As part of our phishing awareness campaign, Fresh Phish features recent phishing attempts directed at the UGA campus. These emails have been reported by UGA faculty, staff and students who are alert to the dangers of scams and phishing attacks.
Messages are listed by subject line and date reported. A brief critique of each message is included to help you spot the red flags - the features found in most phishing emails - and the common patterns that can alert you to the potential dangers in your inbox.
Every once in a while you will notice that the name of the sender has been changed in an example. Why? It was a real person. And there's no reason to be mean or point fingers. Just imagine your name in place of "User Name" and you will understand why we chose to make the switch.
Hey, All Y'all!
Seems DoorDash got hit by a data breach.
A third party service provider was the actual target. That means a company/ group/ contractor hired by DoorDash was the one that got breached. It still affects peeps who use DoorDash.
Fresh Phish highly recommends that you change your application password if you are a DoorDash user.
DoorDash reports that 4.9 million users - Dashers, merchants and customers - are affected by the breach. They say it concerns users who joined before April 2018, but better safe than sorry, right?
Go on. Go change your password. Be safe. We'll wait right here.
You back? Good.
Why change your password if the data breach already happened? 'Cause the Bad Guys likely snagged your profile information.
Worse, they may have gotten away with your credit card info - or at least enough of it that you’ll want to check your statements for funky charges.
If you work as a Dasher (or were a Dasher previously) the bad guys may have gotten your drivers' license number, too.
Those three types of information are a powerful combo, but it may not be enough to cause a lot of grief. Stay alert anyway, m'kay?
At the very least, you can expect some phishing email at the address you used to register your account.
You can read more on the DoorDash blog. Or just Google 'DoorDash breach' for more info.
Reported August 6, 2019
Great. Thanks, Fresh Phish. What does that mean exactly?
Sextortion emails are phishing emails that use fear and shame as an attack.
An Online Criminal (the Bad Guy) claims to have taken control of your web camera. They claim to have recorded some very compromising activity or caught you going to adult sites. Then the Bad Guy threatens to expose you and your habits to everyone you know.
Unless, of course, you pay them not to.
Sextortion emails can be very scary. The Bad Guys use real information they find online to seem like they are legitimately able to cause you harm. They might have one of your old usernames or an old password from an online data dump. They might even have current information.
How do they get your personal information? Online Criminals create victim lists after data breaches. They then share, trade and sell the personal information they stole with other Bad Guys.
So what should you do if you get a sextorion email?
Never use your UGA MyID as a username on a non-UGA account. Never use your UGA MyID password to access another account.
Special thanks to OODA Loop and Cofense Phishing Defense whose articles got us talking about Sextortion emails.
Reported July 11, 2019
Y'all know that phishing emails are designed to trick you into replying to them with personal information. Sometimes they provide a link to a web page or form where you can give away your contact information and more. Or, in this case, all the information you would provide when applying for a job - name, address, birthday and social security number.
That is also the same information the Bad Guys need to steal your identity and ruin your life.
So what's wrong with this email message?
All of the items listed here are indicators of a phishing message.
From: Sender Name
Sent: Thursday, July 11, 2019 11:37 AM
Subject: Summer Opening Available
Hello, Hope your summer is off to a great start.
I am a staff here in Uga, there is an opening available to all student and personals to work with UNICEF to render Personal Assistance Service.
Apply Here (link removed)
Phishers gonna phish, y'all.
Reported May 28, 2019
Okay, All Y'all. This clever little email is a real nasty piece of work.
It plays on our sense of connection to a someone we feel we should be able to trust - someone who says they are a student here at UGA.
Once we are all relaxed ans ready to help out a fellow Dawg, is offers a summer job that is just too good to be true. Who wouldn't want to hang out with a dog for a couple of hours a day? the hours are even nice - go in the morning and you're done for the day! And $350 a week for 10 hours of work?!? That's $35 an hour - more than four times what some professional dog sitters make.
Wait. That does sound too good to be true. If you click the link to contact the person offering the dog walking, you will later get a phishing email with a link to a file share.
If you follow that link, you will give the Bad Guys access to your email.
How? The phish bounces you to an Outlook365 login before allowing you to access the fake file. The Baddies steal your login cookie. close your session and use your cookie on thier own computer to log in to your account.
We know they will send phishing messages to all your contacts. They may also go through your messages to find information they can stael and use or resell.
Sent: Monday, May 27, 2019 2:34 PM
Subject: Dog Walker / Dog sitter Job
Note :- EMAIL NameofPerson[at]gmail.com (link removed)
Hello, my name is Sender Name,I am a student here in University of Georgia. My Aunt is moving to the school area and needs someone who can pet sit her dog for 2 hours daily within 9am - 11pm.Pay is $350 weekly.kindly email her for more info NameofPerson[at]gmail.com (link removed). You are to email her with your personal email NOT school email so she can receive your email because most times I email her with my school email she hardly receive my emails.
Note :- EMAIL NameofPerson[at]gmail.com (link removed)
As always, you can report suspicious looking email to firstname.lastname@example.org . If you suspect that your email account may have been compromised, you should change your password.
Here is a good reason why you may want to stop doing that.
A lot of services use the "Login with Facebook" (and other social media services) method to grant access to their websites. Basically, you use your Facebook credentials to provide the new service with the information it needs to set up your shiny new account. It makes it faster and easier and it's usually "okay" to do if the new service is legit.
How is it supposed to work? When you opt to login with Facebook, you either get redirected to the Facebook site or facebook.com provides its own popup window so you can login with your credentials.
Now there is a new phishing attack that uses the familiar "Login with Facebook" popup window to steal your credentials.
Just think of all the information they will have access to if they take control of your account.
This stuff looks and feels real, y'all. The malicious popups have all the bells and whistles of the real thing - URLs with secure site lock icons, logos, buttons, you name it. The bad guys have upped their game so much that according to Antoine Vincent Jebara, the CEO of Myki password managing software, "...even the most vigilant users could fall for" this attack.
Jabara also reports that the only way to tell these popups are fake is to try dragging it off screen. If you can't move the popup far enough to make part of it disappear from your browser window it's almost certainly fake.
Use extreme caution when you login using Facebook to any third-party services. In fact, you should use caution when signing in to any third-party service with any social media account. That includes Google.
To find out more about this new phishing attack, you can search online for "Facebook popup phishing".
Phisher gonna phish. Don't get caught.
Reported February 4, 2019There is a doozy of a phish surfacing in some University System of Georgia (USG) institutions.
From: IT _Support <IThelpdesk[at]usg.edu>
Sent: Monday, February 2, 2019 2:15 PM
Subject: Outlook Support
(USG logo here)
All Staff are expected to migrate to the New 2019 Microsoft Web Portal to enable access to the below, Click Microsoft-Outlook (link removed) to migrate immediately.
Important notice: All staffs are expected to migrate within 24 hours to avoid delay on mail delivery.
Administrator Service System
UNIVERSITY SYSTEM OF GEORGIA
©Copyright 2019. All Rights Reserved
The red flags in this message are a bit hard to spot, but they are there:
Phishers gonna phish. Don't get caught!
Reported on January 23, 2019
Imagine you are Sue. You are sitting at your desk and it's late in the day, just before 5PM. An email pops up in your inbox. It's from your boss. They write, "Sue, are you in the office? I'm in a meeting and can't easily use my email account. What's your cell phone number?"
You check out a few things like the sender's name and email address, and you were greeted by name: It seems legit. So you quickly reply with your cell number, "Of course! My number is (706) 555-9876."
A few minutes after five, you get a text from a caller at (706) 555-1234. It's your boss. They ask for you to acknowledge you got the text.
Then your boss asks you to buy some gift cards. Don't worry, you will be reimbursed. If you're willing, let them know and they will tell you what to buy.
What do you do next?
If you buy the gift cards, your boss will ask you to text the activation numbers to them. You'll never be reimbursed. It's not your boss.
With luck, you never got beyond the initial email. You deleted it and went home at five without a second thought. You recognized the "Are you there?" email as a phish. Well done.
The Bad Guys are taking this sort of gift card fraud out of your email and into your phone. What starts as a phishing email can invade you phone and your life. Once they have your number, you are likely to get text message phishing attempts ('smishing messages') and phone calls until you sprain 'your block caller and report spam' finger.
Phishers gonna phish.
From: User Name <sender.name.uga.edu[at]outlook.com>
Sent: Monday, January 7, 2019 9:13 AM
To: Recipient Name
Happy New Year, Are You There?
College of Something at UGA
Reported on October 2, 2018 and October 3, 2018
Today, we've got a pair of phishes that are very similar to others we have seen before. Many of you reported Message 1; Message 2 seems a bit more targeted toward UGA departments. Sadly the first message seems to have caught one of our own and used an UGAMail address to send out more phishes.
The red flags are flying high in both these emails. Let's tackle them one at a time.
Message 1 has the following red flags:
Message 2 is a bit more complex, but the red flags are:
From: User Name <user.name[at]uga.edu>
Date: October 3, 2018 at 1:31:23 AM EDT
Subject: You have 1 new message
[Official UGA Logo Here]
This is to notify you of an important meeting.
Click here for details (The link was removed - it pointed to a bogus website.)
University of Georgia.
From: OutlookOffice365 <abadguy[at]email.net>
Sent: Tuesday, October 2, 2018 1:42 PM
To: Username <usrname[at]uga.edu>
Subject: Action Needed : 22 Undelivered Emails
Message is from trusted source.
Your Incoming messages has been blocked
Hi user[at]uga.edu ,
Most of your recently sent emails couldn't be delivered.
When the sender tried to send messages to you, the receiving email server reported an error.
Kindly follow the instruction below to manage your  Undelivered Messages as of the 1st of October 2018.
To import the blocked messages click here to FIX ERRORS (We removed the link to a Russian website.)
To delete the blocked messages click here to DELETE (We removed another link to the same Russian website.)
To save in archive click here to ARCHIVE (We removed yet another link to that Russian website.)
Microsoft IT Administrator
Microsoft Corporation | One Microsoft Way Redmond, WA 98052-6399
This message was sent from an unmonitored email address. Please do not reply to this message.
Thanks to all our Expert Phish Spotters, who reported toady's messaages to email@example.com and avoided getting caught.
Reported September 30, 2018
This phish is a bit different from others we have seen recently. It's a real attention grabber. How many of us might look at this message and think, "Oh my. Somebody's in trouble. I know it's not me. I wonder what's going on?" And then open the attachment?
Curiosity isn't just for cats, and heck, inquiring minds want to know, right?
Y'all know phishers know how to play us against ourselves. The bad guys are master manipulators. They know we'll be curious about who got in trouble and what the "incident" mentioned in the message was. The bad guys know there s a very good chance that a few of us will open that attachment. (It probably contains so sort of malware.)If you take the time to read carefully, however, you'll catch the red flags:
From: HR DEPARTMENT <noreply[at]hrdepartment.non-ugasite>
Sent: Friday, September 28, 2018 4:46 PM
Due to reported incident between few employees, there’s need to review and remind us the existing code of conduct expected of all employees.
Read and click on I AGREE TO THESE TERMS AND COMPLY.
Please NOTE THAT EVERYONE MUST READ THROUGH AND AGREE TO THE TERMS.
let me know if you have any questions.
This e-mail contains information intended only for the individual or entity to which it is addressed and may contain confidential material. If the reader of this e-mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, publication, copying, transmission, distribution or other use of, or taking of any action in reliance upon, this e-mail is strictly prohibited. bears no responsibility for any loss, disruption or damage to your data, computer or network system that may occur while using data contained in, or transmitted with, this e-mail or its attachments. If you have received this e-mail in error, please immediately notify by return e-mail and delete the material from any computer or electronic media. All customer services contained in or referred to in this e-mail, are subject to terms, conditions and approvals set by, and documentation acceptable.
Just a quick heads up to alert y'all to use caution when you contribute to any disaster relief effort. Unfortunately, scammers are willing to abuse our trust and take money meant for victims of disasters.
Disaster relief scams may start with a phone call, an email, a text, a social media post or an online ad. You may even be approached in person.
We hate to think of anyone being cruel enough to take advantage of people who are stepping up to help others affected by Hurricane Florence. But it happens. And there are a few things you can do to make sure your donations go where they are supposed to go.
First and foremost is to concentrate on legitimate, established charities that are set up to help those affected by Florence and others. How do you know which charities are legit? That can be tough, but we suggest the following:
If you get a bogus charity solicitation, or think you may have fallen for a disaster relief scam, you can report it. How?
Reported September 20, 2018
This is a quick and dirty little phish that has the potential to cause some trouble. Fortunately, it was reported quickly! Thanks to K P for being first to report this phish.
Let's take a quick look at the message. The red flags are as follows:
Don't be fooled by logos in phishing emails. It's a cinch to copy and paste a logo. The bad guys do it all the time.
From: EmailSupport <Sndr.Name[at}nonugasite.com>
Sent: Thursday, September 20, 2018 7:23 AM
To: User Name <username[at]uga.edu,>
Subject: you have 8 delayed messages
[OFFICE 365 logo]
We detected that you have 8 delayed messages which didn't get to you. This was caused due to a system error. Rectify below:
Release delayed messages <This linked to a bogus form designed to steal your login credentials.>
You control the e-mail you get from Microsoft: Unlist <This also linked to a bogus form designed to steal your login credentials.>
Getting too much email from Microsoft? You can unsubscribe
Reported August 28, 2018
Ok, Expert Phish Spotters! Thank you for bringing this phishing attempt to our attention. It took some skill to identify this one. So a shout out is due to M.A., K.W. and T.P. for reporting it. Thank you! You are amazing.
What makes this email a challenge? It’s a different from the other phishing emails we see:
This email is the start of a pretexting attack. It's a type of phishing, but it differs form the run-of-the-mill request to take action, because the criminal is attempting to start a dialog with the intended victim / recipient. It is potentially an exchange that could result in the recipient becoming the victim of a scam.
The next step in this pretexting attack would probably be the criminal asking the recipient to send important sensitive or restricted files or purchase goods online (like gift cards).
What are the clues that likely tipped off our Expert Phish Spotters? The most likely are:
It's also possible that the Director would not contact the recipient directly, or that the recipient was easily able to ask the Director if the email was legitimate.
From: Named Director <dir.name[@]gmail.com>
Sent: Tuesday, August 28, 2018 2:21:47 PM
To: User Name
Good Day User,
Are you in the office ? I have an assignment i need you to do for me.I am in a meeting and i won't be able to pick a call.
Phishers gonna phish. Keep your eyes open out there.
August 14, 2018
Hey, All Y’all – there are a lot of phishing scams going around claiming the sender took over one of your devices and recorded you “having fun” while visiting adult video (porn) sites.
Each scam is a tad bit different – and the Bad Guys are making money hand over fist. In fact, they demand $1000.00 from each victim. And they are getting it.
So here’s the deal. Somewhere, sometime, someone (a Bad Guy) got hold of a database that had some personal information, some old passwords, an email address or two and some partial phone numbers. There’s no way to be sure where this information came from. Honestly, it hardly matters: Given all the big data breaches that happen, it’s a sure thing your information is out there on the web somewhere.
Okay. Where were we? Oh, yeah. Any information in that database is more or less phish food.
All the Bad Guys have to do is drop some of that information into a threatening email, send it to everyone on their list, then sit back and wait. The money rolls in with no real effort on their part. In fact, one scam got over $50,000.00 in a single week.
Fresh Phish already talked about one of these emails, back on July 19, 2018, that used old passwords. This email uses partial telephone numbers. The darned things just keep coming. Guess you can’t keep a good scam down.
Now you gotta ask yourself (Fresh Phish is not judging):
Have you been visiting adult video (porn) sites?
From: A Bad Guy <weBvilns[@]badgusy.com>
Subject: (Part num your Hacked phone +XX XXXXXX5555)
It seems that, +XX XXXXXX5555, is your phone.
You may not know me and you are probably wondering why you are getting this e mail, right? actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean).
While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.
What did I do? I backuped phone. All photo, video and contacts. I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam. exactly what should you do?
Well, in my opinion, $1000 is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).
BTC Address: 1GYNGZLEUGkkQjHo19dHDnGE87WsAiGLLB
(It is cAsE sensitive, so copy and paste it)
Important: You have 48 hour in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with "Yes!" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.
Special thanks to Lawrence Abrams, creator and owner of BleepingComputer.com, who was the source for the example phishing email text.
Reported August 9, 2018
Every once in a while phishers go for the big targets - directors and others who are highly placed enough to be ideal victims of phishing attacks. The more highly placed a person is in an organization, the greater the possibility of a big data or monetary score exists for the phishers.
Most of us don;t get to see these sorts of attacks, so it's important that this message gets shared. As usual, you can open a bigger version of the image. (It won't work well on smartphones because the file is very large.)
The red box, arrows and blue highlighting are all indicators of red flags:
Notice that the recipient is also encouraged to share this message.
You can read the text of this message a bit further down the page.
From: Jere W. Morehead <notpresm[@]agerman.site>
Subject: ***ATTENTION REQUIRED***-from president Jere W. Morehead to all employees on August 09, 2018 !
(UGA logo here)
Dear University Of Gerorgia Employees,
It's of high importance all Employees read through on what improves the welfare of our institution,including a few organizational changes which require all Employees prompt attention.
complete the following new updated 45 seconds survey which is important to all University of Gerorgia staffs to access attach today.
Note: The message is sent out of high importance to all employees to access attach and share.
Jere W. Morehead
University of Gerorgia
Reported July 31, 2018
Phish Spotters unite! This is a very nasty scam. And it comes at a very bad time for incoming students who do not yet know that EITS will never ask them to update their accounts.
This email is a FAKE. (Phish Spotters say it loud and say it proud!)
The audacious use of the UGA logo adds a hint of authenticity to the email - but do not be fooled. Anyone who can copy and paste can steal an image off the internet.
Let's run through the red flags - warning signs that a message is a phish - shall we?
If you get a suspicious looking email and you think it might be a phish, send it to firstname.lastname@example.org or contact the EITS Help Desk at 706-542-3106.
If you know that an email is a phish, you can use your delete key - it's a great tool in the fight against phishing.
From: User Name <username[@]uga.edu>
Sent: Tuesday, July 31, 2018 10:58 AM
To: Same User Name <username[@]uga.edu>
Subject: URGENT Please read
Dear University of Georgia User
Our record indicates your email account is not updated, which may lead to the close down of your email account.
Please visit the link h--ps://www.uga.edu/ (we removed the link. It actually pointed to a site that had nothing to do with UGA) to avoid the close down of your account and keep enjoying our services
University of Georgia Team
Copyright © University of Georgia, Athens, GA 30602
Reported July 26, 2018
Wow. This phish came across the staff list serve and our Expert Phish Spotters were all over it! Y'all are amazing! Fresh Phish feels kinda unnecessary right now - but there are plenty of people who don't follow the staff list, so here we go.
So, y'all remember "Hover to Discover"?
Hover to Discover was the fastest way to figure out if this email was legit or not. If you did, this is what you saw:
The link pointed to a URL that had nothing to do with Dropbox. (You can view a bigger picture of the revealed link if you need to. It will open in this window.)
We know you are curious, so here is a look at the fake Dropbox page -which is a fake OneDrive page (Say what?):
Do not try this yourself!
Fresh Phish uses security tools to click through safely so we can see what's up. And know how to take steps to protect others from being bait for a phish; like blocking the link on campus (so you can't reach the dangerous page.)
Need a bigger image of the fake Dropbox/OneDrive page for a closer look? It will open in this window and it's not sized for viewing on phones - it's just too big for that to be useful. (BTW: the red bar at the top of the image is a built in Firefox feature.)
The message itself looks pretty legit. That means it is very dangerous! Many of us use Dropbox, so it would be tempting to click evenif we do not know the sender. Not may would notice that the link to a Dropbox page actually went to a OneDrive page.
About the only red flags for this phish are:
From: User Name
Sent: Thursday, July 26, 2018 10:00 AM
Subject: ACTION REQUIRED: I just shared a file with you via Dropbox
(username[@]uga.edu) invited you to view a file via Dropbox.
(We removed the) Go to folder (link to a fake Dropbox page.)
The Dropbox team
Tl;dr - the phishers are sending more and more dangerous emails. You need to stay alert to a lot of tricks to catch messages like this one. It definitely illustrates the fact that the criminals are trying to catch us off guard and take advantage of our trust. Pay attention. Stay off the hook.
Reported on July 25, 2018
Okay, Phish Spotters, this is the third time we have had a "Meeting Notice" phish this month.
It is also the third time one of our own has become a victim of this type of phish. We need to step up our phish spotting game.
This Meeting Notice is, unfortunately, more dangerous than any of the others we have seen before. It uses a fake CAS page to gather UGA credentials before allowing access to a webpage.
We've seen that before, but:
If you noticed that the URL is not for a UGA site, you have gone above and beyond. Few people will check the URL when presented with an authentic-seeming CAS page and a green lock icon. This is a very high quality phish!
Let's take a look at the two pages.
Now let's look at the message. Can you spot the red flags? We'll list them under the example.
From: User Name <username[@]uga.edu>
Sent: Wednesday, July 25, 2018 5:55 AM
To: Another User <nothrusr[@]uga.edu>
Subject: Meeting Notice
This is to notify all of an important meeting which is scheduled to hold 26th July 2018.
Click here for details <We removed a link to a phishing site behind a fake CAS login page designed to steal your credentials.>
University of Georgia
The red flags are:
Phishers gonna phish - it's up to us to avoid getting caught.
Reported on July 19, 2018
If you get today's fresh phish, please respond as follows:
Blackmail and extortion scams are popping up in inboxes across campus.
Always ugly, this particular type of scam uses threats and intimidation to make you react. The phishers want your money. They are willing to scare you into giving it to them.
Worried about this message?
Any time there is a data breach, user names and passwords are gathered up and sold on the internet. Hundreds of criminals could have your MyID and an old password. As long as you don't use that password anywhere else, you should be fine. If you do use that password elsewhere - go change it now.
If you look for the red flags you will find them, too.
From: Online Criminal <ima.criminal[at]outlook.com>
Sent: Thursday, July 19, 2018 3:55 AM
To:User Name <username[at]uga.edu>
Subject: re: jdoe3390 – loveU2
This is your badluck. I know that loveU2 is your password. More importantly, I know your secret and I have evidence of this. You do not know me personally and no one employed me to examine you.
It's just your hard luck that I stumbled across your blunder. Let me tell you, I placed a malware on the adult vids (porn material) and you visited this site to experience fun (you know what I mean). While you were busy watching video clips, your web browser started operating as a Rdp (Remote control desktop) that has a key logger which provided me with access to your screen and web camera. Right after that, my software program gathered every one of your contacts from your messenger, facebook, and email.
After that I put in much more time than I probably should have looking into your life and generated a double-screen video. First part displays the recording you were viewing and other part shows the recording from your web cam (its you doing inappropriate things).
Frankly, I am willing to forget all information about you and allow you to get on with your regular life. And I am about to present you 2 options that will achieve that. The above choices to either ignore this letter, or simply just pay me $ 3600. Let's understand those 2 options in details.
First Option is to ignore this email. Let me tell you what is going to happen if you select this path. I will send your video recording to all your contacts including family members, colleagues, and many others. It won't help you avoid the humiliation your household will face when family and friends uncover your unpleasant videos from me.
Second Option is to make the payment of $ 3600. We will call this my "confidentiality tip". Now let me tell you what will happen if you pick this choice. Your secret will remain your secret. I will erase the recording immediately. You keep your life as if none of this ever happened.
Now you must be thinking, "I'm going to report to the cops". Let me tell you, I have covered my steps to ensure this email message can't be tracked back to me also it will not stay away from the evidence from destroying your health. I'm not looking to steal all your savings. I just want to be paid for efforts and time I place into investigating you. Let's assume you decide to make all this go away and pay me the confidentiality fee. You'll make the payment via Bitcoins (if you don't know how, search "how to buy bitcoins" on search engine)
Transfer Amount: $ 3600
Send To This Bitcoin Address: 19diopb5QpYyURWZWXf9sWWCwNLjkHRGmH
(It is CASE sensitive, so you should copy and paste it)
Share with no person what will you be transferring the Bitcoins for or they will often not give it to you. The task to get bitcoins usually takes a few days so do not wait.
I have a unique pixel within this email, and right now I know that you've read through this e mail. You have one day in order to make the payment. If I don't receive the Bitcoin, I will send your video recording to all your contacts including members of your family, coworkers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I will erase the video immediately. It's a non negotiable offer, thus kindly do not waste my time and yours. The clock is ticking.
Reported on July 16, 2018
Long post ahead.
Did you get one of these Meeting Notification phishing messages in you inbox? Fresh Phish did. And so did many others if the reports to email@example.com is anything to go on.
This is actually the second time this phish has gone the rounds on campus this month. It's an oldie but a badie, and common as dirt.
Phishing is a type of social engineering. The bad guys send out a message in order to use your trust and desire to be included to trick you into reponding. The goal is almost always to get your personal information or your login credentials for a system or site.
How can you spot a phish? In many cases there are a set of "red flags" - common features that should alert you to the danger. Phishing is dangerous - never doubt that - and almost every big data breach has started with a phish.
Red flags in this message:
From: User Name <username[@]uga>
Sent: Monday, July 16, 2018 8:55 AM
Subject: Meeting notification
There would be an urgent meeting tomorrow, 17th July 2018.
Kindly clickhere (we removed the link to a phishing site) for more details.
University of Georgia.
Tl;dr - Expect phishing to ramp up as the academic year does. We expect to see many repeat messages and variations on them. Stay alert. use your delete key to give phishing the finger.
Reported on July 13, 2018
This phish a typical "vlaidate your account" type of phish.
Fresh Phish is happy to point out that it is highly unlikely that your email box is 98.9% full. Fresh Phish polled a few Outlook users and most have plenty of space left, even after being at UGA for several years. (You can find out how to check your UGAMail usage after the UGAAlert phish example.)
Let's take a quick look at the red flags in this message:
From: User Name
Sent: Thursday, July 12, 2018 6:04 PM
To: Same User Name
Cc: Same User Name Again
Dear UGA User
You have used 98.9% of the total data space allocated to your mailbox. To avoid placing your incoming messages on hold or lose them permanently ,we require you to validate your mailbox to expand your data allocation size.
Kindly click VALIDATE (we removed the link to a bogus page) to update your mailbox
We apologies for any inconveniences this might have caused you
How can you find out how much space you have in your email inbox?
In Office 365 do the following:
In the Outlook on the desktop:
Phishers gonna phish. Don't get caught!
Reported on July 10, 2018
This phish poses as a Microsoft Account alert - but it's definitely a phishing message.
The red flags are as follows:
From: Microsoft Office account <notification[at]outlook.postmater.cat>
Sent: Tuesday, July 10, 2018 1:31 PM
To: User Name <username[at]uga.edu>
Subject: Your message has not been delivered to the following recipients:
Message is from Microsoft trusted source.
Error Delivering Message to Inbox.
This is a system notification for Error Email Delivery.
There are many Undelivered messages for your Microsoft Office account [username[at]uga.edu]. This messages will expire and will be deleted from our main Server if not Deliver in less than 24hrs
Please follow action below to correct Email Delivery Error.
Release Pending Message (we removed the link to a bogus site in vietnam)
Microsoft Office account
To stop receiving notifications about your Email delivery?, go to Options (link points to Google) and turn them off.
This system notification isn't an email message and you can't reply to it.
From: User Name (username[at]uga.edu)
Sent: Monday, July 9, 2018 12:01:16 PM
To: A Specific Set of Supervisors
Subject: MESSAGE FROM HR DEPARTMENT
You have a new message. open with outlook app (shortened link removed) to view your message
UGA Department | Administrative Position
University of Georgia
Additional contact information
Reported July 5, 2018
Out of the sea of "final notice", "meeting notification", and "mailbox quota exceeded" emails rises a spear phish - a phishing email targeting an entire department or group.
Like a hungry shark it tries to take a bite out of an Expert Phish Spotter! And fails.
Whew. Good thing our Expert Phish Spotter was easily able to reel in this spear phish and report it. It's a very phishy message, but in the wrong mailbox it might have caused some financial havoc. What makes it so dangerous?
It has only a few of the red flags associated with a phish.
Important Director, I am so tied up this moment, Can you buy an iTunes gift card 5pieces
- $100 each? I need you to enable me to scratch the silver board at the back and help
me take a reasonable photo of the card including the 16 digits code and send it on
here, I would repay you when am through, Let me know how you would need the installment
back, either with check or cash, likewise I would have liked to call you however can't
get or call right now with my line, I might want you to assist me with it ASAP.
UGA Department Head
sent from iPhone
A special thank to P.T. for catching the REQUEST spear phish and alerting the abuse team.
Phishing email can teach anyone a lesson the hard way.
Phishing is designed to trick you into giving away information that online criminals find desirable and useful in committing crimes. We are talking crimes like identity theft or fraud, credit fraud, income tax fraud and computer fraud. Fraud is definitely a theme in online crime.
So what do all those mean?
Identity theft or fraud - Identity theft or fraud is what happens when one person steals another person's personal information and uses it without authorization. It is usually used to commit a crime (like one of the following!) The goal of identity theft or fraud is most frequently economic gain. Yep. It's all about the money.
Credit fraud - It's kind of a wide-reaching term, but at its core credit fraud often involves stealing someones identity to get credit, use it, and not pay the bills. Credit fraud involves all kinds of credit, including credit cards and loans. So yeah, getting caught by a phish could leave you on the hook for hundreds of thousands of dollars in debt. And you may not know it.
Income tax fraud - This is another broad category. What we are talking about here is someone stealing your personal info to file faked tax returns in your name. They criminals get a hefty tax return and you have to prove it wasn't really you. It could take months for you to get your legitimate tax return. Are you sensing a pattern?
On a related note, at tax time there is commonly a rash of fake IRS phone calls. Someone claiming to be from the IRS says you owe them money. They might threaten to send local law enforcement around to arrest you if you don't pay right then and there. (You can find out more about IRS scams in an earlier post.)
Computer fraud - Is using a computer to steal or change electronic data, or to gain unlawful use of a computer or system.
Most major information security breaches start with a phishing attack. This is why
you see phishing emails that ask you to confirm your account or password. Do not do
Here are four things to remember:
This is a good place to point out that phishing is not limited to email. Phone and text phishing happens too.
So be careful out there. Take time to think before you react to any email, phone call or text that asks for your personal information or login credentials, threatens to take away a service, or makes outrageous claims. Paying attention can help you avoid getting schooled.
Phishers gonna phish.
Reported on June 15, 2018
Okay, Phish Spotters!
You are making a big splash reporting the current phish that's making waves.It’s a good thing, too. This phish is posing as a University-wide meeting invite and going out to a lot of inboxes.
Let’s fillet this phish:
This fake CAS page is identical to the real one with two exceptions –
If you enter your MyID and Password, you are redirected to the real CAS page. It looks like you made a mistake and got dropped back to try again.
But don’t be fooled! Your credentials have been stolen.
It’s time to change your UGA password.
From: User Name (username[at]uga.edu)
Sent: Friday, June 15, 2018 1:06 PM
Subject: Meeting Notification
This is to notify all of an important meeting which is scheduled to hold 15th June 2018.
Click here <link to a bogus CAS login page removed> for details.
University of Georgia.
* Red flags are warning signs, they are indicators of a possible phishing attack. To learn more about red flags in shishing, visit the EITS Phish Tank.
Reported June 13/2018
Sweet whole wheat biscuits!
This sort of phishing message is one of the last things any of us need, all y'all.
It's generic enough to catch a lot of people off guard, especially if they are:
or expecting a file in OneDrive and not reading carefully.
Fresh Phish expects that students may be a bit more inclined to click on this one. Why? How many of y'all out there know the names of every other person in class with your right now?
Remember, phishers know y'all are busy. They probably know y'all use Office 365. And they can guess that "OneDrive" is going to tempt y'all into clicking.
There aren't many red flags in this one:
From: Nikitia Mexia <N.Mexia[at]leeds.ac.uk>
Sent: Wednesday, June 13, 2018 2:20 PM
Subject: Nikita Mexia has shared OneDrive Important files with you
|Course_statement.pdf (The link to a doc hosted in South Africa has been removed.)|
Be careful out there, y'all. We all know phishers gonna phish.
Reported June 11, 2018
ATTENTION. ATTENTION. This is the Fresh Phish Phishing Alert System.
If you receive the message in the example below delete it immediately. This email is a phish.
Repeat: This email is a phish. An online criminal has launched a phishing attack against inboxes that are part of the University of Georgia's UGAMail Service.
Delete phishing immediately or report any suspicious email messages to firstname.lastname@example.org for investigation.
Someone at Fresh Phish is showing their age. But that doesn't stop them from knowing that the email in our example is bogus. You can too. How?
Do a sense check. Read the email slowly and ask yourself if the message makes sense. If you do, you'll notice that:
A big shout out for M. P. for reporting this phish. Thanks, M. P.!
From: Infotech Help Desk (infotech.uniservice[at]gmail.com)
Sent: Friday, 6/10/2018 1:53 AM
Subject: Email Update (Important)
We are upgrading our database Server from our Old Server (No420134x) to a New Server (No521093x), this is and extreme measure to check against frequent email hack and to link all email account to the school data base directory fo easy accountability, validity and better services.
Please you are require to provide the Help Desk Centre with following information at Technical.uniservice[at]gmail.com (dangerous email link removed).
NB: Unverified email will lose information in email folders and will not have access to full features and information in the university database.
All your details is strictly confidential and is not to be disclosed.
Uga.edu Web Admin
©Support Administrator All rights Reserve
Reported May 31, 2018
Yep. Fresh Phish usually focuses on email messages, but phishing happens in other ways too. It's pretty common for the Bad Guys to go phishing on social media, in text messages and on the phone.
Recently there have been a few reports of phone phishing on UGA phones. Thanks to Expert Phish Spotters M.D. and D. L. G. - you deserve a big shout out for reporting the problem. Thank you. - we have a chance to get ahead of the Bad Guys.
So how does phone phishing work?
Your phone rings.
You pick up and someone on the other end says they are calling from Microsoft. (They are not. Microsoft does not make unsolicited support calls to fix our computer.)
They say, "We got a report that your computer has a virus, and is sending out a lot of information over the internet." (It is not.)
The fake Microsoft tech the offers to:
All of these choices are scams.
Choose the fix and the caller will demand your credit card number. Later they will abuse it. Nothing will get fixed, because there was nothing wrong to begin with. If they send you something to install, it's likely to be malware.
Same thing for the antivirus solution. Wave bye-bye to your credit card number and say hello to malware. You might get directed to a website to download a program to fix your computer. You could end up with a program that gives the caller:
Giving an random caller remote access to your computer is just a really bad idea. So don't do it, M'kay?
What should you do if you get a call like this?
This is an old scam: The Bad Guys keep using it because it works.
Tl;dr - Fake Microsoft techs are cold calling UGA offices. They claim your computer has a virus. It's a scam. Don't fall for it.
Reported on 5/17/2018
Don't you just hate it when phishers prey on vulnerable students? Oh, wait. They do that all the time.
It doesn't make it any better when the bad guys pose as a legit office like Financial Aid and offer fake job opportunities. And they had the nerve to use the UGA logo trick you into thinking the email is real.
First: This email is a phish. Do not be fooled. It's designed to steal personal information. Once the phishers hook you with the promise of money, they will work to get even more information out of you. After all, your employer needs your Social Security number, right?
You are expected to fill in an online application form. What a great opportunity for the bad guys to get even more information they can use to take out loans and credit in your name.
Second: Think about the numbers. If this email goes out to everyone who may receive financial aid, that would be thousands, if not tens of thousands, of job applications in response. Not many companies could cope with that number of applications coming in.
But the online crooks would love that high response rate. Hundreds of thousands of identities they could use? You betcha. Just think of the credit fraud they could perpetrate before they are caught! If they are caught. And it could take years for the victims to notice.
Third: There are red flags in this message.
The biggest red flags are:
A big shout out to Expert Phish Spotters T.P. and D.M. who were early reporters. And to everyone else who either sent this email to email@example.com or hit the Delete key to give phishing the finger.
Phishers gonna phish.
From: User Name (username[@uga.edu])
Sent: Friday, May18 2018 2:52 PM
Subject: Hi There
Office of Financial Aid 220 Holmes/Hunter Academic Building. Athens, GA 30602-6114.Phone: (706) 538-5647.
See below flexible evaluation agent job opportunity which should be of great benefit to you and could be part of with a good pay as well.
Director, Financial Aid.
What does an evaluation agent do?
An evaluation agent visit specific stores like like Walmart, Argos, Western Union, restaurants, shopping store etc,And businesses anonymously for the purpose of observing and reporting on the quality of customer service delivered. The answers submitted by our evaluation agent enable clients to make employment decisions, reward staff for excellent performance, redirect staff who perform poorly and evaluate adherence to company service standards.The evaluation agent process begins with on-line training, depending on the job assignment. After completing initial education our evaluation agent are able to select assignments, complete jobs by visiting a site or performing a telephone evaluation and finally entering job data into the online database.
Why should I become an evaluation agent?
Being an evaluation agent is well suited to anyone who would benefit from:
* Receiving free products and/or services (on certain assignments).
* Highly flexible hours.
* Contributing to a higher level of customer service.
* Having a diverse number of shopping experiences.
* You'll be able to participate in educational sessions via online training;You do not pay for this.
How much does an evaluation agent get paid ?
Evaluation agent are independent contractors who receive rewards in the form of gift vouchers,or bank deposits. In addition, on many assignments, free goods and/or services are also available. The amount you will get paid varies by the type of assignment you complete. Payments generally range between $300 to $400 per assignment.
Do evaluation agent work part-time or full-time ?
Evaluation agent should be considered part-time or casual work.
Do I need previous experience as an evaluation agent?
NO, previous experience is not necessary.Agents are recruited based on the information provided in their online application form, their aptitude and ability to meet assignment requirements.We offers extensive online training which will broaden your understanding of the job,And assist you in becoming a highly effective agent.
Remember, NO APPLICATION FEES,It does not cost you anything to get started.Send a reply to Unkownperson@anon-UGAwebsite (link removed) with your information if you are interested.
Mobile Phone Number:
Gender & Age:
Personal email address:
Recruitment Team Retail Shopper Express LLC ©2018
Tl;dr - Never trust unsolicited job offers. A logo does not make an email legit. And remember, if something seems too good to be true? It's likely to be fake.
Reported on 4/11/2018
We are sending a special shout out to BWS and SF for getting a screen shot of the mobile version of the infamous UGAAlert phishing message to us!
Why are we so excited?
Messages can look totally different depending on how they are displayed. It's possible to respond to a message on one device that you would never click on in another. (Compare this mobile version of the phish with the text version reported on 3/7/2018.)
Plus we tend to respond more quickly on our phones while we check them on the go.
Here is a quick run through of the red flags, okay?
Be careful out there.
Reported on 3/7/2018
From: User Name
Sent: Wednesday, March 7, 2018 4:22 PM
Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <we removed the link to a bogus page> for verification to avoid account closure, wait for respond from our Help-desk Service Team.
Enterprise Information Technology Services (EITS)
University of Georgia
A big thank you to all the amazing Phish Spotters who sent this message in to firstname.lastname@example.org so we could get the word out to the rest of campus! You're the best.
Reported on 2/26 - 27/2018
Sweet whole wheat biscuits! Our Expert Phish Spotters were all over this message.
Y'all have done Fresh Phish proud. Keep up the good work. Each time one of you reports a phish, you help keep UGA systems and accounts - yours included - safer.Let's take a good look at a copy of the actual message. It's a classic phish with the top 6 red flags:
A deadline (implied as right now or we will close your account.)
Implied account closure.
A 'hidden link' behind "Click Here" (EITS uses full link text that you cannot click.)
No contact information for EITS.
From: User Name
Sent: Tuesday, February 27, 2018 2:25 PM
Subject: Administrator Team
Dear Uga User,
Dear UGA User our database shows that Your Account was recently signed in from a unknown Location, please Click Here <We removed the link to a fake page at a webhosting> for verification to avoid account closure, wait for respond from our Helpdesk Service Team.
Now, just for fun, let's translate this message into Phisher-speak:
Hey you. Yeah, we don't know your name and we don't care,
We are lying to you to try to convince you that someone else signed in to your account from... someplace. We can't be bothered to make up a place. So, just trust us and click the link, m'kay?
Then you can give us your credentials. We will lie to you again, to make you panic by threatening to close your account.
Then you can wait for us to get back to you. As if.
The Bad Guys
Those bad guys are soooo disrespectful. Phishers gonna phish.
Be careful out there.
From: User Name (username[@]adifferent.edu)
Sent: Tuesday, February 27, 2018 10:44 AM
Subject: Account Payable Share A File With You
Dear Uga User,
Account Payable sent you an Important and Secured document
View Document <We removed a link to a treacherous OneDrive file.>
The Office Doc’ Team
© 2018 Office doc
Wow. Y'all are amazing! So many Expert Phish Spotters reported this email that Fresh Phish could hardly keep up. A shout out goes to the first Phish Spotter, JS, who reported this attempt Tuesday night - Way to go!
If anyone out there recognizes the bogus webpage with the big blue cloud as a place they filled in their info, please change your MyID password as soon as you can.
Here is a quick review of the major red flags in the message:
Let's take a look at the red flags on the bogus webpage, too:
Phishers gonna phish.
From: User Name
Sent: Tuesday, February 13, 2018 7:39 PM
Dear UGA Account Owner,
To complete your Account- UGA Webmail email account settings, you must fill our verification form immediately and provide the information requested. To SAVE your contacts and documents in your Mailbox, you are requested to fill in the verification accurately,
Click on the link below and follow procedures as advised bellow
To Upgrade Your UGA Internet Access Settings! CLICK HERE<link to a bogus page at a webhost has been removed>!
Thank you for your Co-operation.
Copyright ©2018 The UGA Internet Access
Terms of Service
© 2018 UGA
Tax fraud is big business. Criminals steal your Social Security number, make fake
W2s and file a tax return while claiming to be you. Even if you don't expect a refund
you can still be a victim of ID theft and tax fraud.
File your taxes as soon as you can. Beat the bad guys. If you don't you may end up being the one who has to prove who you are. It can take several months, if not longer to get your refund back if you get caught up by a scam.
Last year was a rough one - the IRS lost a lot of taxpayer information and Equifax got hit hard in a data breach that affected millions.
2018 Dates to know:
Filing Deadline - In 2018 the official tax deadline is Tuesday, April 17th. (April
15th falls on a Sunday and the 16th is Emancipation Day in Washington D.C.)
Possible Delays - You should also be aware that refunds that claim Earned Income Credit or Additional Child credit are likely to be delayed this year. It seems that criminals love to use those credits for tax fraud, which means more work for the IRS to confirm the credits are legit.
Popular scams to lookout for in 2018:
Tax relief scams - These don't seem to be as big this year, but if someone offers
to reduce your taxes be alert to scams. Especially if money needs to be paid up front
(the scammers will take it and run). If you need to use a tax relief business, check
them out thoroughly first.
Federal Student Tax – Did you receive a bill for the Federal Student Tax this year? No? Good, because it doesn’t exist. Be prepared. You may be contacted by scammers if you are a student or the parent of a student.
Phishy Tax Preparers - Criminals may claim to be Tax Preparers to trick you into giving away your personal information. If you get an unsolicited email from a tax preparer, avoid clicking on links or opening attachments. Just delete the message. Also, if any tax preparer asks you to pay cash for part of all of your taxes, that's a huge red “it’s-a-scam” flag.
Fake IRS Agents
Every year criminals posing as IRS agents call and attempt to scare you into complying
with their demands. Don’t be fooled! If there is a problem, the IRS almost always
makes first contact by sending a letter through the US mail.
Have you gotten a call from a bogus IRS agent? Scammers like to use common names like John Jackson, Mike Smith or Anne Jones when posing as IRS agents. If they give you a badge number, they’ll often say it too fast for you to jot down. How do you tell the real agents from the fake ones?
Real IRS agents will not:
Criminals often spoof phone numbers so your caller ID might display the correct IRS phone number or ID when a scammer calls. Bogus IRS calls happen so frequently that the IRS has an "IRS Impersonation Scam Reporting" website.
Talk to older family members about fake IRS calls. Criminals won't hesitate to bully
older familiy members into complying with their demands.
Filing Online - Be super careful when filing your taxes online. Only do it on a secure computer connected to a secure network. Unencrypted connections can easily be intercepted by crooks who are watching for them. The crooks insert themselves into your transaction and grab your personal information without alerting you to the attack. So, no filing your taxes at the local coffee shop, even if you really need the caffeine.
Tips for avoiding tax time scams:
File your taxes early! Get your refund in before the criminals do. Even if you owe taxes this year, the criminals can file a fake return that may launch an IRS investigation. Protect yourself.
Be alert to the fact that successful early filing does not guarantee that your personal information is safe.
Use the "Where's my Refund?" tool at the IRS site to track the status of your refund.
Consider getting an Identity Protection PIN (IPPIN) from the IRS if you qualify. Use your IPPIN along with your Social Security Number to make filing your taxes more secure.
Know your rights as a taxpayer. Didn't know you had any? Check out the Taxpayer Bill of Rights for more information.
Stay informed. The IRS has a page about Tax Scams and Consumer Alerts and a Google search will get you a lot of information.
Get a phishy email? - If you get an email claiming to be from the IRS you can forward it to email@example.com
Think you're a victim of ID Theft? - Tell the IRS right away! File a form 14039 to report the theft of your identity. The IRS will send you a letter with follow up instructions (it can take a while.)
Phony IRS Agents? - Report the call to the Treasury Inspector General for Tax Administration (TIGTA) via their IRS Impersonation Scam Reporting web page or call (800) 366-4484.
Let the Federal Trade Commission (FTC) know via their FTC Complaint Assistant. Include "IRS Telephone Scam" in the notes to let the FTC know what’s up.
Tl;dr -Protect your identity and your refund this tax season. Don't fall for scams or fake IRS agents and file your taxes as soon as you can.
Reported February 3, 2018
Let's start with a shout out to LJ, who was the first person to report this email. Thank you, LJ!
Netflix scams are pretty common. This particular one is similar to one that has made the rounds at least once before.
A close look at this message should set off your phishing alarms. Starting at the top:
If you are worried about the email, open a new window in your browser, type Netflix.com in the search bar and log in as normal.
Or you could just Google "Netflix scam" and find out all about this email and others like it.
From: Service [mailto:service[@]prime-excel.com]
Sent: Saturday, February 3, 2018 7:03 PM
To: User Namer <usernamer[@]uga.edu>
Subject: Something went wrong : update your payment method
NETFLIX Team Service
Please update your payment method
Sorry for the interruption, We were unable to bill your membership for the current month. To ensure that the service will not be interrupted, visit www.netflix.com/update-accountpayment [We removed the shortened link that pointed to a bogus page designed to steal your payment info] to Netflix then you will be prompted to update your payment method.
Need help ? Were here if you need it. Visit the Help Center or contact us now.
Your friends at Netflix
Questions? Call 1-888-811-9842
Tl;dr - The phishers are at it again, and they are targeting your Netflix account username, password and credit card information. The phish is recycled, but it is still catching some people off guard.
Phishers gonna phish.
Spring is in the air and graduation is coming up fast; so are bogus job offers. Phishers love to offer bogus jobs at routine times of the year.
Around Christmas we see a lot of Secret Shopper offers. And work from home jobs.
In the spring the bad guys try to tempt soon-to-be grads with prestigious sounding internships or summer work.
How do you spot these scams? Here are a few tips:
Be careful out there.
Reported January 4 - 5, 2018
Welcome to the new year and new phishing attacks.
In the last couple of days Fresh Phish has seen some incredibly shiny lures in our inboxes. The two that follow really made us sit up and take notice.
The first message really is a first: The first Docusign phishing message we have seen.
For those who are not familiar with Docusign, it's a service that lets you exchange and sign documents with digital signatures. So if you have a document that needs to be signed by someone in another city, state, or even another country, you can use digital signatures to complete your business electronically.
The Docusign phish (Message 1) looks legit. If you commonly do business online, it may very well fool you. It is clean, professional and extremely tempting to click the button to "Review Document". In fact, it is among the best phishes we have ever seen.
Expert Phish Spotters were slow to report this message, which leads us here at Fresh Phish to believe it may have been very tightly targeted. So how did our experts catch this phish before it caught them?
Their carefully honed phishing radar was set off when by noticing that the sender and recipient were the same person.
Plus they didn't have any investment business transactions to complete. Yep. That last line was the clincher. Why would anyone send an investment document for your signature if you had no investments to review and sign off on?
The "One Drive" phish (Message 2) is far from well done. It offers a lot of red flags useful in spotting a phish:
Message 2From: One Drive <onedrivemsg[@]anotheruniversity.edu Sent: Thursday, January 4, 2018 To: username Subject: URGENT: You have a secure message
(Official looking OneDrive logo here)
You have a message waiting for you within the one drive communications area.
Click here (Link to a hotel site removed for your convenience) to view message
One Drive Cloud © 2018 . All rights reserved.
Tl;dr -Some of the recent phishing messages in our inboxes have been highly professional. Take time to really look at your messages before responding: Resist the urge to follow the link or click on the button. We know it's hard. Curiosity is a very human trait. But applying a bit of attention and critical thought can save you from the headache of compromised credentials.