Phishing Example: Important Announcement from Chancellor Dirks

December 14, 2016

What makes this a Phishing message?

A large number (2000+) campus email accounts received a phishing email that appeared to come from Chancellor Dirks.  This malicious email contained a PDF attachment, which contained a link to a site for providing personal information, including username and password, to the attacker.  As far as we can tell, the attachment was not infected with malware, but out of caution please delete any copies of this email without opening the attachment.

Please note a couple of suspicious indicators in the message:

  • The return address for Chancellor Dirks is for a mysterious email account from a domain outside of "".
  • There is no recipient address in the "To:" field, indicating the message was "blind carbon-copied" to the intended victims.

If you or anyone you support opened the attachment, followed the link and provided the requested information, please contact for assistance.

Original Message:

From: Nicholas B. Dirks <>
Date: Wed, Dec 14, 2016 at 8:55 AM
Subject: Important Announcement from Chancellor Nicholas B. Dirks

Good Morning Berkeley Family,

Please read attached for an important announcement from Chancellor Nicholas B. Dirks

Nicholas B. Dirks


1 attachment: shared Document.pdf

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

How to report phishing:

  • Open the message

  • To the right of 'Reply' arrow

  • Select 'More' (typically denoted with three vertical dots)

  • Then 'Report phishing'

If you are unable to log into bMail, forward the message to