Phishing Example: FedEx Shipment Update

January 3, 2017

What makes this a Phishing message?

This very simple phishing message, which appeared to be sent from FedEx, convinced several campus recipients to download the PDF attachment. The file contained a link that required password authentication, allowing the attacker to capture users' credentials for future use. Note the following clues that this is not a valid message from FedEx:

  • The sender address is a "berkeley.edu" address, not a FedEx address.
  • The recipient address is blank, indicating the message was sent as a "blind carbon-copy" to a larger audience.
  • The wording is very simple and poorly phrased.
  • There is no message signature other than "Thanks".


Original Message:

From:  "FedEx." <xxxxxx@berkeley.edu>
To:
Date:  Tue, Jan 3, 2017

FedEx

Dear Customer,

We could not deliver your item.

You can review and print complete details of shipping duty on your order.

Thanks


PDF Attachment:  update_Form.pdf
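
The two header clues listed above (a brand display name on an unrelated sender domain, and no visible recipient) can be checked mechanically. The following is an added example, not part of the original notice; the function name `header_clues`, the `BRAND_DOMAINS` table and its `fedex.com` entry are assumptions made for illustration, and the sample message is constructed from the headers shown above.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample reproducing the From/To headers shown above; the
# sender local part is the same placeholder the page uses.
SAMPLE = (
    'From: "FedEx." <xxxxxx@berkeley.edu>\n'
    "To:\n"
    "\n"
    "Dear Customer,\n\nWe could not deliver your item.\n"
)

# Assumption: brands to watch for, mapped to domains they legitimately send from.
BRAND_DOMAINS = {"fedex": {"fedex.com"}}


def _domain_ok(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def header_clues(raw, brand_domains=BRAND_DOMAINS):
    """Return the list of header-based phishing clues found in a raw message."""
    msg = message_from_string(raw)
    clues = []

    # Clue 1: display name claims a brand, but the address is on another domain.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in brand_domains.items():
        if brand in display.lower() and not _domain_ok(domain, allowed):
            clues.append("display-name-mismatch")

    # Clue 2: no address in To or Cc, so every recipient was blind-copied.
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    if not [a for _, a in getaddresses(visible) if a]:
        clues.append("no-visible-recipient")

    return clues


if __name__ == "__main__":
    print(header_clues(SAMPLE))
```

Neither clue is conclusive alone: legitimate mailing lists also blind-copy recipients, so treat the result as a score input for triage rather than a verdict.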

Warning: The links and email addresses included in these messages are from real-life examples; do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up tooltip (instead of in the corner of the browser window).

How to report phishing:

  • Open the message.
  • To the right of the 'Reply' arrow, select 'More' (typically denoted with three vertical dots).
  • Then select 'Report phishing'.

If you are unable to log in to bMail, forward the message to phishing@berkeley.edu.