Phishing Example: Email Account Upgrade

October 28, 2016

What makes this a Phishing message?

This message is a somewhat clever attempt to fool the recipient, claiming that there may have been some unauthorized account access from Thailand.  The sender address has been forged to appear to come from CSS-IT.  Without looking at this message closely, the following clues could be missed:

  • The subject line "Email Account Upgrade" has nothing to do with the warning contained in the message.
  • The generic greeting "Dear User" is suspicious - a notification concerning unauthorized account access should be directed to a person by name, and the term "Dear" is inappropriate.
  • A campus account is referred to as a "CalNet ID", not a "Berkeley ID".
  • The "Click Here" short URL link is highly suspicious - never trust a short link that obfuscates the true link destination.

A recipient who read this message in haste could easily click on the link, which likely leads to a site that silently transfers malware to their computer.


Original Message:

Subject: Email Account Upgrade
Date10/28/2016 4:38 PM


Dear User,

Someone else was trying to use your Berkeley ID to sign into iCloud via a web browser.

Date and Time: 28 October 2016, 1:38 PM
Browser: Firefox
Operating System: Windows
Location:Thailand


If the information above looks familiar, you can disregard this email.
If you have not recently and believe someone may be trying to access your account, you should Click Here <http://goo.gl/rk87KW>.

Sincerely,
Technical Support Team

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu.  Be sure to include the entire text of the message, including the email header.