Phishing Example: First 2017 Tax Season Phish

January 24, 2017

What makes this a Phishing message?

This was the first tax season related phishing message reported on campus this year.  The message contains a common ploy to trick the recipient into clicking on a link to download their W2 Form.  In this case, the link went to a forged site for "MyADP" with account login fields.  CalNet credentials entered into this page would be intercepted by the scammers and compromised.

The formatting in this message is very poor, and both the sender address and download URL link are highly suspicious, so this phish should be pretty easy to spot.  UC Berkeley does not utilize ADP for payroll services, another hint that this is a phishing message.

Original Message:
From:  ADP PORTAL <>
Date:  Tue, 24 Jan 2017 13:31:49
Subject:  Update Portal

The Human Resources/Payroll Department has completed the final paystub
changes for 2017 tax year.
To view the changes to your paystub information and view/download your W-2
forms (2014 - 2016 tax years), go to: Adp Portal

We hope you find the changes to your paystub information useful and welcome
any comments you may have.
Yours Sincerely,
Danielle Carrel.

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to Be sure to include the entire text of the message, including the email header.