Phishing Example: bCourses Phish Attack

May 20, 2016

What makes this a Phishing message?

The header information is missing from this message, so there is not much here that might help identify this email as fraudulent.  A couple of clues do stand out:

  • Instructions from IT Support or Security requesting for you to click on a link and enter credentials to prevent your access from expiring is a very common ploy to trick users into exposing their account name and password.  Don't fall for it.
  • The URL link is highly suspicious and dangerous:
    • The top-level domain of the host "" is from Equatorial Guinea.
    • The long list of characters following "login" is unusual and should alert the recipient that something is amiss.
    • The URL link leads to a login page that looks exactly like the Calnet login - but it is a fake that is designed to steal your account name and password.
  • If you search the campus directory, you will find there is no Mary Patel in Security.

Original Message:

Dear User,

This message is to inform you that your access to bCourses will soon
expire.  You will have to log in to your account to continue to have access
to this service.

You need to reactivate it just by logging in through the following URL.  A
a successful login will activate your account, and you will be redirected to
your bCourses page.

If you are not able to login, please contact Mary Patel at for immediate


Mary Patel
Berkeley Security
University of California, Berkeley

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to Be sure to include the entire text of the message, including the email header.