Phishing Example: FedEx Shipment Update

January 3, 2017

What makes this a Phishing message?

This very simple phishing message, which appeared to be sent from FedEx, convinced several campus recipients to download the PDF attachment. The file contained a link that required password authentication, allowing the attacker to capture the users' credentials for future use. Note the following clues that this is not a valid message from FedEx:

  • The sender address is a "berkeley.edu" address rather than a FedEx one.
  • The recipient address is blank, indicating the message was sent as a "blind carbon-copy" to a larger audience.
  • The grammar is very simple, yet the message is poorly worded.
  • There is no message signature other than "Thanks".


Original Message:

From:  "FedEx." <xxxxxx@berkeley.edu>
To:
Date:  Tue, Jan 3, 2017

FedEx

Dear Customer,

We could not deliver your item.

You can review and print complete details of shipping duty on your order.

Thanks


PDF Attachment:  update_Form.pdf
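
The header clues listed above can also be checked mechanically during mail triage. The following is an added example, not part of the original advisory: the `BRAND_DOMAINS` mapping, the function name and the sample message (rebuilt from the text above with a stub PDF body) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: brand keyword -> domains that brand legitimately sends from.
BRAND_DOMAINS = {"fedex": {"fedex.com"}}

# Constructed sample modelled on the message above (placeholder address, stub PDF).
SAMPLE = """\
From: "FedEx." <xxxxxx@berkeley.edu>
To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,
We could not deliver your item.
--b1
Content-Type: application/pdf; name="update_Form.pdf"
Content-Disposition: attachment; filename="update_Form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def phishing_clues(raw):
    """Return the header and attachment clues found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    clues = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in display.lower() and not legit:
            clues.append(f"display name claims {brand}, sender domain is {domain}")
    # A blank To/Cc means every recipient was hidden in Bcc.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not any(a for _, a in visible):
        clues.append("no visible recipient (Bcc to a wider audience)")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".pdf"):
            clues.append(f"PDF attachment: {name}")
    return clues

if __name__ == "__main__":
    print("\n".join(phishing_clues(SAMPLE)))
```

These are triage signals rather than a verdict: a message that trips several of them deserves a closer look before anyone opens the attachment.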

Warning:  The links and email addresses included in these messages are from real-life examples; do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu.  Be sure to include the entire text of the message, including the email header.