The Phish Tank

Welcome to the "Phish Tank".  This page highlights examples of phishing emails received on campus.  There are many variations of the types of scams listed here, this is only a small sampling of ones we've received. 

This list is intended for the purpose of educating students and staff to spot a phish, do not assume an email is safe because it is not listed here.

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu (link sends e-mail) (link sends e-mail).  Be sure to include the entire text of the message, including the email header.

How to show message headers in bMail

1. Log in to bMail
2. Open the message for which you'd like to view headers
3. Click the '3 vertical dot' button next to 'Reply', at the top of the
message pane.
4. Select Show Original. The full headers will appear in a new window.
5. Please click the 'Copy to clipboard' button, or copy-and-paste all this information to a reply email to <security@berkeley.edu>

Tax Scams Never Say Die!

August 27, 2019

Instead of finding One-Eyed Willy's treasure at the end of an IRS-spoofed email, victims are tricked into clicking malicious links and giving up their treasure.

The IRS recently issued warnings about new email scams where attachers send unsolicited emails to taxpayers from fake IRS email addresses. The email subject line may vary, but recent examples use the phrase "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder."

Phishing Example: Robocalls

July 21, 2019
Robocalls are on the rise. Be wary of any pre-recorded messages you might receive.

Phishing for Gift Cards

July 17, 2019

"Hey, are you available?"

Email Fraud Schemes Targeting Universities

March 14, 2019

A couple of recent phishing scams, referred to as a “Business Email Compromise (BEC),” have been targeting universities to steal funds through the purchasing process.

The first phishing scam targets suppliers that do business with campus by using Berkeley emails as the hook. These attacks involve purchase orders and requests for quotes that appear to come from the University, but are in fact fraudulent. 

Be Alert:

Tax Season is Here - Protect Yourself from Tax Fraud

January 24, 2019

W-2 wage statements became available online this week and every year several convincing phishing messages are crafted by tax scammers and sent to Campus to trick victims into giving out personal information. Taxpayers should continue to watch out for fake emails and/or websites looking to steal personal information during the 2019 filing season.  

Email Impersonation Attacks Are on the Rise

January 11, 2019

A widely reported spear phishing scam, termed “Business Email Compromise (BEC),” has been targeting universities and other academic institutions. These attacks are spear phishing scams designed to impersonate someone you know in an attempt to gain access to sensitive information or to encourage you to transfer funds or provide gift cards. There has been an increase of these assaults across the University this new year.

Phishing Example: Business Email Compromise

December 27, 2018
These are targeted and simple forms of phishing emails designed to get victims to purchase gift cards, the "email compromise" gets its name because the attacker mimics the email of a known sender. However, these can also be sent through a legitimate, albeit hacked account. The messages start out as basic greetings then progress into requests for money or data. Since the content is highly personalized it’s often easy to get hooked.

Phishing Example: Google Doc Phishing Message

May 3, 2017
What appears to be a wide-spread Internet worm hit the campus in the form of a phishing email message. The message slipped through normal spam filters as the worm virus spread to email accounts in the "berkeley.edu" domain.

Phishing Example: Message from human resources

April 13, 2017
This message, appearing to come from the HR department, was successful at convincing several campus recipients to click on the link provided and enter their Calnet credentials. The link was directed to a fake Calnet login page, the account name and password entered on this page would be compromised.

Phishing Example: Library Account

April 1, 2017
This phishing message was received by students across campus, purporting that the student's library account has expired. The Library does not issue emails concerning inactive accounts.

Phishing Example: Your Dropbox File

January 30, 2017
A recent spate of phishing messages have been received on campus purporting to be Dropbox notifications. The link in the email message to "View File" is a ruse to capture CalNet passphrase credentials.

Phishing Example: bCourses Expiration Notice

January 25, 2017
A targeted phishing message was received on campus appearing as an expiration notice for access to bCourses. The message attempted to trick recipients to login with CalNet credentials to prevent access expiration

Phishing Example: First 2017 Tax Season Phish

January 24, 2017
This was the first tax season related phishing message reported on campus this year. Beware of phishing messages containing fake instructions for downloading your W2 form.

Phishing Example: FedEx Shipment Update

January 3, 2017
This very simple phishing message that appeared to be sent from FedEx was effective in convincing several campus recipients to download the PDF attachment. The file contained a link that required password authentication, allowing the attacker to capture these credentials for future use.

Phishing Example: Important Announcement from Chancellor Dirks

December 14, 2016
On Dec. 14th, the campus was the target of a phishing email purporting to be from Chancellor Dirks and containing a PDF file attachment with a link to a site intended to steal credentials. Beware of emails with the subject line "Important Announcement from Chancellor B. Dirks".

Phishing Example: Email Account Upgrade

October 28, 2016
A pretty convincing phishing message that appears to come from CSS-IT issuing a warning that the user's ID may have been compromised.

Phishing Example: Irregular Activity

October 20, 2016
This phishing message, purportedly from Bank of America, contained multiple threats - two file attachments that likely contain malware and a separate ploy to obtain user credentials.

Phishing Example: Messages containing Locky malware

August 24, 2016
There has been a recent spate of email messages to campus containing the Locky ransomware virus in file attachments. The format of the message content is very similar.

Phishing Example: Vital Info

May 23, 2016
Another targeted phishing message, this one has been spoofed to appear to come from the Office of the Registrar.

Phishing Example: bCourses Phish Attack

May 20, 2016
Several people on campus reported this targeted phishing message concerning access to bCourses. The message was signed by a fictitious member of the Security department.

Phishing Example: PayPal - We need your help

March 22, 2016
This is an example of how phishing messages can be made to look like they are from a legitimate business, such as PayPal. However, poor grammar and other indicators make this an easy phish to spot.

Phishing Example: RE: Notice from @rescue.org

March 14, 2016
A phishing message purporting to be from the International Rescue Committee regarding IT maintenance has been circulating on campus. The message requests that the recipient upgrade their mailbox size by selecting a link that redirects to a malicious website.

Phishing Example: Last Reminder You Must Update Your Apple Account Information!

March 13, 2016
An email message purporting to be from Apple Support, requesting that the recipient verify their account information, has been seen in several variations on campus.

Phishing Example: Help Desk Notice

March 4, 2016
This phish is an example of how poorly most culprits have taken steps to disguise the message - it is often the case that phishing messages are originally drafted for another school or school district.

Phishing Example: UCOP Spear Phish Attack

February 22, 2016
A targeted phishing message was received at both Berkeley and UCLA campuses that was purportedly from the UC Office of the President requesting an employee's W2 form.

Phishing Example: Google Docs Download

February 22, 2016
This phish example attempts to trick the recipient into clicking on a link to a malicious website by purporting to be a link to download a Google doc.

Phishing Example: ITunes Access Disabled

February 21, 2016
Another example of a common ploy to trick the recipient into clicking a link to a malicious website by claiming access to ITunes has been disabled.

Phishing Example: "Dear Email User" Expired Password Ploy

February 9, 2016
An example of a common phishing ploy - a notice that your email password will expire, with a link to change the password that leads to a malicious website.

Phishing Example: IT-Service Help Desk "Password Update"

February 2, 2016
Another example of a phish that attempts to trick the user to click on a link to a malicious website by claiming their password will expire otherwise. This one purports to come from the IT-Service Help Desk.

Phishing Example: U.S. Dept. of Labor "Record Update"

January 18, 2016
Campus was the target of a phishing email purporting to be from the U.S. Dept of Labor and asking for users to update their employment records. Beware of emails with the subject line "Record Update".

Phishing Example: IRS Service "Important Update"

January 15, 2016
The 2016 tax filing season is upon us, beware of messages requesting personal information to be updated online to make your "refund easier".

Phishing Example: DHL Express Document

January 15, 2016
Phishing message purporting to be from DHL and requesting package delivery confirmation contains links to malware-infected websites.

Phishing Example: "Paperless W2"

January 6, 2016
Several people on campus fell for this phish, which directed the recipient to a fake CalNet login page where credentials were stolen. Beware of tax-related phishing exploits, like this one, during this time of year.

Phishing Example: Spear Phishing Attack "Articles"

January 2, 2016
This spear phishing attack was targeted to campus academic staff. The recipient was asked to share access to research articles, but the embedded link was routed to a fake CalNet login page.

Phishing Example: PayPal Forgery

January 1, 2016
This is a forgery example of a commonly used service provider, PayPal. The intent is to fool the recipient into clicking the link directed to a malware infected webpage.

Phishing Example: UCB-HR "Your New Salary Notification"

December 10, 2015
This phishing message was forged to appear to come from the UCB Human Resources office. Beware of "URGENT" message from HR concerning "Your New Salary Notification".

For more examples of Phishing messages, please visit the Phishing Examples Archive.