Phishing Example: (ITCS Notification:) Account Irregular Activity Detected [INC1147653]

September 3, 2020

Below is a sophisticated, targeted form of phishing emails designed to look like legitimate UC Berkeley IT Client Services emails with the intention of scaring the victim to get them to provide personal information. Legitimate UC Berkeley IT departments will NEVER ask for your passphrase over email. Do not interact with these emails, instead report it.

Report and/or flag it

To flag it in bMail open the message and next to Reply click the three dots and select "Report phishing". 

Things to look for in this attack:

  • Notice the "sender's" email is different from the ITCS helpdesk email.
  • The campus Duo "migration" occurred in 2018.
  • Bad grammar used through out the messages and it is sprinkled with "technical words" that don't actually make sense.
  • UC Berkeley IT services and departments will never ask for you for passphrase in an email!
  • Notice the threatening language used to scare you into responding.

Original Message:

From: nginx user <nginx@mobididong> on behalf of Service at UC Berkeley <>
Sent: Wednesday, September 2, 2020 8:22 AM
To: xxx
Subject: (ITCS Notification:) Account Irregular Activity Detected [INC1147653]
UC Berkeley       |                   IT Client Services


This is an automated official communication from Berkeley IT Client Services Ticket system in reference to the incident number below.

Ticket INC1147653 has been created from the recent activities in your CalNet - ID credentials.

ITCS system have detected an irregular activity related to your UC Berkeley CalNet ID credentials. As a precautionary measure, we will temporary block your account and should be moving it to our backup server but we need your help to do this effectively otherwise you may lose your login information and data at the end of the Duo Account Migration & Quarantine clean-up process.

To regain and secure access to your UC Berkeley CalNet ID credentials, kindly confirm the below requested information to enable us migrate your UC Berkeley CalNet ID credentials to a  DUO 2-factor authentication Symantec Endpoint Protection Communication software and register it to a new SPAM filtering service which will improve your Firewall Email Security Overview and the ability to identify and block Spam/Phishing attempts automatically and other undesirable messages that flood our email system on a daily basis.

You can resolve your ticket by doing  the following:

Click on the "reply" button and Confirm your active UC Berkeley CalNet ID credentials;   

*CalNet ID:    
*Email id:

Note: We will permanently deactivate and delete your UC Berkeley CalNet ID credentials if you do not adhere to this notice immediately as part of our Inactive ID credentials clean-up process to enable service upgrade efficiency.


UC Berkeley IT Client Services

Copyright © 2020 University of California, Berkeley.
You received this email because you have submitted a ticket into ServiceNow.

University of California • University of California, Berkeley, California, 94720, US 

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

How to report phishing:

  • Open the message

  • To the right of 'Reply' arrow

  • Select 'More' (typically denoted with three vertical dots)

  • Then 'Report phishing'

If you are unable to log into bMail, forward the message to