User menu

Menu

Main menu

Recent Phishing Examples

Dear lehigh.edu Account User

This is not an email from the Help Desk. Notice the link they want you to click on tries to fool you into thinking it's a Lehigh website but close inspection reveals it ends in jimdo.com, which is NOT a Lehigh site. Do not click it--mark it as SPAM immediately and delete.

Webmail account email upgrade -- bogus!

This bogus message includes a link that is not a Lehigh domain and other signs that it is of doubtful origin.

Warning! Upgrade phishing message

Terror Threat Phishing Email

This is NOT an LTS or Lehigh communications email but a Phishing email. Lehigh departments nor LTS will NEVER ask you to send your log on credentials in ANY email we author. You can delete the email.

If you have sent your credentials in response, you will want to log into your account and reset your password immediately.

Fake Resume / Internship Request

This email (and variants of it) claims to be a request for an internship, job, or simply an open sharing of a resume. It is NOT legitimate. Opening the attachment can trigger a password stealing trojan or malware infection on your computer. The name and sender (as well as the exact wording in the text) may vary. Under no circumstances should you attempt to open an attached file from an unsolicited email.

Resume

Fake Anti-Phishing Email

This email purports to be from "Lehigh Help Desk Services". It requests that you click a link to upgrade your email account as part of an "anti-phishing server upgrade". This email is not legitimate and was designed to steal your credentials. If you receive this message, please delete it.

Fake Anti-Phishing Email

Click here to renew your Webmail account

This message will ask for your credentials, but the link takes you to a non-Lehigh web address starting http://artwentyone.altervista. Delete it (don't click on the link in the body of the email!).

CONFIRM YOUR EMAIL IDENTITY NOW!!!

This message is phishing, even though it references Lehigh Roundcube -- the message is tailore to Lehigh's systems, which is called spear phishing. It is specious, and should be deleted.

CONFIRM YOUR EMAIL IDENTITY NOW!!!

Fake Webmail Security Message

This email is NOT legitimate. It purports to be from the "Lehigh University Webmail Management Team" warning about an account break-in attempt. The link in the email is an attempt to steal usernames and passwords. Do NOT click the link. This message should be discarded with no further action. If you have clicked the link and supplied information, please change your password immediately.

Fake Webmail Security Message

Fake email from HELP DESK to update records

The following email has been seen in circulation at Lehigh. This is NOT a legitimate email, and asks users to click the link in an attempt to steal their username and password. Do NOT click the link. This message should be discarded with no further action. If you have clicked the link and supplied information, please change your password immediately.

Travel assistance spearphishing message

This message attempts to seem trustworthy by appropriating the name of an actual person at Lehigh. Unfortunately, this is all too easy for an attacker to do. The message is a complete fraud and the person named was not involved in any way.

Travel arrangements phishing message

Fake IRS Tax Refund Email

This phishing email purports to be from the "IRS Tax Credit Office". It is designed to trick the recipient into submitting confidential financial information. Never submit personal information online when solicited via email. This type of phishing email message should be deleted immediately.

IRS Scam

System Administrator

This phishing message is designed to trick you into believing you've exceeded your email quota/limit. While it's coming from a Lehigh email address (the user's account was compromised) the key sign that makes this email a fake is the non-Lehigh URL the "click here" text links to, outlookwebmails.weebly.com. Always hover your mouse cursor over the link to see the target destination BEFORE clicking. If you have any doubt, call the Help Desk before you click.

Fake Wells Fargo message

This message is confirmed to be "fake." Wells Fargo was contacted and they offered this advice: Review the following tips to help safeguard your personal and account information:

Phishing attempt dated Dec. 4

This message appears to be coming from a university in Missouri -- which may or may not be the case. The sender, the urgently worded subject line of "reply asap," and the request for credentials via mail are all indicators that this is phishing.

Phishing attempt dated 12/4

Fake University Portal Email Upgrade

This fake email "over limit" email purports to be from Lehigh and suggests that you must upgrade your email account because you are over your usage limit. It is NOT from Lehigh and should be deleted immediately. If you clicked the link and entered your Lehigh credentials, you should reset your Lehigh password immediately.

Fake Portal Mail upgrade

Alert - You have exceeded your webmail.lehigh.edu quota

This is yet another phishing attempt that tries to trick you into thinking you've exceeded your email quota. Notice the sender isn't even from Lehigh (mail.gvsu.edu) and that the CLICKHERE link goes to a non-Lehigh website. Always hover your mouse cursor over the link to see the target destination BEFORE clicking. If you have any doubt, call the Help Desk before you click.

You have exceeded your webmail.lehigh.edu quota

This phishing message is designed to trick you into believing you've exceeded your email quota. Note the signs that make this email suspicious:

  1. The sender's email is not a Lehigh email address: maplew@mail.gvsu.edu
  2. A non-Lehigh URL: www.form2pay.com...

Fake Upgrade your email account message

This false email attempts to have you log into a non-Lehigh web in an effort to steal your credentials. Note that the sender is oddly formed: "lehigh.edu Help Desk" with a none lehigh email address at oswego308.org address. The ClickHere link links to a non-Lehigh web page containing a form. Always hover your mouse cursor over the link and check it's target destination BEFORE clicking. If you have any doubt, call the Help Desk before you click.

Fake Upgrade your email account message

Upgrade your email account

This email is not legitimate and is a deceptive attempt to trick you into believing you need to upgrade your email. Note the signs that make this email suspicious:

  1. The sender's email is not a Lehigh email address: jmalnick1109@oswego308.org
  2. Incorrect grammer ("...yours need update")
  3. The link you are supposed to click on is NOT a Lehigh website (hovering over the "ClickHere" link reveals that it goes to www.formforall.com)

Fake Virus Alert Warning

This message, with a bogus link to "lehi.yolasite.com", is not legitimate. Do not click on links to non-Lehigh sites (something other than "lehigh.edu"), never give out personal information (SSN, credit card numbers) or provide credentials (such as username or password), and do not reply to unexpected spurious messages.

Fake Virus Alert Warning

Verify your account

This is a specious attempt to get you to reveal your Lehigh credentials to a malicious third party. Signs that this message is suspicious:

  • The sender is not a is not the LTS Help Desk email. While it does end in lehigh.edu this is easy to spoof in the header of a message.
  • If you hover over the link in the message, note that it goes to lehighdotyolasitedotcom -- NOT a Lehigh domain (Lehigh domains end in lehigh.edu)
  • Lehigh will never ask you to provide your credentials via an email message or embed a link in an email for login purposes.
Verify your account

Lehigh Webmail Sign-in Alert!!!

This phishing email falsely attempts to alert you to a sign-in to your webmail account from a different location.

The message is crafted to look like it is from Lehigh, with a forged sender of webinfo@lehigh.edu, and is signed with a proper Lehigh mailing address and phone number.

You will, however, notice the verification address is NOT a Lehigh address, but rather hostoi.com, and runs a php script which may allow malicious code to run in your web browser.

Fake Trojan Horse Warning

This is a relatively straightforward phishing example. Note that the link address (which isn't hidden in any way) is not in the "lehigh.edu" domain, but in "webs.com". And Lehigh is misspelled.

Trojan Warning

Lehigh Webmail: E-Portal update

This message is an attempt to confuse you with poor grammar and technical terms so you click the "Click here" link. Notice that the sender address is 'cmb@telia.com', and is NOT from the lehigh.edu domain. Do NOT click on the link! You can always verify your own quota limit by going to your account page (www.lehigh.edu/account) and checking quotas under mail management.

Lehigh University Portal

This message is an attempt to obtain your credentials through claiming your email has exceeded its memory size and requests you to upgrade your mailbox by clicking on the listed link. Do NOT click on the link! You can always verify your own quota limit by going to your account page (www.lehigh.edu/account) and checking quotas under mail management.

Quota Limit - Phishing Example

This message is an attempt to obtain your credentials through claiming your email has exceeded it's quota and requests you to upgrade your mailbox by clicking on the listed link. Notice that the sender address for Lehigh University is 'drh@uc.pt', and is NOT from the lehigh.edu domain. Do NOT click on the link! You can always verify your own quota limit by going to your account page and checking quotas under mail management

Quota Limit - Phishing Example

"ITS Web Upgrade"

This message is a repeat (look back in the archive to April 30, 2013). The "From:" address has been forged, but that fact doesn't mean much. Email addresses can't be counted on as an indication of a message's validity. The real key is that the link directs you to a web address that has nothing to do with Lehigh (http://myshoponline.net/wp-admin/includes/webmail/). Not only didn't Lehigh send this, it isn't a reasonable imitation of anything we actually would send. Delete it.

ITS Web Upgrade

Fake Email Sign-In Alert

This is an alarmingly well-crafted (but still completely fake) message that aims to steal your login credentials. Don't fall for it.

Fake Email Sign-In Alert

Irregular Activities Verification

This message contains an attached web form for you to provide personal information (including credit card accounts). The form also contains Javascript, which will capture additional information. As with all such messages, do not open the attachment and do not submit personal information into any forms sent to you by email. Note that although this claims to be from a bank, the sender is a Lehigh address. The listed recipient is the same Lehigh address, and you are only getting a blind courtesy copy (BCC:), so your name and address don't even appear.

Irregular Activities Verification

Banking Information Form

This is the form included with the "Irregular Activities Verification" scam message.

Banking Information Form

Fake Exceeded Your Sending and Receiving Portal Message

This message is a clever attempt to obtain your credentials through claiming your email has exceeded it's sending and receiving limits on the Campus Portal. Notice the tell-tale signs of phishing highlighted in the example. Message claims to be from Lehigh Webmail, but address is Admissions (both false). If you hover over the link, you will see it attempts to take you to a domain shreenandinternational.com, not an actual Lehigh web site. Do NOT click on the link!

Fake Anti-Virus Update

This message attempts to get you to sign into your lehigh account in order to update a fake "anti-spam/anti-virus/anti-spyware" software called "F-Secure R-HTK4S". It is an attempt to steal your lehigh credentials.

antiviurs phishing message screenshot

Fake eFax

This message tries to get you to click on a link by claiming that you have received a fax message online. Some of the links on the page are copies of legitimate links, but the trap is a very deceptive link. On the surface, the link text says "http://www.efax.com/fax/fax_view.aspx?fax_id=7132159010", which looks like a reasonable link.

efax phishing message screenshot

Email Suspension

This message claims that your email is suspended and provides a link -- note that the link is NOT in the lehigh.edu domain and that it lacks punctuation.

Email Suspension

Fake LinkedIn Announcement

This message purports to be from the social media site LinkedIn, suggesting that someone wishes to connect with you. This message is a fraud, as can be seen by examining the destinations of the links in the message (they do not go to LinkedIn). Delete this message; do not click on any of the links or attempt to reply.

Fake LinkedIn Announcement

Fake Mail Quota Warning

This message fraudulently tells you that your email quota has been exceeded. The message is not from Lehigh and the link takes you to a non-Lehigh site which may have malicious software. Delete this message. NOTE: you can hover over links to see that it does not go to a real lehigh domain. You can also check your (legacy, not Gmail) mail quota by going to your Lehigh Account web page linked at the bottom of the main Lehigh and Inside Lehigh web pages.

Fake Mail Quota Warning

Fake Security Update

This message falsely indicates a security update requires your action to complete, and that if not responded to within 24 hours, you may lose your email. This message is a fraud, by examining the destinations of the link in the message you will notice they go to some other domain, 'webs.com'. Delete this message; do not click on any of the links or attempt to reply.

Fake Security Update

Account Expiration Fraud

This message fraudulently tells you your account is about to expire and tries to get you to click the link to read the message. The message is not from Lehigh and the link takes you to a non-Lehigh site which may have malicious software. Delete this message. NOTE: you can hover over links to see that it does not go to a real lehigh domain. You can also verify if your account will soon expire by going to your Lehigh Account web page linked at the bottom of the main Lehigh and Inside Lehigh web pages.

Account Expiration Fraud

Calendar Phishing

This is a calendar event that appeared on a staff member's Lehigh Google Calendar, and a variation on the theme of email phishing. Delete calender events that may appear in your calendar.

Calendar Phishing

IT Services and Operations (Fraud)

This message fraudulently tells the you, the recipient, that the webmail server has been upgraded and that you should click and follow the links to take advantage of new security features. While the text appears to be a legitimate link if you hover over the link you see that it takes you to a non-Lehigh server and likely one that will do harm to your identity or your computer.

IT Services and Operations (Fraud)

Webmail Upgrade Fraud

This message indicates that you are using more space for web mail than you have been allocated. It threatens that unless a link is clicked to upgrade the account, the account holder will be unable to receive email. Notice that the message is signed "Admin Help Desk" (no such thing), refers to "email labs" (again, no such thing), and that the link points to someplace that is not lehigh.edu. Clicking the link can result in having your account credentials compromised. This email should be regarded as SPAM and deleted.

Webmail Upgrade Fraud

Account Security Breach Violation

This message purports to be a "Lehigh Web Notice" about a security breach to your account. It threatens that unless a link is clicked to verify the account, the account holder will be unable to send email. Clicking the link can result in having your account credentials compromised. This email should be regarded as SPAM and deleted.

Account Security Breach Violation

Xerox Scan Fraud

This message pretends to be an email message sent by a multifunction printer/scanner/fax machine as the result of scanning a document. The message claims that the document is a PDF, but the attachment is actually a ZIP archive (note the extension at the end of the file name). The key principle here is that any message you weren't expecting should be regarded as suspect--if you didn't just scan a document, why would you be receiving this? If you aren't sure, don't click on any links or open any attachments.

Xerox Scan Fraud

Secure Message Fraud

This message purports to be a transmission of a secure message from a company called "fiserv.com," a mobile banking services company. The sender address, however, is "nacha.org," which is a completely different (and unrelated) group that oversees the ACH network (a key player in electronic fund transfers). The NACHA name has been used for some time as a cover for fraudulent mailings of various types (see https://www.nacha.org/node/983). This particular mailing is an attempt to get you to open and execute an infected attachment.

Secure Message Fraud

Fake Upgrade Alert (again)

This message is a version of the same scam we have seen before. The screenshot shows that, depending upon your mail client, and whether it blocks images, the message can look slightly different. Note that the link, which purports to go to http:/www.lehigh.edu/ltsNews (this URL does not exist and is not even correctly-formed, as the slash following the colon should be two slashes) actually goes to http://www.123contactform.com/form-580146/Lehigh.

Fake Upgrade Alert (again)

Fake LinkedIn "Important Profile Changes" Alert

This email attempts to trick you into clicking on a link. It purports to be from LinkedIn, and it looks very realistic (the graphics are all exactly like those in real LinkedIn messages, and there are no apparent errors in grammar or style). But the link, whose address is http://199.47.149.2/~sunnycha/probabilities.html, does not point to a LinkedIn address (it does not even point to a named server, but just an IP address!). This email should be regarded as SPAM and deleted.

Fake LinkedIn "Important Profile Changes" Alert

Fake Amazon Kindle Order Confirmation

This email appears to come from Amazon, but note the email address is not amazon.com, but rather amazon.org. The links all point to code on the myataworld.com domain. This email should be regarded as a phishing attack with intent to infect your computer and obtain data. Do not click any links and delete it immediately.

Fake Amazon Kindle Order Confirmation

"Violation Security Breach"

This email tells you that your webmail has been infected with a dangerous virus. It is a fake.

"Violation Security Breach"

Fake "Verify Mailbox and Increase Quota" Alert

This email tricks you into thinking there is a problem with your mailbox and quota and encourages you to click the link to fix it. Do not click on the link. Note also the improperly sized Lehigh graphic. This email should be regarded as SPAM and deleted.

Fake "Verify Mailbox and Increase Quota" Alert

Fake "Account Update" Alert

This email implies that as a result of an upgrade, you need to log in to your account to check out the "effect". It provides a link to the supposed login page (LTS would not do this--users should know where the login page is, and should know not to click on links in email messages). Notice that this link goes to a page in a non-Lehigh domain (the page looks very much like our portal login page--but if you pay attention to the web address, it can't possibly be a Lehigh page). This email should be regarded as SPAM and deleted.

Fake "Account Update" Alert

Pages