed and can steal your credentials if you're not paying attention. Neither EITS nor UGA will ask you to validate your UGAMail account in an email.

The official looking link in this email points to a fake CAS page. The CAS page looks genuine. How did the Phishers manage that? It's easy to copy a web page.

Here is how this scheme works:

  1. You read the email and react to the content
  2. You click the link that appears to be an official UGA link
  3. You are dropped into a CAS page that seems authentic
  4. You provide your credentials (MyID and password)
  5. You hit the login button
  6. You are taken to the real CAS page
  7. You assume you made a mistake with your credentials
  8. You put your MyID and password in the fields and CAS -the real CAS this time - authenticates you.

The real danger here is in step 5. When you hit the login button, your MyID and password are also captured by the phishers.

How to avoid getting caught? Look for the red flags (see the Phish Tank for more information). And remember to use your mouse - hover to discover - to identify the actual web address the link points to.

From: University of Georgia <username@uwec.edu>
Sent: Monday, March 6, 2017 6:31 PM
Subject: UGA Alert

Dear User,

This is to confirm that your email account was randomly selected for verification.

Kindly visit the website below and follow prompt to confirm your profile is active.

https://www.uga.edu [link to a bogus CAS login page has been removed]

Failure to validate your profile within 24hours may result to mailbox termination.

Thank you.
University of Georgia

 A shout out is due to KS and PL for being the first to report the UGA Alert phish. Well done and thank you.

Dear UGA® Email users!

Reported on February 28, 2017

This ole thing? It's a standard 'verify your account' phish. The phishers dressed it up a bit.

We really like the use of an extended vocabulary in this one. And the specificity of "two (2)" emails is a nice touch. Two sounds way more dangerous than only one (1) email, doesn't it? And the registered trademark symbol adds a whole new level of official!

But when we take a closer look at the generic subject line - OMG everyone has two (2) Incoming Mails that have resulted in their accounts being suspended - random capitalization, strange punctuation and odd language, we realize the truth.

It's just lipstick on a pig.

From: User Name
Sent: Friday, February 24, 2017 4:12 PM
To: Same User Name <username[@]uga.edu>
Subject: Dear UGA® Email users!

Our web administrator has been notify of some Unwarranted /Unauthorized activities in our Webmail database
For these reason two (2) of your Incoming Mails has been suspend till you verify your mailbox

Kindly Click UGA Account Verification <bogus "ugaverificationdesk" link has been removed> to verify your account.

Thank you for C0-operation
UGA® Web admin.

Tax Time = Scam Time: a Fresh Phish PSA

Tl;dr -  A lot of scams are tied to tax time. Use caution and file as early as possible.

Tax time is scam time and there are several scams to be alert to this year. Fresh Phish did some research online and put together this summary for you.

Dates to know:
Filing Deadline - The tax deadline this year is Tuesday, April 18th (the 15th is a Saturday and Monday the 17th is a holiday in D.C.)
Possible Delays - You should also be aware that, to scan for potential fraud, the IRS is issuing refund checks later than usual this year. Some returns will be delayed, but refunds should begin arriving on Wednesday, February 15th. The IRS has more information on the 2017 Tax Filing Season.
Popular scams to lookout for:
Tax relief scams - If someone offers to reduce your taxes, be alert to scams. Especially if money needs to be paid up front (the scammers will take it and run). If you need to use a tax relief business, check them out thoroughly first.

Federal Student Tax – Did you receive a bill for the Federal Student Tax this year? No? Good, because it doesn’t exist. Be prepared. You may be contacted by scammers if you are a student or the parent of a student.

Fake Affordable Care Act (ACA) notices - Scammers send a fake notice that is designed to look like an official ACA bill. If you get an ACA bill, be alert to potential fraud. The IRS does not send ACA bills: the IRS sends a notice of adjustment to your taxes.

Phishy Tax Preparers - Criminals may claim to be tax preparers to trick you into giving away personal information. If you get an unsolicited email from a tax preparer, avoid clicking on links or opening attachments. Just delete the message. Also, if any tax preparer asks you to pay cash for part or all of your taxes, that's a huge red "it's-a-scam" flag.

Fake IRS Agents - Criminals pose as IRS agents who call and attempt to scare you into complying with their demands.  Don’t be fooled! If there is a problem, the IRS almost always makes first contact by sending a letter through the US mail.

Have you gotten a call from a bogus IRS agent? Scammers like to use common names like John Jackson, Mike Smith or Anne Jones when posing as IRS agents. If they give you a badge number, they’ll often say it too fast for you to jot down. How do you tell the real agents from the fake ones?

Real IRS agents will not:

  • leave a phone message demanding immediate payment
  • use intimidation or threaten to have you jailed
  • ask for a specific type of payment (cashier's check, cash, money order, bank transfer, prepaid debit card, etc.)
  • ask you to pay over the phone with a credit card
  • call you to verify tax information or personal details
  • ask for your social security number in an email, text or phone call
  • ask for your bank account number in an email, text or on the phone
  • call to let you know you are eligible for a refund (usually a huge one)
  • email you telling you to update your e-file account
  • direct you to a webpage that begins with anything other than https://www.irs.gov/ (be alert to bogus sites like irsgov.com, irs.com, irs.net or irs.gov.com)
  • send you a tax transcript you did not request (getting one may indicate you're an ID theft victim)

Criminals often spoof phone numbers so your caller ID might display the correct IRS phone number or ID when a scammer calls.

Filing Online - Be super careful when filing your taxes online. Only do it on a secure computer connected to a secure network. Unencrypted connections can easily be intercepted by crooks who are watching for them. The crooks insert themselves into your transaction and grab your personal information without alerting you to the attack. So, no filing your taxes at the local coffee shop, even if you really need the caffeine.

Tips for avoiding tax time scams:

  • File your taxes early! Get your refund in before the criminals do. Even if you owe taxes this year, the criminals can file a fake return that may launch an IRS investigation. Protect yourself.
  • Use the "Where's my Refund?" tool at the IRS site to track the status of your refund.
  • Get an Identity Protection PIN (IP PIN) from the IRS. Use your IP PIN along with your Social Security Number to make filing your taxes more secure.
  • Know your rights as a taxpayer. Didn't know you had any? Check out the Taxpayer Bill of Rights for more information.
  • Stay informed. The IRS has a page about Tax Scams and Consumer Alerts and a Google search will get you a lot of information.

Other actions:

Get a phishy email? - If you get an email claiming to be from the IRS you can forward it to phishing@irs.gov

Think you're a victim of ID Theft? - Tell the IRS right away! File a form 14039 to report the theft of your identity. The IRS will send you a letter with follow up instructions (it can take a while.)

Phony IRS Agents? - Report the call to the Treasury Inspector General for Tax Administration (TIGTA) via their IRS Impersonation Scam Reporting web page or call (800) 366-4484.

Let the Federal Trade Commission (FTC) know via their FTC Complaint Assistant. Include "IRS Telephone Scam" in the notes to let the FTC know what’s up.


Phish Wrap - 2016 phishes in review

Tl;dr - Knowing the types of phishing attacks you can expect, and getting a feel for the general topics they contain can help you avoid getting caught. Includes a list.

Here at Fresh Phish, our goal is to provide actual phishing emails that are reported on campus and help you learn how to spot them. We know that phishing mostly falls into a few broad categories. So, we decided to take a look at the types of phishing email we saw in 2016.

These are classic phishing attempts that get repeated over and over again. Why? Because they work. Over and over again.

What if you get an email that falls into one of these types, or touches on one of these topics? It's probably a phish.

Here is a breakdown of what we saw, arranged by type and topic.

Validate Your Account

  • You have spam in your email - validate your account
  • Your account is about to expire - validate to keep it
  • Your account was logged into from an unknown IP address
  • Negligent emails! - we are shutting down your account
  • You exceeded your mail box quota -  make your mail box bigger
  • Authenticate your account now!
  • Your UGA account certificate has expired
  • Unusual sign in activity - validate your account now
  • Database maintenance - update your account
  • We're backing up the servers - validate your email to get updated

Verify Your Account - a Validate Your Account subtype

  • System update - verify your email account
  • Security Alert - click to verify
  • Account suspended - click to verify
  • Reply to cancel deactivation of UGA services
  • We made your UGA mailbox bigger / more secure
  • We are deleting your UGA Mail account - verify to keep it
  • We made your email service / Microsoft suite faster
  • Our account is on hold, click to contact an administrator
  • We locked your account; click to verify it - with bonus security advice

Unlock / Unblock Your Account - a Verify Your Account subtype

  • Verify your UGAMail account to unblock it
  • Your account temporarily blocked
  • Helpdesk alert - your incoming mail is on hold
  • We noticed a virus so we locked your account

Blackboard-driven Scams

  • Blackboard Newsfeed
  • Blackboard document resubmit request
  • You have messages on Blackboard
  • New message from Blackboard Admin /Faculty Admin

Malware or Phishing Scams with Attachments

  • Court summons
  • Your payment has been processed
  • Confirm a reservation / flight / purchase
  • Shipment could not be delivered
  • Secret Shopper and other scam job offers trying to get all your personal info

Fake Services /Jobs / Websites

  • Sign up for our fake service
  • Important schedule message
  • View the non-existent Campus Bulletin
  • Secret Shopper emails - bogus job offer trying to get all your personal info

Vanity Phish - designed to make you click to find out who searched you

  • Someone searched your profile!
  • I want to join your LinkedIn network

Phishers gonna phish.

Account disables in 48 hours and Mail Closure Warning

Reported on February 6 and February 7, 2017

Boy howdy! The phish are jumpin' today. These two jumped high enough for a pair of expert phish spotters to see.
We're not going to spend too much time on these messages, because the red flags are raised and flying high. (Need info on the red flags? Visit the EITS Phish Tank.)
  1. Check out the senders' mailto addresses: one is in Russia (mail.ru); the other points to a generic-looking non-UGA webmail service.
  2. Both messages direct you to update or validate your UGAMail account. EITS will never ask you to validate your account in an email.
  3. Scare tactics are used for motivation: Your account disables or Your mail will be closed.
  4. Both have a close deadline - 48 hours - to prod you into responding fast and without much thought.
  5. Neither message is signed with an actual EITS signature. Just who is "Account Team"? And why the confusion from "Request Team.??" They don't seem to know who they are at all.

    Message 1

    From: Account Team ,<mailto:sendername[@]mail.ru.>
    Sent: Monday, February 06, 2017 4:24 PM
    To: account-security <account-security[@]outlookservices.com>
    Subject: Account disables in 48 hours

    Dear User,
    Kindly follow link below to re-validate account. Failure to do so, you will be extricated from accessing your account
    Please visit the link UPDATE NOW [unsecured shortened link to a fake login page removed] to avoid the close down of your account and keep enjoying our services.

    Account Team

    =====

    Message 2

    From: Mail Admin <mailto:Admin[@]webmail.com>
    Sent: Tuesday, February 07, 2017 8:24 AM
    To: Recipient <recipient[@]uga.edu>
    Subject: Mail Closure Warning
    Importance: High

    Dear Recipient <recipient[@]uga.edu>,

    We received authorization from you to close down your mailbox account which is in progress within 48hrs.

    note you will loose all your valuable mails in your Email account, If you will like to continue using your mailbox you have this opportunity to cancel this request.

    CLICK HERE TO CANCEL CLOSURE REQUEST NOW [bogus link to a fake login page ...username=recipient[@]uga.edu has been removed.]

    If you fail to cancel this request before 48hrs you will not have access to you mailbox and it will be close down.

    Thanks for your co-operation.
    Request Team.??

Phishing is serious business, but if you want to read the "Account disables in 48 hours" message out loud, in a bad accent, we'll understand. Fresh Phish is on the lookout for Moose and Squirrel, too.
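The five points above can be turned into simple checks. The following Python script is an added illustration, not EITS tooling and not part of the original page: it flags a sender outside uga.edu (assumed here to be the only trusted domain), validate/verify language, a deadline stated in hours, a threat of closure, a generic greeting, and an anonymous "team" sign-off, and runs those checks over the two messages quoted above (with the links already removed, as on the page).

```python
"""Red-flag triage for a suspicious email (added illustration, not EITS tooling).

Each check encodes one of the flags the page points out: a sender outside
uga.edu, a request to validate or verify, a short deadline, a threat of
closure, a generic greeting, and a signature from an anonymous "team".
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "uga.edu"  # assumed: legitimate EITS mail comes from here

VALIDATE_RE = re.compile(
    r"\b(re-?validate|verif(?:y|ication)|validat(?:e|ion)|unlock|unblock)\b", re.I)
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*-?\s*(?:hours?|hrs?)\b", re.I)
THREAT_RE = re.compile(
    r"\b(?:clos(?:e|ed|ure)|disabl\w*|deactivat\w*|suspend\w*|locked|lose|loose)\b", re.I)
GREETING_RE = re.compile(r"^\s*dear\s+(?:user|member|customer|recipient)\b", re.I | re.M)
# A sign-off such as "Account Team", "Request Team.??" or "Helpdesk Administrator."
SIGNER_RE = re.compile(
    r"^\s*(?:account|request|help-?desk|support|mail)\s*(?:team|admin(?:istrator)?|desk)\.?\W*$",
    re.I)


def sender_domain(from_header):
    """Domain of the From: address, lowercased; '' if there is none.
    The page sanitizes addresses as 'name[@]host', so undo that first."""
    cleaned = from_header.replace("[@]", "@").replace("mailto:", "")
    _name, addr = parseaddr(cleaned)
    return addr.rpartition("@")[2].lower().rstrip(".")


def red_flags(headers, body):
    """Return the list of red-flag labels raised by one message."""
    flags = []
    dom = sender_domain(headers.get("From", ""))
    if dom != TRUSTED_DOMAIN and not dom.endswith("." + TRUSTED_DOMAIN):
        flags.append(f"sender-domain:{dom or 'none'}")
    text = headers.get("Subject", "") + "\n" + body  # subject lines carry deadlines too
    if VALIDATE_RE.search(text):
        flags.append("asks-to-validate")
    deadline = DEADLINE_RE.search(text)
    if deadline:
        flags.append(f"deadline:{deadline.group(1)}h")
    if THREAT_RE.search(text):
        flags.append("threatens-closure")
    if GREETING_RE.search(body):
        flags.append("generic-greeting")
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if lines and SIGNER_RE.match(lines[-1]):
        flags.append("generic-signature")
    return flags


# The two messages from this entry, with the links already removed by the page.
MESSAGE_1 = {
    "headers": {"From": "Account Team <sendername[@]mail.ru>",
                "Subject": "Account disables in 48 hours"},
    "body": ("Dear User,\n"
             "Kindly follow link below to re-validate account. Failure to do so, "
             "you will be extricated from accessing your account\n"
             "Please visit the link UPDATE NOW [link removed] to avoid the close "
             "down of your account and keep enjoying our services.\n\n"
             "Account Team\n"),
}
MESSAGE_2 = {
    "headers": {"From": "Mail Admin <mailto:Admin[@]webmail.com>",
                "Subject": "Mail Closure Warning"},
    "body": ("Dear Recipient <recipient[@]uga.edu>,\n\n"
             "We received authorization from you to close down your mailbox "
             "account which is in progress within 48hrs.\n\n"
             "note you will loose all your valuable mails in your Email account, "
             "If you will like to continue using your mailbox you have this "
             "opportunity to cancel this request.\n\n"
             "CLICK HERE TO CANCEL CLOSURE REQUEST NOW [link removed]\n\n"
             "Thanks for your co-operation.\nRequest Team.??\n"),
}

if __name__ == "__main__":
    for label, msg in (("Message 1", MESSAGE_1), ("Message 2", MESSAGE_2)):
        print(label, "->", ", ".join(red_flags(msg["headers"], msg["body"])))
```

Note that Message 2 never actually says "validate" or "verify"; it relies on the deadline and the threat of closure alone, which is why a single keyword is never enough and the checks are scored together.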

UGAMail/Validating

Reported February 2-4, 2017

This set of phishing attacks is coming on strong. Fresh Phish has seen close to 100 reports of this particular phish in the past few days. Well done, phish spotters!

We've written about how phishing attacks may look the same on the surface, but be different on the back end. These two examples appear to be the same (except for the dates) until you take a look at the link that is included.

We normally just remove the whole link, but this time we left part of the link text in each email so you can see what we mean.

The content of the two messages mirrors word for word, and the unsecured (http) links in both pointed to the same free web hosting service. Only the location of the bogus login page was different - and both URLs are designed to trick you into thinking they came from UGA.

Example 1:

From: SenderName <sendername[@]uga.edu>
Sent: Thursday, February 02, 2017 1:55 PM
Subject: UGAMail/Validating

University of Georgia we are validating active accounts, if still in use kindly Visit this link [unsecured link to ugamail-activation-page at a free website hosting service removed] to verify account now

Example 2:

From: SenderName <sendername[@]uga.edu>
Sent: Saturday, February 04, 2017 2:15 PM
Subject: UGAMail/Validating

University of Georgia we are validating active accounts, if still in use kindly Visit this link [unsecured link to ugaemail-activationunit at a free website hosting service removed] to verify account now

Remember, you can position your mouse over links - without clicking! - and learn where they will take you. If you hover, you discover. Stay safe out there!

Secure Mail Alert

Reported on February 2, 2017

Happy Groundhog Day, Phish Spotters!

It's funny how this one just sort of poked its head out like Punxsutawney Phil. It certainly could cast a long shadow on someone's UGAMail account. Might be hard to winter. Definitely has potential for a chilling effect. Okay. We'll stop now.

Today we have a new twist on an old phish. It plays on curiosity and anticipation - a secure message that you have to sign in to view. The message is designed to make you think the phishers have something important and you have to go to them to get it.

This tactic is made a bit more dangerous by the fact that UGA has a secure message service (SendFiles). The message is clearly written and grammatically correct; two of the big red flags are absent. These features come together to create a message that seems reasonable, believable and easy to fall for.

Any time you get a message like this - or any phishy looking message - you need to ask questions like the following:

  • Why would IT support need to send me a secure message?
  • Why are they calling me a member?
  • Just who the heck is IT Support anyway?
  • Why are they emailing me from a place called wids.com?!?

And reach the conclusion - Obviously NOT from EITS. Delete!

Subject: Secure Mail Alert
Date: Thu, 2 Feb 2017 15:50:20 +0000
From: IT Support <ITsupport@wids.com>

Dear Member,

You have received a secure message from IT Support.

Click here to review the message [link to a bogus site removed].

Note: Your internal messages can only be accessed via your online portal.

IT Support

If you don't know about SendFiles, you should check it out! You can securely send files to anyone. SendFiles also allows you to transfer files up to 2GB in size. Plus, anyone with a UGA MyID can use SendFiles.

Your Profile Name

Reported on February 2, 2017

It's a busy day here at Fresh Phish. It has been a while since we had two phishing attacks to report in one day! Our expert phish spotters are hard at work, too. They reported this message several times and it's not an easy one to spot.

What makes this message harder to spot than others? Language. We spend a lot of time going on about bad grammar and poor spelling, but this message is free from either. The big giveaways are the weird mailto address of the sender, the lack of personalization and a signature, and the link that was provided. (It pointed to a non-UGA site.)

Take a close look and you'll notice that this is just a basic verify your account phish. The aim of the message is to get you to act without thinking, click the link and give your credentials away. By implying that there is something wrong with your account and they have shut it down until you prove you are who you are, they hope to trick you into responding.

From: System Alert <mailto:systemalert[@]mail.arizona.com>
Sent: Thursday, February 02, 2017 9:22 AM
To: you
Subject: Your Profile Name

*System Alert*

The name registered to this account does not match the name we have on file.

You are required to verify your profile by clicking on the button below:

Verify Profile Now [link to a bogus login page removed. This message has been sanitized for your convenience.]

The name on your profile must match the name registered for this account. Our system will automatically restore your account once completed.

Remember: If you don't click you can't be phished.

UGAMail/Validating

Reported on January 23, 2017

Hello, Phish Spotters! Many of you have reported this phishing email. Thank you.

The phish is short and simple. Unfortunately at least one of our own was caught unawares. Why?

We think it may be because the message is such a nice lure. It's bright, shiny and requires no effort to swallow. Some recipients might even think it's nice that they have a chance to say, "Yes! I still use my UGAMail account. Thank you for asking!"

If only we would all slow down. Read any email that asks for credentials or personal information out loud. Does it sound legit? Or is the content totally wrong for a business email from the University? (No greeting, no punctuation, weird pronoun usage, links to a non-UGA website and no signature.)

The process of using email has become automatic for many of us: Open, read, click the link, type, close the form and move on. This happens so routinely that we may not even notice what we're doing. It's almost as if we have given mind and body over to the phishers.

Grrrrrr! Arrrrgh! Email zombies!

Time to take back control, y'all.

From: User Name <username[@]uga.edu>
Date: Monday, January 23, 2017 at 1:35 PM
Subject: UGAMail/Validating


University of Georgia we are validating active accounts if still in use kindly Visit this link [link to a fake form at weebly.com has been removed] to verify account now

Mama always said a phishing email's like a rattlesnake. You know it's dangerous, but when somebody gift wraps one and sends it to you, you'll probably open it.

VERIFY

Reported on January 19, 2017

These phishers are using an old reliable phishing attack to see if anyone rises to the bait.

The real email is provided farther down the page.

For now, let's imagine this message in matter-of-fact 'phisher speak':

"We (the phishers) are totally lying to you when we say we locked your UGA-MAIL account so you can't send messages. We want you to believe you have some sort of virus so you'll panic and fall into our trap. Oh, you just have to CLICK HERE and give us your credentials on our bogus webpage. You're supposed to think you are verifying your email account so you can get access back. But, we're crooks, remember? Bwah-ha-ha-ha-ha. Just to sound official we'll warn you to log out of your email account for security. And it might normally help prevent unauthorized access, but right now it won't - because you just gave us your credentials. We totally took advantage of your trust.

Warm Regards,
The Bad Guys"

You would never fall for this phish if it were written in phisher speak. (Obviously not a real dialect / language!) But the real email may be a little more convincing - especially if you are busy or in a rush.

What's the most important point to remember when you receive an email like this one?

EITS will never ask you to verify your credentials in an email message.

From: User Name
Sent: Thursday, January 19, 2017 2:42 PM
To: Same User Name <username[@]uga.edu>
Cc: Same User Name <username[@]uga.edu>
Subject: VERIFY

We temporarily locked your UGA-MAIL account from sending messages, Our system has detected an unusual virus and sign in attempt into your uga.edu mail box account, We recommend you to CLICK HERE [we removed the link to a bogus page on weebly] and verify your uga.edu mail account and always exit your uga.edu account using the Logout button in the upper right corner instead of just closing the tab of your browser. This serves as an additional security measure to prevent unauthorized access to your UGA mail account.

Warm Regards,
Helpdesk Administrator.

Fresh Phish is beginning to think anyone who signs off with "Warm Regards" is not to be trusted. Sorry, Auntie Gladys.

Gmail Phishing Attack Makes the Rounds: A Fresh Phish PSA

Phish Spotter Powers, Activate!

Reports are coming in of a super-clever phishing attack that is targeting Gmail accounts. The attack is catching even expert phish spotters and skilled technical people unawares. Plus, the attack is expected to spread to other services.

Take a few minutes to Google "Gmail phishing attack" to get all the details. There is a lot out there: Fresh Phish recommends the Wordfence article. It has great examples and offers a short, clear lesson on reading URLs. Why the lesson on reading URLs? Because knowing how to read URLs is one of the best ways to avoid getting caught by this scam and many others.

Using two-factor authentication for Gmail will prevent the bad guys from getting very far even if they do manage to grab your username and password.

If you just want the lowdown:

  • Phishers hijack one or more (Gmail or other) email accounts
  • They create a plausible email message with an attachment
  • They use each account's address book to broadcast more phishing email
  • When you click to preview the attachment, you are taken to a bogus Gmail login page
  • If you log in on the bogus page the crooks quickly take control of your account.

Lather, rinse, repeat.

Remember, even experts are getting caught by this phishing attack. Slow down and think before you click. Learn to spot bogus URLs and you'll have a better chance to avoid getting reeled in by the phishers. And remember, two-factor authentication is your friend.

CC at UAB deserves a loud shout out for bringing this to Fresh Phish's attention. Thanks, CC!
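The URL-reading lesson this PSA recommends, and the lookalike links in the February 2-4 "UGAMail/Validating" entry above, can both be practised with the following Python script. It is an added example, not part of this page and not an EITS tool: it splits a link into scheme, host and path, treats uga.edu as the assumed trusted domain, and raises a warning for an unsecured http link, a host that merely contains "uga" instead of being under uga.edu, a free web hosting service (weebly.com is named on this page; the .test name and the .ru host in the sample are constructed placeholders), and a pre-filled address in the query string. read_links() pulls every link out of a message body so you can see where each one leads without hovering.

```python
"""Reading a URL before clicking it (added illustration, not EITS tooling).

Splits a link into scheme, host and path and raises the warnings the page
describes: an unsecured http link, a host that merely contains "uga" instead
of being under uga.edu, a free web hosting service, and a pre-filled address
in the query string.
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uga.edu"  # assumed: the only registrable domain to trust
# weebly.com is the free host named on this page; the .test name is a
# constructed placeholder standing in for a second one.
FREE_HOSTS = {"weebly.com", "freehost-placeholder.test"}
URL_RE = re.compile(r"https?://[^\s<>\[\]()\"']+", re.I)


def registrable_domain(host):
    """Last two labels of the host (simplified; a real tool would consult the
    Public Suffix List so that suffixes such as co.uk are handled correctly)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def read_url(url):
    """Break a URL into parts and return them with a list of warnings."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme:{parts.scheme or 'none'}")
    if reg != TRUSTED_DOMAIN:
        warnings.append(f"not-uga:{reg or 'no-host'}")
        # "uga" anywhere in a non-UGA host or path is the lookalike trick
        if "uga" in host or "uga" in parts.path.lower():
            warnings.append("uga-lookalike")
    if reg in FREE_HOSTS:
        warnings.append("free-hosting")
    # The page's Message 2 link carried ...username=recipient[@]uga.edu
    if "@" in parts.query or "username=" in parts.query.lower():
        warnings.append("prefilled-address")
    return {"scheme": parts.scheme.lower(), "host": host,
            "registrable": reg, "path": parts.path, "warnings": warnings}


def read_links(text):
    """Apply read_url to every http(s) link found in a message body."""
    return [read_url(m.group(0)) for m in URL_RE.finditer(text)]


# Constructed message body modelled on the entries above (not a real phish).
SAMPLE_BODY = (
    "University of Georgia we are validating active accounts, if still in use "
    "kindly Visit this link http://ugamail-activation-page.weebly.com/verify "
    "to verify account now. Real login: https://cas.uga.edu/cas/login\n"
)

if __name__ == "__main__":
    for result in read_links(SAMPLE_BODY):
        print(result["host"], "->", result["warnings"] or "no warnings")
```

The registrable-domain step is the part worth remembering: "ugamail-activation-page.weebly.com" is owned by whoever registered the weebly.com subdomain, not by UGA, no matter how much of the hostname spells "ugamail".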

"Bookended" phishing messages - ALERT: Important Newsfeed From Faculty. [And] your email account is temporary deactivated.

Reported on Friday, January 6, 2017 and Monday, January 9, 2017

You know how we here at Fresh Phish keep talking about phishers knowing what we are doing? And how they are especially good at catching us when we are in a hurry or distracted? Well, these two phishing messages are great examples that "bookend" the past weekend.

Message 1 - "ALERT: Important Newsfeed From Faculty." This message arrived at a particularly opportune time for the bad guys. Fresh Phish doesn't think the phishers planned its delivery to coincide with an early release for bad weather. But we are fairly certain some of us clicked the link thinking it was an update on the situation.

Many of the red flags we normally look for are in the email. The biggest is the one that should have had us wondering why we were asked to go to Blackboard if this was a weather / closing update. Those notices come through ArchNews, social media channels or radio communication.

Pro Tip: You can find out more about red flags in phishing email by checking out the bullet points listed under "What is a Phishing Email?" on our Phish Tank page.

Message 2 - "your email account is temporary deactivated." Coming in on Monday morning to a message like this can potentially spark a reaction from anyone who gets it. If you're already feeling behind schedule because of Friday's early closing, this bogus "security issue" might just catch you out.

What's the reddest of red flags in this message?

  • EITS will not send you messages with an unsecured clickable link.
  • EITS will not ask you to follow a link and reconfirm your University of Georgia email account details.

That flag was so red it got two bullet points!

Message 1

From: User Name <username@uga.edu>
Sent: Friday, January 6, 2017 7:24:07 AM
To: Same User Name <sameusername@uga.edu>
Subject: ALERT: Important Newsfeed From Faculty.

To Staffs, Employees & Students,

You have received an Important mail from your Faculty;

Continue_To_Blackboard_Here_To_View: (link removed)

Regards

Blackboard.

==============

Message 2

From: User Name <username@uga.edu>
Sent: Monday, January 9, 2016 6:32 AM
To: Same User Name <sameusername@uga.edu>
Subject: your email account is temporary deactivated.

The University of Georgia

Due to a recent security issue your email account is temporarily deactivated.

You are required to reactivate your University of Georgia email account in less than

24 hours.follow below link and reconfirm your University of Georgia email account details.

[link to a_website_in_Russia (.ru) masquerading_as_the _cas.uga.edu_page. has been removed]

Thank You

© University of Georgia

Fresh Phish gives a shout out to all the expert phish spotters who reported the "your email account is temporary deactivated." message.

When we checked in this morning there were dozens and dozens of people who had drawn our attention to this phish. A whole wall of text that read "Fw: your email account is temporary deactivated." was a glorious thing to see.

It's always good to start the week with a smile - so thanks to all y'all who had us grinning from ear to ear.

Additional Resources