Phishing Example: IT-Service Help Desk "Password Update"

February 2, 2016

What makes this a Phishing message?

  • The creator of this phish used the real name and email address of a faculty member in the Medford school district (the name has been changed to "John Doe") as the sender of the message.  They neglected to change this address to appear to come from a "berkeley.edu" account.
  • The recipient field is to an email alias ("adm122") in an unknown domain ("@desk.us").  This is often an indicator that the message is illigitimate.
  • The "Click Here" link leads to a malicious website.


Original Message:

Subject: Help Desk / Password Update
From: John Doe <John.doe@medford.k12.or.us>
Date: 2/2/2016 5:01 AM
To: "adm122@desk.us" <adm122@desk.us>

Password will expire in 2 days  Click Here To Validate E-mail
Thank you,
IT-Service Help Desk

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu.  Be sure to include the entire text of the message, including the email header.