Phishing Example: RE: Notice from @rescue.org

March 14, 2016

Why is this a Phishing message?

  • Always be suspicious of messages that appear to be a response to a prior message that you did not initiate (e.g., "RE: Notice,").  The hanging comma at the end of the subject line is also a suspicious indicator.
  • The recipient and sender address is the same, suggesting that the message was "blind carbon-copied" to the actual recipient.  A sender will sometimes do this if they have something to hide.
  • The message doesn't make much sense - it's a notification of an IT outage event and an invitation to upgrade your mailbox size.  Both of these are common ploys used in phishing messages.
  • The "IT SYSTEM AND MAINTENANCE" link is directed to a nefarious website address (maintenance.zohosites.com).


Original Message:

Subject: RE: Notice,
From: Ashley Mathew <Ashley.Mathew@rescue.org>
Date: 3/14/2016 7:35 AM
To: Ashley Mathew <Ashley.Mathew@rescue.org>

Hello Everyone,
 
  There will be additional IT maintenance today between 10am – 11am. During this time, some IT systems and applications used by the IRC globally may be affected, and you may experience brief outages. Please upgrade your mailboxes (size to 20.0GB). by clicking IT SYSTEM AND MAINTENANCE.

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu.  Be sure to include the entire text of the message, including the email header.