Welcome to the Phish Tank — where you can take a look at common phishing email examples and learn how to avoid becoming a victim of a phishing scam. The examples are all taken from actual emails that have been received in the past.
If you would like to see current phishing attempts that are being frequently reported, you may wish to visit our Fresh Phish page.
Phishing emails are emails designed to trick you into replying to them with personal information like your username and password, your birthday or financial account numbers. In addition to asking for personal information, a phishing message typically:
Phishing messages are often sent from suspicious-looking email addresses and frequently have either a generic recipient (like email recipient, members, or UGA) or a blank in the 'To' field.
Attention: Did you receive an email message that looks suspicious? Do you think it may be a phishing message? Send it to firstname.lastname@example.org for review.
There will be times when legitimate messages must be sent to inform UGAMail users of necessary changes to their accounts. These may include inactive account removal notices or information about account abuse.
It is very important to remember that UGA will never ask for your password in an email. Any MyID password change, refresh or update will always take place on the MyID Tools and Information webpage. If you are ever in doubt about the legitimacy of a potential phishing email, call the EITS Help Desk at (706) 542-3106 or forward the email with its headers to email@example.com.
Let's take a look at some examples of phishing emails.
This style of phishing scam tries to trick you into giving away your UGA MyID. It is designed to steal your login credentials and get access to your email account. While getting access to your email may not seem like a big deal, remember that your UGA MyID and password are also used to access many other accounts and systems at the university.
EITS will never ask for your username and password in an email. Your name will be listed in the 'To' field and you will be addressed by name in the body of the email. Plus, any communication from EITS will come from an @uga.edu email address. It certainly won't come from System Administrator at an email address in Russia like this example:
System Administrator <firstname.lastname@example.org>
Your mailbox has exceeded the storage limit which set by your administrator, you may not be able to send or receive new mail until you re-validate your mailbox. To re-vaildate your mailbox send the following details below:
If you fail to re-validate your mailbox, your mailbox will be De-activated!!!
This version of the "full mailbox" phishing attack suffers from poor grammar and a noticeable lack of punctuation. It includes a link for you to click instead of asking directly for login credentials in a reply. If the link were still active, clicking it would doubtless take you to an official-looking form and a malicious software download. You are obviously not going to find an official UGA business form on a website called 890m.com.
mailboxupgrade administrator <email@example.com>
Your mailbox has exceeded the storage limit 2.GB Set by the administrator currently 2.30GB, can not send or receive new messages until you re-validate your e-mail Click the link below to validate your e-mail
http://www.mailboxupgrade.890m.com [link removed]
Full mailbox type phishing scams are not limited to UGAMail. You may see variations on this scam in your private email accounts as well.
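The clues described above for "full mailbox" messages (a sender outside @uga.edu, a generic or blank 'To' field, links to non-UGA sites, and talk of usernames and passwords) can be checked mechanically. The following script is an added example, not EITS code; the indicator names, the keyword list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

TRUSTED = "uga.edu"                                 # per the page: EITS mail comes from @uga.edu
GENERIC_TO = {"email recipient", "members", "uga"}  # generic recipients the page lists
CRED_WORDS = re.compile(r"\b(user ?name|password)\b", re.I)  # assumed keyword list
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def in_domain(host, domain=TRUSTED):
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the phishing indicators found in one raw email message."""
    msg = message_from_string(raw)
    found = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_domain(sender.rpartition("@")[2]):
        found.append("sender-outside-uga")
    to = [(n, a) for n, a in getaddresses([msg.get("To", "")]) if "@" in a]
    if not to or any(n.strip().lower() in GENERIC_TO for n, _ in to):
        found.append("generic-or-blank-to")
    # Plain-text parts only; transfer-encoded or HTML bodies are out of scope here.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    for host in URL_HOST.findall(body):
        if not in_domain(host):
            found.append("link-outside-uga:" + host.lower())
    if CRED_WORDS.search(body):                     # a keyword hit means review, not proof
        found.append("mentions-credentials")
    return found

# Constructed samples (not real messages); all addresses and hosts are placeholders.
PHISH = """From: mailboxupgrade administrator <admin@mailboxupgrade.example>
To: Email Recipient
Subject: Mailbox storage limit

Your mailbox has exceeded the storage limit. Send your Username and Password
or click the link to validate: http://www.mailboxupgrade.example/form
"""
LEGIT = """From: EITS Help Desk <helpdesk@uga.edu>
To: Jane Doe <jdoe@uga.edu>
Subject: Inactive account removal notice

Jane, your inactive account is scheduled for removal: https://notices.uga.edu/inactive
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

The domain check compares whole labels, so a lookalike host such as uga.edu.login.example or fakeuga.edu is still treated as outside UGA.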
Like all phishing attacks, the financial account scam is after information. This time, the attack is specifically after your money. These scams pretend to be from your bank, your credit card company or another financial service like PayPal or eBay. Financial account scams usually include a link to a form or a website. Sometimes they try to lure you into opening an attachment that includes a fake form and some malicious software. Not only are these scams trying to steal your identity, they may be infecting your computer as well.
In the PayPal example provided, the form that was attached to the original email has been removed. Had you downloaded the form, you probably would have also downloaded a trojan (a type of malicious software) designed to track your movements online and record your login credentials. The message contains some obvious clues to its phishy nature:
Reminder: Your account will be limited until we hear from you
Remove the limitation
Your security is important,
Customer ID PP3081061
Your account access has been limited.
While your account is limited, some options in your account won't be available such as sending and receiving money, editing your details and closing your account.
If you choose to ignore our request, you leave us no choice but to temporary suspend your account.
If you see a payment that you don't recognise, let us know immediately. Go to downloading the form attached to this e-mail to remove the limitation , open it in a browser (recommended internet explorer 8, mozilla firefox or google chrome) follow the instructions on your screen
We appreciate your understanding as we work to ensure account safety
Thank you for using PayPal!
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the top right corner of any PayPal page.,
Copyright © 1999-2014 PayPal. All rights reserved.
PayPal Email ID PP315 - 14776b4c1b619
There is one question you should ask yourself any time you see an email that may be a financial account scam. Do you even have an account with the company claiming to have sent the email? If you don't, you can simply delete the email.
These scams come in a variety of styles. Some appear to be friend requests or requests to add someone to your social network. They look like legitimate invitations and often include links to the sites they claim to be related to. Others pretend to be account notifications that range from notices that your account will be shut down for inactivity to warnings that your account may have been compromised. (It certainly will be if you fall for this phishing scam!)
This particular example is a recreation of an email that was received in a UGAMail inbox. The sender's name has been removed and the name of his company changed. The email includes several links (that we removed) that try very hard to trick you into clicking on them. You could click on the sender's name to find out more about him or her; you could go to your InBox to read your message; you could even log in to your LinkedIn account - if any of the links were legitimate.
Name of Sender - LinkedIn <firstname.lastname@example.org>
Join my network on LinkedIn
From [Name of Sender] [link removed](Founder of ReallyBig Company)
There are a total of 1 messages awaiting your responce. Go to InBox now [link removed]
This message was sent to [username]@uga.edu. Don't want email notifications? Log in to your LinkedIn account to Unsubscribe [link removed]
LinkedIn valuse your privacy. At no time has Linked IN made your email address available to anyother LinedIn user without yrou permission. ©2013. LinkedIn Corporation.
This particular email did not include a LinkedIn logo, but many social networking scams do. The logos they use tend to look legitimate and it's all part of an attempt to trick you. If you get email invitations claiming to be from one of your social networking sites, it is good practice to navigate to the site, log in and confirm that the invitation is legitimate from within the site. Even then you have to be cautious. The invitation may be legitimate, but the person might be fake.
Contact the organization that was the target of the scam to change any private information such as passwords or account numbers immediately. For UGA, contact the EITS Help Desk. If you suspect a bank or credit card account may have been compromised, contact that institution to check your account immediately. You should also request a credit report from one of the three credit bureaus: Equifax, Experian or TransUnion. Visit the FTC web site or the Office of Information Security's Identity Theft and Identity Fraud webpage for more information.