The Phish Tank

Welcome to the "Phish Tank". This page highlights recent examples of phishing emails received on campus. There are many variations of the types of scams listed here; this is only a small sampling of the new ones received every day.

This list is intended to educate students and staff to spot a phish; do not assume an email is safe because it is not listed here.

Warning: The links and email addresses included in these messages are from real-life examples; do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up tooltip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu. Be sure to include the entire text of the message, including the email header.

How to show message headers in bMail

1. Log in to bMail
2. Open the message for which you'd like to view headers
3. Click the '3 vertical dot' button next to 'Reply', at the top of the message pane.
4. Select Show Original. The full headers will appear in a new window.
5. Please click the 'Copy to clipboard' button, or copy-and-paste all this information to a reply email to <security@berkeley.edu>

Email Fraud Schemes Targeting Universities

March 14, 2019

A couple of recent phishing scams, referred to as a “Business Email Compromise (BEC),” have been targeting universities to steal funds through the purchasing process.

The first phishing scam targets suppliers that do business with campus by using Berkeley emails as the hook. These attacks involve purchase orders and requests for quotes that appear to come from the University, but are in fact fraudulent. 

Be Alert:

  • Monitor your inbox and restrict the use of auto-forwarding and inbox filtering rules so you don’t miss emails.
  • If you think you might be missing or not receiving emails, be suspicious and investigate immediately.

If you think your @berkeley.edu email has been spoofed or compromised, report it immediately to security@berkeley.edu. Additional information on reporting is listed here.

The second phishing scam targets universities in the midst of construction projects. The hackers compromise or spoof emails of known business partners working through the Berkeley purchasing process to reroute payments from the authentic company to themselves.

Take Action:

  • Be suspicious of any request to change the payment process.
  • Verify all changes in payment and financial information via phone or in person with a known and trusted individual.

We encourage you to be skeptical and if you are unsure whether an email is legitimate, send an email to consult@berkeley.edu or call 510-664-9000.


Tax Season is Here - Protect Yourself from Tax Fraud

January 24, 2019

W-2 wage statements became available online this week, and every year tax scammers craft convincing phishing messages and send them to campus to trick victims into giving out personal information. Taxpayers should continue to watch out for fake emails and websites looking to steal personal information during the 2019 filing season.

Be wary of any message asking for W-2 or other tax information. Additionally, during the UCPath conversion scammers may send emails with fraudulent links. Do not open any attachments or click on any email links. The UC does not send tax statements to employees by email or text. If you receive an email or text that has an attachment to view your W-2 or other tax statement, it is a phishing scam designed to gain your private information. Be extra alert during this time of transition.

Over the past few years, tax scams were primarily seen in two forms on campus:

  1. Extremely authentic-looking emails impersonating UC communications about how to access your W-2 statement.
    • These emails looked almost exactly like the genuine UC emails, but contained a harmful link intended to steal passwords and personal information.

  2. Emails sent directly to financial and payroll employees requesting copies of employee W-2 forms.
    • These emails looked like they were from executive management, such as the UC President, or the head of Financial Affairs, and requested copies of employee W-2 forms for review purposes.

To protect yourself against harmful links, use these tips:

  • If you have consented to having an electronic copy of your W-2 statement made available online, it will only be available directly on the At Your Service Online (AYSO) website.  AYSO is hosted by the University of California, Office of the President and should only be accessed using the following address:

    https://atyourserviceonline.ucop.edu/ayso/

  • To avoid clicking on a harmful link in a potential phishing message, manually enter the AYSO address into your browser's address bar when you are ready to download your W-2 form.

  • Alternatively, you may access AYSO directly from the Blu Self-Service portal (left-hand menu) at: https://blu.berkeley.edu 
    (Note: Campus VPN and CalNet ID login are required for off-campus access to Blu)
  • Report any suspicious emails by forwarding them with full headers to consult@berkeley.edu.

More Anti-Phishing Tips and FAQs

Tax Fraud Prevention Resources

Email Impersonation Attacks Are on the Rise

January 11, 2019

A widely reported spear phishing scam, termed “Business Email Compromise (BEC),” has been targeting universities and other academic institutions. These attacks are spear phishing scams designed to impersonate someone you know in an attempt to gain access to sensitive information or to encourage you to transfer funds or provide gift cards. There has been an increase in these attacks across the University this new year.

Messages tend to come from an account mimicking a known sender. They can start out as basic greetings then progress to requests for money or data. Since the content is highly personalized, it’s often easy to get hooked.

Tips if Something Seems Off:

Double-check the email address before responding

Look to make sure the email address is correct. In Gmail, hover your mouse over the sender name for the email address to display. On a mobile phone? Wait until you can get to a computer.

Follow up with the sender separately

If you didn’t expect it, reject it. Or follow up with the individual directly in a separate email or call/text to confirm.

Report and/or flag it

To flag it in bMail, open the message and, next to Reply, click the three dots and select "Report phishing". Not sure if it's a phish? Email us at consult@berkeley.edu or call 510 664-9000. For more information visit https://security.berkeley.edu/resources/phishing

Examples of these types of attacks include:


Original Message:

From:  XXX.subdomain.berkeley.edu@gmail.com
Subject:  vendor payment
To:  xxxxx@berkeley.edu

Are you around? I need to pay a vendor with the blucard.



<Name Removed>
University of California, Berkeley

Original Message (Additional Example):

From:  XXX.subdomain.berkeley.edu
Subject:  Quick question
To:  xxxxx@berkeley.edu

I'm in a meeting and need help getting some Amazon Gift Cards



<Name Removed>
University of California, Berkeley

Phishing Example: Google Doc Phishing Message

May 3, 2017

Why is this a Phishing message?

What appears to be a widespread Internet worm hit the campus in the form of a phishing email message. The message slipped through normal spam filters as the worm spread to email accounts in the "berkeley.edu" domain, so receipt of the message in campus mailboxes was also widespread.

The message was a forgery of the common message notification received when a Google Doc is shared, but there are a couple of obvious indicators that this message is a fake:

  • The recipient address in the message is very suspicious:  hhhhhhhhhhhhhhhh@mailinator.com
  • The actual recipient's address is included in the "Bcc" line - why would a notification about a shared Google Doc be blind-carbon-copied to someone?

The following announcement was posted to campus concerning this incident:  Global Google Phishing Alert

Please contact Campus Shared Services IT by calling 510-664-9000 or itcsshelp@berkeley.edu if you have questions about this incident.

Original Message:

From:  XXX@berkeley.edu
Subject:  XXX has shared a document on Google Docs with you
To:  hhhhhhhhhhhhhhhh@mailinator.com
Bcc:  Me

XXX has invited you to view the following document:

Open in Docs





Phishing Example: Message from human resources

April 13, 2017

What makes this a Phishing Message?

The cyber criminal responsible for this phishing scam put some effort into making this email message appear to be legitimate. The sender email address has been faked to appear to come from the campus HR department, and the document link led to a fake CalNet login page. There is one clue that the message is a forgery:

  • If you hold your mouse cursor over the "Click here" link, you can see that the destination is not the real CalNet login page (https://auth.berkeley.edu).

Two things to remember in this situation:

Original Message:

From: "HR@berkeley.edu" <HR@berkeley.edu>
Subject: Message from human resources
Date: April 13, 2017 at 9:29:54 PM PDT
To: XXXXX@berkeley.edu

Dear XXXXX@berkeley.edu

An information document has been sent to you by the Human Resources Department.

Click here to Login to view the document.  Thank you!

Berkeley University Of California HR Department
© 2017 The Regents of the University of California.  All rights reserved.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
CONFIDENTIALITY NOTICE: This email and any attachments may contain confidential information that is protected by law and is for the sole use of the individuals or entities to which it is addressed. If you are not the intended recipient, please destroying all copies of the communication and attachments. Further use, disclosure, copying, distribution of, or reliance upon the contents of this email and attachments is strictly prohibited.

Phishing Example: Library Account

April 1, 2017

What makes this a Phishing message?

This email message was well crafted to fool recipients into logging into a forged CalNet authentication site to steal their credentials.  It appeared to come from an authentic campus email address, and the instructions are clearly written, without the tell-tale typos or grammatical errors usually found in phishing messages.

The link to the fake CalNet site is made to appear to be the real site (https://auth.berkeley.edu), but if you hover your cursor over the link, the actual hidden URL address is for a site registered in Mali.

Keep in mind when receiving emails like this that cyber criminals can easily forge an email address to appear to come from someone else, or disguise a link so it appears to be safe.

Original Message:

From: <NAME REMOVED>
Date: Sat, Apr 1, 2017 at 2:09 PM
Subject: Library Account
To: xxxxx@berkeley.edu


Dear Student,

Your access to your library account is expiring soon due to inactivity. To
continue to have access to the library services, you must reactivate your
account. For this purpose, click the web address below or copy and paste it
into your web browser. A successful login will activate your account and
you will be redirected to your library profile.

https://auth.berkeley.edu/cas/login?service=https%3a%2f%


If you are not able to login, please contact <Name Removed> at
xxxxx@berkeley.edu for immediate assistance.

Sincerely,

<Name Removed>
University Library
University of California Berkeley

Phishing Example: Your Dropbox File

January 30, 2017

What makes this a Phishing message?

A recent spate of phishing messages has been received on campus purporting to be Dropbox notifications. The "View File" link in the email message is a ruse to capture CalNet passphrase credentials.

  • The return address of the sender is from the network domain for Texas A&M Health Sciences Center (@tamhsc.edu), not Dropbox.
  • If you hold your cursor over the "View File" link, you will see that the URL address is a forgery of the real CalNet login address (https://auth.berkeley.edu).

Visit How to Detect the Authentic CalNet Login Page to learn how to protect yourself from these kinds of scams.

Original Message:

From:  "Sass, Bradley" <sass@tamhsc.edu>
Subject:  Your Dropbox File
Date:  Mon, 30 Jan 2017

Dropbox logo


Hello,
 
You just received a file through Dropbox Share Application.
Please click below and log in to view file.
 
 
Every time a friend installs Dropbox, we'll give both of you 1 GB of
space for free! Need even more space? Upgrade your Dropbox and get 1 TB
(1,000 GB) of space.
 
Happy Dropboxing.
 
- The Dropbox Team
 
 
 
 
Dropbox, Inc., PO Box 77767, San Francisco, CA 94107 © 2017 Dropbox

Phishing Example: bCourses Expiration Notice

January 25, 2017

What makes this a Phishing message?

This phishing message attempted to trick recipients into entering CalNet credentials into a fake CalNet authentication page to prevent access to bCourses from expiring.

The main clue that this is a phishing message is the inordinately long URL address link to bCourses.  If you hold your cursor over the link, you will see that the underlying destination address is not the real bCourses site.


Original Message:

Dear User,

This message is to inform you that your access to bCourses will soon expire. You will have to login to your account to continue to have access to this service.
You need to reactivate it just by logging in through the following URL. A successful login will activate your account and you will be redirected to your bCourses page.

http:/bcourses.berkeley.edu/login_0DZvfIrGID322o0ki22F0IZotK3lPfYHa62pNgFo4Oh4B40FO4WFMbL4BeL22BMCB8yNmkrd1qJSMjMmbphO9TsF3jX2LqgZijDXGuwEM8fb8yNE7xdTJSMBNYpD4cemhm/

If you are not able to login, please contact Danielle Patel at dapatel@berkeley.edu for immediate assistance.

Sincerely,

Danielle Patel
Berkeley Security
University of California, Berkeley
510-643-6957
dapatel@berkeley.edu

Phishing Example: First 2017 Tax Season Phish

January 24, 2017

What makes this a Phishing message?

This was the first tax season related phishing message reported on campus this year.  The message contains a common ploy to trick the recipient into clicking on a link to download their W2 Form.  In this case, the link went to a forged site for "MyADP" with account login fields.  CalNet credentials entered into this page would be intercepted by the scammers and compromised.

The formatting in this message is very poor, and both the sender address and the download URL link are highly suspicious, so this phish should be pretty easy to spot. UC Berkeley does not utilize ADP for payroll services, which is another hint that this is a phishing message.


Original Message:

To:  xxxxxx@berkeley.edu
From:  ADP PORTAL <director.stics@boyaca.gov.co>
Date:  Tue, 24 Jan 2017 13:31:49
Subject:  Update Portal

The Human Resources/Payroll Department has completed the final paystub
changes for 2017 tax year.
To view the changes to your paystub information and view/download your W-2
forms (2014 - 2016 tax years), go to: Adp Portal

We hope you find the changes to your paystub information useful and welcome
any comments you may have.
Yours Sincerely,
Danielle Carrel.

Phishing Example: FedEx Shipment Update

January 3, 2017

What makes this a Phishing message?

This very simple phishing message that appeared to be sent from FedEx was effective in convincing several campus recipients to download the PDF attachment.  The file contained a link that required password authentication, allowing the attacker to capture these user credentials for future use.  Note the following clues that this is not a valid message from FedEx:

  • The sender address is from a "berkeley.edu" address.
  • The recipient address is blank, indicating the message was sent as a "blind carbon-copy" to a larger audience.
  • The grammar is very simple, but poorly stated.
  • There is no message signature other than "Thanks".


Original Message:

From:  "FedEx." <xxxxxx@berkeley.edu>
To:
Date:  Tue, Jan 3, 2017

FedEx

Dear Customer,

We could not deliver your item.

You can review and print complete details of shipping duty on your order.

Thanks


PDF Attachment:  update_Form.pdf

Phishing Example: Important Announcement from Chancellor Dirks

December 14, 2016

What makes this a Phishing message?

A large number (2000+) of campus email accounts received a phishing email which appeared to come from Chancellor Dirks. This malicious email contained a PDF attachment, which contained a link to a site for providing personal information, including username and password, to the attacker. As far as we can tell, the attachment was not infected with malware, but out of caution please delete any copies of this email without opening the attachment.

Please note a couple of suspicious indicators in the message:

  • The return address for Chancellor Dirks is for a mysterious email account from a domain outside of "berkeley.edu".
  • There is no recipient address in the "To:" field, indicating the message was "blind carbon-copied" to the intended victims.

If you or anyone you support opened the attachment, followed the link and provided the requested information, please contact security@berkeley.edu for assistance.


Original Message:

From: Nicholas B. Dirks <penweltm@miamioh.edu>
Date: Wed, Dec 14, 2016 at 8:55 AM
Subject: Important Announcement from Chancellor Nicholas B. Dirks
To:


Good Morning Berkeley Family,

Please read attached for an important announcement from Chancellor Nicholas B. Dirks
 
Thanks,

Nicholas B. Dirks

Chancellor

1 attachment: shared Document.pdf

Phishing Example: Email Account Upgrade

October 28, 2016

What makes this a Phishing message?

This message is a somewhat clever attempt to fool the recipient, claiming that there may have been some unauthorized account access from Thailand.  The sender address has been forged to appear to come from CSS-IT.  Without looking at this message closely, the following clues could be missed:

  • The subject line "Email Account Upgrade" has nothing to do with the warning contained in the message.
  • The generic greeting "Dear User" is suspicious - a notification concerning unauthorized account access should be directed to a person by name, and the term "Dear" is inappropriate.
  • A campus account is referred to as a "CalNet ID", not a "Berkeley ID".
  • The "Click Here" short URL link is highly suspicious - never trust a short link that obfuscates the true link destination.

A recipient who read this message in haste could easily click on the link, which likely leads to a site that silently transfers malware to their computer.


Original Message:

Subject: Email Account Upgrade
Date:  10/28/2016 4:38 PM


Dear User,

Someone else was trying to use your Berkeley ID to sign into iCloud via a web browser.

Date and Time: 28 October 2016, 1:38 PM
Browser: Firefox
Operating System: Windows
Location:Thailand


If the information above looks familiar, you can disregard this email.
If you have not recently and believe someone may be trying to access your account, you should Click Here <http://goo.gl/rk87KW>.

Sincerely,
Technical Support Team

For more examples of Phishing messages, please visit the Phishing Examples Archive.