Phishing Example: "Paperless W2"

January 6, 2016

What makes this a Phishing message?

This one is a classic example of how CalNet credentials are often compromised: 

  • The link in the message redirects the user to a counterfeit CalNet login page
  • The recipient enters their CalNet ID and passphrase
  • Their credentials are then in the hands of the bad guys 

Several people fell for this phish, and soon after experienced tampering with their direct deposit payroll accounts.  If you fall for an exploit like this one, change your CalNet passphrase immediately.

Some things to notice about this message that indicate it's a fake - aside from the poor grammar and run-on sentences:

  • The message is not signed by a real person to indicate who it is from 
  • If you hover your cursor over the "Click Here" link, the URL is an obvious giveaway: it is not the address of the CalNet login page

The correct CalNet login page address is always https://auth.berkeley.edu.
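
The hover check described above, together with the sender mismatch visible in the From line of the original message, can be automated. This is an added example, not part of the original page: the link target in the sample is a constructed placeholder (the page removed the real one), and `check_message`, `LinkCollector` and `LOGIN_TEXT` are names chosen here.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit
CALNET_LOGIN_HOST = "auth.berkeley.edu"  # per the page: the only correct login host
LOGIN_TEXT = re.compile(r"\blog\s*-?\s*(on|in)\b|\bsign\s*-?\s*in\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return findings for one raw message with a single HTML body part."""
    msg, findings = message_from_string(raw), []
    # Split 'display <address>' by hand: an address used as display name is not a valid phrase.
    m = re.match(r"\s*(.*?)\s*<([^<>]+)>\s*$", msg.get("From", ""))
    display, addr = (m.group(1).strip('"'), m.group(2)) if m else ("", msg.get("From", ""))
    if "@" in display and display.rsplit("@", 1)[1].lower() != addr.rsplit("@", 1)[-1].lower():
        findings.append(f"From displays {display} but the sender is {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        # Exact host over HTTPS only, so "auth.berkeley.edu.<other domain>" does not pass.
        if LOGIN_TEXT.search(text) and (parts.scheme != "https" or host != CALNET_LOGIN_HOST):
            findings.append(f'"{text}" links to {host or href}, not {CALNET_LOGIN_HOST}')
    return findings

# Constructed sample: From header as shown on the page, link target is a placeholder.
SAMPLE = (
    "From: ESSW2@berkeley.edu <huatom@clarke.k12.ga.us>\n"
    "Content-Type: text/html\n\n"
    '<p>Logon at the following link:</p><a href="http://login.example.invalid/">Click Here to Logon</a>'
)
if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

The From header is split with a regular expression rather than `email.utils.parseaddr` because a display name containing an unquoted `@` is malformed, and the standard parser's result for it differs between Python versions.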

Original Message:

From: ESSW2@berkeley.edu <huatom@clarke.k12.ga.us>
Date: January 6, 2016 at 5:53:32 AM PST
To: undisclosed-recipients:;

Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE

Dear: Account Owner,

Our records indicate that you are enrolled in the University of California paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. "paperless W2") is prepared and ready for viewing.

Your W2 is ready for viewing under Employee Self Service. Logon at the following link:

Click Here to Logon

If you have trouble logging in to Employee Self Service at the link above, please contact your Payroll Department for support.

If you would like to un-enroll in the Paperless W2 Program, please logon to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions.

Warning: The links and email addresses included in these messages are from real-life examples; do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu. Be sure to include the entire text of the message, including the email header.