Phishing Example: Vital Info

May 23, 2016

What makes this a Phishing message?

This message has been forged to appear to come from a real staff member in the Office of the Registrar, which, along with the "CONFIDENTIALITY NOTICE", gives it the appearance of a valid official message. However, a few strange items stand out:

  • There is no recipient name in the "To:" field. That usually indicates that the message was "blind carbon-copied" to recipients and the sender is trying to hide something.
  • The message is not specific about what "vital info" is being shared. This should seem very suspicious to the recipient if they were not expecting a message from the Office of the Registrar.
  • Hold your cursor over the URL link and you will see that it is not really directed to Google Docs. It is actually a link to a fake CalNet login page where the user's account name and password can be intercepted.

(Nice touch adding the "consider the environment" note at the end of the message - very convincing coming from an @berkeley.edu address).


Original Message:

From: <sender's name removed>
Date: Mon, May 23, 2016 at 2:56 PM
Subject:  Vital Info
To:

Hello,  Please refer to the vital info I've shared with you using Google Drive.  Click https://www.google.com/drive/docs/file0116 and sign in to view details..

Regard

--
<sender's name removed>
Readmission Representative
Office of the Registrar

CONFIDENTIALITY NOTICE:  This e-mail and any transmitted files are private and confidential and are solely for the use of the recipient(s)  to whom it is addressed.  Any unauthorized review, use, disclosure, distribution or copying of this communication is strictly forbidden.  If you have received this communication in error, please delete and immediately notify the sender via the e-mail return address.  Thank you for your compliance.

Please consider the environment before printing this e-mail

Warning: The links and email addresses included in these messages are from real-life examples. Do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu.  Be sure to include the entire text of the message, including the email header.