Skip to Page Content
section image picture

Office of Information Security

Fresh Phish Archive: 2015

This archive contains examples of actual phishing emails received at UGA in 2015. The archive starts with the first email recorded for Fresh Phish in July 2015 at the page's inception.

These examples are being archived as a way of demonstrating that the more phishing changes, the more it stays the same. You can also view phishng emails from 2016.

The messages' subjects may shift from time to time, but they tend toward certain types.

And some messages are classics, used again and again, with only minor alterations.


 

Reactivate Your ID

Reported 12/9/2015

It has been fairly quiet here at the Fresh Phish page for a while. Most of the phishing messages we have seen lately have been the kinds that our phish spotters are used to. And they know better than to fall for them. Our phish spotters are among the finest!

We got a real doozy today. Fortunately one of our expert phish spotters was on the ball. Boy howdy! Take a look at this gem! 

The language is very good and the grammar is decent. It uses an effective set of scare tactics guaranteed to terrify any student. There are a few small clues to indicate that this message is a fake, but it takes some closer reading than usual to spot the problems.

If you're paying attention, and are particularly skeptical, you might wonder why the library system is in control of grades, registration and financial aid. If you are panicked, you won't even think about it.

To make things even worse, the original email used the sign off of a highly placed administrator for a little extra terror and authenticity.

The 'activate your ID' link was set up to drop anyone who clicked on it into a fake Central Authentication Service (CAS) web page just like the one you go to to sign in to almost all UGA web services. After providing your MyID and Password, the fake page seamlessly redirected to the real page and made it seem like you had made a mistake entering your credentials. 

Remember, you can position your mouse over a link -without clicking -and see where it will take you. An expert phish spotter, might have noticed that the fake page URL started with 'http' instead of the secure 'https' of the real CAS page.

From: Sender@uga.edu <sender@uga.edu>
Sent: Wednesday, December 9, 2015 6:21 AM
To: Recipient
Subject: Reactivate Your ID


Dear All Students of University of Georgia ,

We are experiencing a problem in our server that all students need to re-activate their ID.This is due to the implementation of a new library system. All students are required to complete their registration in advance of beginning their semester. This will enable us proceed their classes to be started on time. Please visit following page to activate your ID [link removed].

Consequences of Incomplete Activation



* Students will not receive grades for courses attended.
* Once classes begin, students cannot add, late add, or late drop courses for the current semester.
* Students are ineligible to register for future semesters.
* If receiving student loans, the student may enter a repayment status with lender.
* If receiving student aid, some aid sources may be cancelled and unable to be reinstated at a later date.
* If receiving an award, the student cannot be hired.
* The University reserves the right to cancel an incomplete registration for failure to pay tuition and fees.

We recognise that you want to succeed and that your time is a very precious commodity and so through Off-Campus Connection, the website for University off-campus students, you'll be able to find out what you need with a minimum of fuss. We are always looking to improve and update our website, and so welcome your comments and feedback [link removed]. Send them along to us at the Off-Campus Learning Centre.

===============

Official signature of a highly placed administrator

You should only enter your username and password on pages that are secure. Look for the 'https' at the start of a URL and a lock icon in the address bar. In some browsers the name of the security certificate owner is displayed next to the lock. The lock and owner's name may also appear in green text on certain browsers.

UGA MAIL TEAM!!

Reported 10/30/2015

Here is another phishing email very similar to many others we have been seeing lately. As you can see, people are still falling for these scams and giving away their UGA MyID and MyID password.

As a special treat to go with this phishing trick, we have provided a screen shot of the page that the ClickHere link will jump to. You can safely get an idea of what others see right before that fall for the scam and submit their credentials.

From: User Name <user.name@uga.edu<mailto:user.name@uga.edu>>
Date: Friday, October 30, 2015 at 1:42 PM
To: Same User Name <same.user.name@uga.edu>
Subject: UGA MAIL TEAM!!


Secure Mails!
Dear Customer,

It has come to our attention that your email has exceeded limits and require to be validate within 24hours.
ClickHere[link removed] to Update your account.

Regards,
Customer Team
UGA  MAIL

The image below is taken from a screen shot of the page that links from the UGA MAIL TEAM!! phishing email posted on 10/30/2015. This is not an EITS webpage. It is hosted at an Australian website called "dogwalkingandmindingbrunswick" which may have been hacked (or created just for setting up a phish trap.)

Anti Spam phishing page.

The text is a bit hard to read at this size.  The top line reads, "Activate your mail security to avoid deactivation" and the second line reads, "Your email will be disabled after 7 days if anti-spam is not activated" These warnings are followed by a prompt to "Please log in" along with form fields for E-mail address and Password.

EITS uses a Central Authentication Service (CAS) for UGA web services.

You will see a green address bar with University of Georgia and a lock in some web browsers. In others, University of Georgia will appear in green text along with the lock icon. This is an additional security measure to ensure you are visiting the actual UGA CAS website. If you do not see this, do not type your MyID and password.

Information or UGAMail Update

Reported 10/23/2015

All right, phish spotters! We have here a copy of the original phish coming in from off campus and almost identical message being sent out to the contacts of a compromised UGAMail account. We apparently have two phishers using the same message as bait. Unfortunately, one of our own got caught by this scam.

Did any of you question the number of emails set as the limit in this phish? Evidently you are not allowed to have more than 23,432 messages in your account. That's a load of something noxious! Messages vary in size, why would an email system use count, rather than capacity, as a limiter?

These scam messages are aimed at UGA in the millions. Many of them are similar, or at least contain similar types of content:The upgrade your email type messages have been arriving thick and fast lately. Are you starting to see one of the major challenges of fighting phishing?  Yep. The sheer numbers make it easy to catch someone not paying attention. And it only takes one mistake to compromise your account.

By the way, the links we removed pointed to mailupdradgecenter.weebly.com. It looks like the cyber crooks misspelled 'mailupgradecenter' to get past any phishing filters.

From: Gold, Leslie <Leslie.Gold@anoffcampus.org>
Sent: Friday, October 23, 2015 1:17 PM
Subject: Information.

Your UGAMail has exceeded 23,432 mailbox set limit by
Web Service / Post Master

Please update by clicking on the below link and fill in the information
 in order to verify your UGAMail account
Clicking Here [link removed]
My Site

Read more... [link removed]

====

From: User Name <username@uga.edu>
Sent: Friday, October 23, 2015 1:45 PM
Subject: UGAMail Update

Your UGAMail has exceeded 23,432 mailbox set limit by
Web Service / Post Master

Please update by clicking on the below link and fill in the information
 in order to verify your UGAMail account
Clicking Here [link removed]

Did you know that a widely referenced study showed that the most vulnerable population when it came to phishing attacks was 18 to 25 year olds? That encompasses the bulk of UGA's student population - from freshman to graduate student.

Fall 2015 Scholarship for UGA Students - Deadline Extended

Reported 10/16/2015

Hello, phish spotters!  Today's phishing message is particularly heinous — it is designed to prey on perpetually broke students. By promising a chance at scholarship money, the message lures students in need to apply and give away their personal details.

If you think the offer in this email is too good to be true, you are correct. Ask yourself a few questions about this offer:

  • When has applying for several thousand dollars in scholarship money taken less than a few hours? This scam expects us to believe it only takes 5 minutes!
  • And why on earth would Snappy Panda want to give scholarship money to people who have already graduated?
  • What about the offer of more free money if you become a member? We'd be willing to bet that requires a credit card number.
  • Just what sort of scholarships can you win monthly? With no GPA? No recommendations? No work whatsoever?
  • How gullible does Snappy Panda think we are?

Just to be thorough, we Googled the company name and found nothing.  West Byron Street in Chicago does not seem to have a 300 block; 1000 is its lowest address number. 

Even the unsubscribe link in this email looks sketchy. Did you know that in many cases clicking the unsubscribe link just confirms that your email address is valid? That means more spam and phishing messages for you! Instead of clicking the unsubscribe link, right click the message and block the sender. That will send any more mail from Snappy Panda to your Junk Folder and you can delete it from there. Or, you can just delete the message from your inbox.

From: Snappy Panda <students@snappypanda.com>
Subject: Fall 2015 Scholarship for UGA Students - Deadline Extended

All UGA Bulldogs: Important Information Inside!

Current students and recent alumni are eligible to apply for the Fall 2015 $10,000 Scholarship brought to you by Scholarship Points.

Just a simple 5 minute survey and you are done!

Limited number of students accepted. Click below NOW!
scholarship.snappypanda.com/ [link removed]

logo.jpg  [logo and logo link removed]

Join ScholarshipPoints.com and Win Scholarships Monthly

Become a ScholarshipPoints program member for chances to win scholarships every month. There are no GPA requirements, no essays and no letters of recommendation required. Just fun and scholarships.
Read more... [link removed]


Good luck!

Cassie Higgins
Campus Coordinator, University of Georgia
Snappy Panda
303 W Byron St Unit 4A
Chicago, IL 60613

If you wish to unsubscribe, please click here [link removed]

Important UGA Notification; HELP DESK; E-mail account limit quota; Upgrade Your Account; WARNING and For Staff and Students!!!

Reported 10/10/2015 - 10/12/2015

Okay, people. We are trying something new today.  Our number of expert phish spotters are growing. We are spotting and reporting more and more phishing messages as our skills grow. This, unfortunately, means that the phishers have to step up their game to fool us. And that is an entirely different kettle of phish.

Today we are going to look at six messages making the rounds. They have many of the red flags we associate with phishing. (If you need help recognizing the red flags, they are listed on our Phishing page.)

What else do these emails have in common?

  1. They have all been sent from compromised uga.edu email accounts.
  2. They all ask the recipient to take action to make a change to their uga.edu email account.
  3. Each message contains a concealed (you need to mouse over the link to see where it will go) or shortened link for the recipient to click.
  4. Each message claims to be, or implies that it is from, the EITS Help Desk or an EITS Mail Administrator.
  5. NONE of these messages are from EITS, the EITS Help Desk or an EITS Mail Administrator.
  6. Every single one is from a scammer.

EITS will not ask you to confirm your account details in an email.

EITS will not ask you to CLICK HERE to change, activate, update or confirm account information.

EITS will not send you to a non-UGA page to fill in a form with your account information.

Do not give your details to the scammers!

Message 1

From: User Name
Sent: Saturday, October 10, 2015 5:32 PM
To: Same User Name <username@uga.edu>
Subject: Important UGA Notification

Due to database maintenance equipment that is happening in our mail message center. Our message center must be reset. The maintenance of quarantine will help us avoid this dilemma every day and with the new improved software will provides our users with a mail system and new security system from hackers to protect our users from getting their accounts being hacked. To validate your mailbox, kindly CLICK HERE [link removed].

====
Message 2

From: User Name
Sent: Friday, October 9, 2015 6:48 PM
Subject: HELP DESK

This is an Email Service Alert from Helpdesk. This is to inform you that your mailbox has exceeds its storage limit, you will be unable to receive and send emails. To re-set your Account Space on our database, prior to maintain your INBOX from 20G to 20.9G. CLICK[link removed]HERE[link removed] to Activate.

Warm Regards,
Helpdesk Administrator.


====
Message 3

From: User Name
Date: Mon, Oct 12, 2015 at 4:13 AM -0700
Subject: E-mail account limit quota
To: Same User Name <username@uga.edu>


You have exceeded your University E-mail account limit quota of 250MB and you are requested to expand it within 48 hours or else your University E-mail account will be disable from our database. Simply CLICK HERE[link removed] with the complete information requested to expand your E-mail account quota to 2GB.

====
Message 4

From: User Name
Sent: Friday, October 09, 2015 1:14 PM
Subject: Upgrade Your Account

Your mailbox uga edu has exceeded its storage limit to set your e-mail administrator, and you will not be able to receive new mail until you re-validate it.

Click on the link[link removed]
and login your information to re-validate your email account.

Thanks
2015 Webmail Help Desk Administrator.

====
Message 5

From: User Name
Date: October 9, 2015 at 6:05:46 PM EDT
To: Same User Name <username@uga.edu>
Subject: WARNING

This is an Email Service Alert from Helpdesk. This is to inform you that your mailbox has exceeds its storage limit, you will be unable to receive and send emails. To re-set your Account Space on our database, prior to maintain your INBOX from 20G to 20.9G CLICK HERE[link removed] to Activate.
 
Warm Regards,
Helpdesk Administrator

====

Message 6

From: User Name
Date: October 10, 2015 at 10:48 AM EDT
To: Same User Name <username@uga.edu>
Subject: For Staff and Students!!!

We are increasing our security database against spam mails, view link below to Increase your mailbox security.  https://www.cognitoforms.com/NAMEOFFORM [form name altered and link removed).

 

AVAST logo

[removed]

This email has been checked for viruses by Avast antivirus software.
www.avast.com [link removed]

Are you curious to know how much space your UGAMail box has? Check your account info under Mailbox Cleanup to find out. 

Update

Reported on 10/6/2015

It's a busy day for Fresh Phish! Many expert phish spotters have reported this email to the abuse email address. Keep up the good work phish spotters!

Let's take a look at this sparse message. What sorts of questions should you ask yourself when you see a message like this?

It's clear that the sender is someone at UGA, so the email address is legit (that's why it probably did not land in the junk mail folder.) But that 'To' address should be setting off warning bells right away. Why would you be receiving this message?

The subject "Update" is way too generic for comfort. And that link? Strictly to be avoided. Not only is it a dangerous Click Here link, but just what data info are you supposed to be confirming? For what reason? And for who?

Did you remember that you can move your mouse over the link (DO NOT CLICK!) and see where it goes? It links to formlogix.com and includes an indecipherable form name. Definitely not safe — especially when you consider all the other problems with this message.

Sadly, we have another compromised uga.edu email account.

From: User Name <username@uga.edu<mailto:username@uga.edu>>
Date: October 5, 2015 at 8:10:11 PM EDT
To: "Upgarde@account.com<mailto:Upgarde@account.com>" <Upgarde@account.com<mailto:Upgarde@account.com>>
Subject: Update


Please Click Here [link removed] to confirm your data info

Thanks

User Name

Last Warning!!! Upgrade To Secure Your Account

Reported 10/7/2015

Okay, people, we have seen emails like this before several times. This one has been included because of one or two differences.

First, it's hard to tell from the email with the user's name removed (no finger pointing, remember?) but this message came from the user to the user. In other words, the message was mailed from the uga.edu email account to the same account. I am sure we all occassionally send messages to ourselves as reminders — but not this kind of message. It is clear that this account has been compromised.

Second, take a look near the bottom of the message where is reads, "This email has been checked for viruses by Avast antivirus software."  The scammer who designed this phishing message included this tidbit to re-assure whomever got the message that it was safe. Talk about playing on someone's trust.

This is a perfect example of social engineering. Avast is a well known antivirus program. If a message has been scanned by an antivirus program we tend to trust that it is safe. This message is only safe if you delete it. The danger is at the end of the link. That is where the scammer expects you to give away your user name and password and other personal detail. It's also wher the scammer will have the opportunity to infect your computer with malicious software.

That said, it is possible for the most sophisticated phishing attacks to execute hidden code if you open the message. UGA uses Outlook to help prevent automatic running of hidden code, scripts, and files that are executable.

Outlook also has good junk mail filters to help keep messages like this out of our inboxes. Why did the filters not work on this message? It came from a trusted source. The sender, User Name, has a trusted uga.edu email address. If Outlook did not trust email from uga.edu addresses, all our mail from UGA-based senders would end up in the junk mail folder.

From: User Name
Sent: Tuesday, October 06, 2015 5:26 AM
To: Same User Name <username@uga.edu>
Subject: Last Warning!!!Upgrade To Secure Your Account

Your mailbox is almost full and out dated.

1.93GB

2.01GB

This is to inform you that our webmail Admin Server is currently congested, and your Mailbox is out of date. We are currently  deleting all inactive accounts so please confirm that your e-mail account is still active by updating your current and correct details by CLICKING HERE [link to <supportadminportal.0gf.net>removed]

Regards,
Thanks,
Admin Department
©2014-2015 UGA Help Desk, All rights reserved.

________________________________
[Avast logo]<https://www.avast.com/antivirus>


This email has been checked for viruses by Avast antivirus software.
www.avast.com<https://www.avast.com/antivirus>

Admin

Reported 9/25/2015

Well, here is an interesting development. Whoever wrote today's phishing message actually referenced EITS! At least one person's account was compromised because of this somewhat convincing phishing message.

The red flags are there if you take the time to look.  Can you spot the red flags? Read carefully.

Did you spot them? Okay. Let's take it from the top.

  • The 'To' field shows a generic non-UGA recipient
  • The greeting is generic too
  • The grammar in the message is poor - not to mention the punctuation!
  • There is a call to action (Click HELP DESK TO UPGRADE)
  • The message includes a link for you to click (it linked to formlogix.com, a non-UGA website)
  • The message threatens loss of service

The signature on this message is also suspect: Why would EITS add a copyright notice to this email? Using the word 'Copyright', the copyright symbol and an 'All Rights Reserved' statement is an attempt to make the message look official and nothing more.

So you see, if you read and react to this email quickly and without careful thought, you just might become a phishing victim

From: "User Name" <username@uga.edu>
Subject: Admin
Date: September 24, 2015 at 7:34:12 PM EDT
To: "info@accountant.com" <info@accountant.com>

 
Dear UGA User,
 
Due to latest Microsoft account upgrade all UGA mail account users are advice to re-validate his/her account
 
Click HELP DESK TO UPGRADE [link removed]
 
Failure to do this, you may not be able to send or receive mails from your UGA account
 
Sorry for the inconvenience
 
Thanks
EITS - Enterprise Information Technology Services University of Georgia
Copyright © 2015 UGA  All rights reserved.

 Important Course Error Alert®

Reported 9/15/2015

This email is an unusual and interesting phishing attempt. UGA uses Blackboard in eLearning Commons (eLC) and blackboard.com is a legitimate company site. Anyone who has been around campus for a few years may have fallen for this phish if they let their guard down or were not paying attention.

Some of the phishing red flags are present: Generic recipients, generic greeting, a touch of jargon, and an attempt at authority. But overall, the message itself is fairly well crafted. It would probably seem official at first glance. The use of the registered trademark symbol at the end of the subject line and a reference to the Collaborate product in the link are both nice touches.

The link in this example has been removed, of course.  In the email it was possible to hover our mouse over the link -without clicking it - to see the actual link destination: a tinyurl.com link.  What's the big deal, you ask? TinyURL is a link shortening service - it takes a long link and creates a short, renamed link from it. The short link hides the true destination of a click through. That means you have no way of knowing where that link will actually take you. Criminals frequently use shortened links in phishing.

TinyURL was on the ball. By the time our security team investigated this email, the phishing link had already been blocked on tinyurl.com.

From: Blackboard <blackboard.learn@blackboard.com>
Date: Tue 9/15/2015 2:53 PM EDT
To: Recipients
Subject: Important Course Error Alert®

Dear user,

You have received a new message from your University Technology Admin posted to you through the Blackboard Learning System.

http://collaborate.blackboard.com/course/messagecenter%2373523 [link removed]

Regards,
BlackBoard learning.
Admin Management

Dear University of Georgia Email User

Reported on 9/10/2015

Here is a tricky one that comes from an @uga.edu email address. This is a great opportunity to practice questioning the sender's identity. It turns out that the original message did not come from someone who represents either the University or EITS.

We have gotten several reports of this email over the last day or two. Thank you, expert phish spotters!

Let's check the phishing red flags hit list:

  • A suspicious looking sender (does not represent UGA or EITS) - check!
  • A generic recipient, subject line and greeting - check, check and check!
  • Wants you to take action (log in to your account on a separate webpage) - check!
  • Sets a close deadline for compliance - check!
  • Features poor grammar and/or spelling (in this case, punctuation) - check!
  • Threatens loss of service unless you CLICK ON THE LINK BELOW - check!
  • Tries to induce a strong emotion (worry or panic) - check!

And in a red flag bonus round:

  • Uses jargon to sound authoritative - check!
  • The webpage where you are supposed to log in, cognitoforms, is not a UGA web page - check!

Sadly, at least one individual was caught in this phishing attempt. Remember, UGA will never ask for your password in an email. UGA will not ask you to log in to, or re-validate, your account on a non-UGA web page.

From: User Name<username@uga.edu>
Date: 10/09/2015 10:03 AM (GMT-05:00)
To:
Subject: Dear University of Georgia Email User


Dear University of Georgia Email User


This Email is from University of Georgia Administration, We have been monitoring this account through our server's log file and have noticed that this account is been accessed from different distinct location simultaneously and also been used to send out spam messages as against the University of Georgia policy, for security purpose we will be shutting down your Account  unless you  CLICK ON THE LINK BELOW and log into your account in order for us to re-validate your mailbox automatically . Or copy the link and open in a new window


https://www.cognitoforms.com/WebmailProvider1/UGA [link removed]


Failure to update this account after three days of receiving this warning will be tantamount to losing this account permanently.


Thank you for using our email.


Copyright ©2015 University of Georgia Administration

Upgrade Your Account

Reported on 9/4/2015

If you think this email looks familiar, you are correct! Many expert phish spotters have reported this to abuse@uge.edu already today. Well done!

This is the same phishy wool that some scammers tried to pull over our eyes in mid-August. They upped their game by adding "official seeming" uga.edu references to make it look more serious. We know it's just a phishing message, don't we? The message comes from an @uga.edu email address, but it still features a generic greeting. It promises us big improvements and more secure UGAMmail if we click the link.  Sadly, it looks like someone's UGAMail account has been compromised.  This just goes to remind us that phishers gonna phish. If this shows up in your inbox, please delete it.

From: User Name <username@uga.edu>
Date: September 3, 2015 at 7:48:31 PM EDT
Subject: Upgrade Your Account

ATTN: UGA ACCOUNT USER,

Due to our database maintenance equipment that is happening in our uga.edu<http://uga.edu> mail message center, This maintenance of quarantine will help us avoid this dilemma every day and with the new improved software it will provide our users with a new security system to protect our users from getting their accounts hacked.

We recommend that you update your uga.edu<http://uga.edu> account now to avoid termination or account de-activation.

UPDATE CLICK HERE [link removed]

As always, your privacy and security are of utmost importance to us. We apologize if you have experienced any difficulties due to this situation, and please know that our technical staffs are working to solve the problem.

Thanks for your anticipated co-operation,
uga.edu<http://uga.edu> Webmaster.

NOTICE

Reported on 8/24/2015

This variation on the 'Support' phishing email reported on 8/18/2015 is a perfect illustration of how phishing attempts get recycled. But this message has a dangerous twist. A quick scan might not catch the poor grammar in this short message and the link provided might look authentic at first glance. UGA does use Office 365, but that URL is totally wrong. It links to a site called 16mb.com and has nothing to do with Microsoft or Office 365.  The only other red flag on this message is the mailto address for the sender. Nearly two dozen phish spotters have reported this email to abuse@uga.edu today. Well done!

From: "ADMIN" [mailto:ctencuentro@speedy.com.ar]
Sent: Monday, August 24, 2015 12:37 PM
Subject: NOTICE

Your e-mail account was LOGIN today by Unknown IP address,click on the Administrator link below to validate your e-mail account or your account will be temporary block for sending more messages.


Click or copy and paste in your browser; http://365weboffice.16mb.com [link removed - do not copy and paste in your browser]

Warning

Reported on 8/18/2015

This email message is not as tricky as it seems at first glance if you are an expert phish spotter.  If you are just getting started, though, it may be a bit challenging. There have been a few variations on this theme cropping up around campus. Even though the sender and the recipient are associated with uga.edu addresses suspicious looking. Once you begin reading the email, punctuation and grammar mistakes are obvious. Responding to this email will not prevent your account from being hacked. In fact, you will be giving away information that will allow your account to be hacked. The message is also confusing, hacking, termination, or deactivation are all used as threats. These criminals really want you to panic! Don't fall for this scam - you are smarter than they are.

From: noreplyy@uga.edu
Date: August 17, 2015 at 18:34:28 EDT
To: iinfo1@uga.edu
Subject:WARNING

Uga.edu Update.


Due to our database maintenance equipment that is happening in our Uga.edu mail message center, This maintenance of quarantine will help us avoid this dilemma every day and with the new improved software it will provide our users with a new security system to protect you from getting your accounts hacked.


We recommend that you update your Uga.edu account now to avoid termination or account de-activation.


UPDATE CLICK HERE [link removed]


As always, your privacy and security are of utmost importance to us. We apologize if you have experienced any difficulties due to this situation, and please know that our technical staffs are working to solve the problem.


Thanks for your anticipated co-operation,
Uga.edu Webmaster.

 

Support

Reported on 8/18/2015

It's a big day for phishing today. Here is another message that many people are reporting through the abuse@uga.edu  email inbox. As we take a look, our first question should be, "Who is A. D. Garner and why is he or she emailing me this warning?"  There are no names listed in the 'To' field and no-one is addressed by name. There isn't even a signature! Four phishing red flags in row should have you reaching for your delete key. The grammar is off and the punctuation in the body of the email message is poorly done. The criminals are being a bit clever, though, and using an IP address known to belong to a major spam network (you can look it up if you want). That administrator link is also a dead giveaway - if you had any doubts about this being a phishing message they should be all gone by now. Not only is the actual link hidden behind 'Click here now', but it directs you of a non-UGA website called formscraft.com. No signature or contact information are included to make the email look official. As full of red flags as this email is, you should not even consider it as anything other than a phishing attempt.

From: A D Gardner
Sent: Tuesday, August 18, 2015 6:53 AM
Subject: Support




Your e-mail account was LOGIN today by Unknown IP address: 103.240.180.228, click on the Administrator link below and LOGIN to validate and verify your e-mail account or your account will be temporary block for sending more messages.

 CLICK LINK BELOW <https://formcrafts.com/a/13828<http://formcrafts.com/a/13775> [link removed]

 

Dear Uga Customer

Reported on 8/13/2015

This message is a bit trickier than some phishing messages. It has been sent from an '@uga.edu' email address that has probably been compromised by another phishing attack. At first glance, you might be tricked into accepting this message as legitimate. It is not. There are other indications that this is a phishing attack. In the subject line and the greeting 'Uga' is not in all capital letters. The recipients are listed as located '@customercare.com' - which is definitely not an official UGA address. The grammar used in the message is poor. The 'Click Here' link points to a tricky URL that has been disguised to look like a uga.edu link - take a closer look; uga-edu (uga dash edu) is not the same as uga.edu (uga dot edu). The link would actually take you to a phishing site in Spain. Not to mention that EITS would not ever send you an email message like this one.

From: "User Name" <username@uga.edu<mailto:username@uga.edu>>
Date: Thu, Aug 13, 2015 at 12:44 AM -0700
Subject: Dear Uga Customer,
To: "info@customercare.com" <info@customercare.com<mailto:info@customercare.com>>

Dear Uga Customer,

It is strongly recommended that you update your uga.edu account now. There are series of issues about misuse and theft of our customers uga.edu account informations. We have update our security server for the year 2015 to enhance your online security and protect our customers from online fraud.

Click Here<http://uga-edu.esy.es/> [link removed], to update your uga account.

We Are Here For You.

Thanks for your anticipated co-operation,
uga.edu Webmaster.

 

Notice

Reported on 7/29/2015

This phishing email is pretty poorly done. Let's start at the top by asking a question. Who is this person, and how does he or she represent the University of Georgia? If the message was sent to a gmail address, why is it in your UGAMail account?  The sender does not address you by name ( a common phishing message giveaway.) A closer look reveals other strong phishing indicators in this message. The first sentence runs into the second. The next sentence is incomplete. Asking for 'your online data' should be a red flag, as should having to click an oddly constructed jimodo.com link for anything to do with UGA business. Finally, updating a UGA email account would be done through EITS and not a non-existent 'Division of Information Technology'.

Many messages that ask you to update your email account or send information to prevent your account from being frozen are received each week. Remember, EITS will not ask you to provide user name, password or any other account information in an email. Don't get hooked by one of these scams.

From: User Name
Sent: Wednesday, July 29, 2015 5:08 PM
To: notice@gmail.com
Subject: Notice

We have safeguarded your account, there is a possibility that someone other than you is attempting to login your account. As part of our ongoing commitment to provide the best protection to all our customer's security.

We therefore ask you to fill in your online data correctly, in other for us to update the settings in your account,

by click or copy past this link on your browser: http://uga-e.jimdo.com/ [link removed]

University Of Georgia
Your security is our priority.
Copyright © 2015 All rights reserved
Division of Information Technology

 

Thank You To For This E-mail

Reported on 7/14/2015

This email claims to be from Apple, but it has a return email address at PayPal. Does that seem wrong? The subject line is definitely odd, showing both indecision and strange phrasing. In the body of the email, both the wording and the lack of punctuation should raise the alarm telling you that this is not a legitimate email from Apple. The link that has been removed points to a very official looking form designed to steal your personal information. The form is on a website in India. Finally, the 'Apple Team' sign off is as generic as possible without being insulting. And the copyright notice at the bottom of the email is designed to convince you that this really is a message from Apple. Did it work?

From: Apple.inc <Account@e.paypal.en.com>
To: [user name]
Subject: Thank You To For This E-mail‏.

This is an automated email, please do not reply

Dear Client

We've noticed that some of your account information appears to be missing or incorrect We need to verify your account information in order to continue using your Apple ID, Please Verify your account information by clicking on the link below

Click here to Verify your ID [link removed]

Thanks for choosing Apple,
Apple Team

© 2015 Apple. All rights reserved.

Email ID: 163327

 

 

Email Quota Limit

Reported on 7/2/2015

This quota limit email is not from an @uga email address, has no recipients specified, and starts off with a oddly specific greeting that includes the recipient's complete UGA email address. And why is the Mail Administrator ending this notice from a non-UGA address? All these are warning signs of a phishing attack. In addition, the message features a 'Click here' link, has inconsistent punctuation and does not include an official signature. Also, take a look at the final notification statement. Why would Google send you a notice about your UGAMail account? UGAMail is not a Google supported email system.  If you think this is a phishing email, you are correct!

From: Mail Administrator <sabu@sparkleanintl.com>
To: [name of user]@uga.edu
Subject: Email Quota Limit

Dear, [name of user]@uga.edu;

Your mailbox is almost full.

3840MB  4096MB
Current size Maximum size 
Please reduce your mailbox size. Delete any items you don't need from your mailbox and empty your Deleted Items folder. Click here [link removed] to do reduce size automatically.

Thanks,

Mail System Administrator

This notification was sent to [name of user]@uga.edu ; Don't want occasional updates about subscription preferences and friendly suggestions? Change [link removed] what email Google+ sends you.

Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043 USA

 Additional Resources