You are here

Password Phishing Scam Messages - 5/25/2017

This message fraudulently tells you your account is about to expire and tries to get you to click the link to read the message. The sender of the message is not from Lehigh and the link takes you to a non-Lehigh site which may have malicious software. Delete this message. NOTE: you can hover over links to see that it does not go to a real Lehigh domain. You can also verify if your account will soon expire by going to your Lehigh Account web page linked at the bottom of the main Lehigh and Inside Lehigh web pages.

Drob Box Phishing Scam Messages - 5/3/2017

Lehigh has been experiencing a number of phishing messages using emails with links to Drop Box documents. If you hover your mouse cursor over the link, it will show the address it is attempting to get you to go to. The messages may appear to be from people you know. If you are not expecting a file, you should immediately be suspicious and use extreme caution. If you have clicked on anything that requires a password you feel is not legitimate, it is always a good idea to reset your Lehigh password at https://www.lehigh.edu/change.

Google Phishing Scam Messages - 5/3/2017

USE EXTREME CAUTION! Lehigh and locations across the country (and possibly world-wide) have been experiencing a high volume of phishing messages using emails with links to Google Documents which use malicious code to affect your Google account. These are being caused a compromised Google App which has now been blocked by Google, but there will be continued issues with those who were compromised before the problem was blocked.

Urgent-Important Campus Alert!

This is a phishing email intended to get you to enter credentials on a non-Lehigh web page. You will notice:
1) Sender is from an alleged Canadian address (uoguelph.ca)
2) Hovering over the link displays it goes to a non-Lehigh address.
3) Signed by Richard Nixxon
4) Falsely lists our address in the signature line.
5) Uses urgency (you must act now) as a scare tactic to get you to respond.

Please be aware of these types of details when you see messages of a questionable nature,

LTS

BlackBoard Mail message

This is likely a message distributed to a number of universities -- Lehigh is not a BlackBoard institution (we use Moodle, or CourseSite). Note that the sender is not a Lehigh email address and the grammar is poor.

BlackBoard email message

IT Service: Mail Exceeded Allocated Storage

Notice the two features identifying this as a phishing email: 1) The sender (highlighted) is not a Lehigh account; 2) the link in the email (highlighted) is to a non-Lehigh web address. Do not click on the link, and simply delete this email.

Phishing Example - 7/24/2016

Phishing example from consumer Gmail account

Phishing example from July 25, 216. Note that sender is a generic Gmail account and the link is not Lehigh branded. The footer and greeting contains some Lehigh-specific information, but URL is not a Lehigh domain, the sender is not a Lehigh domain, and the message is sent impersonally to "undisclosed recipients."

Phishing example from July 25, sender is generic Gmail account, link is not Lehigh branded

Phishing invoice with attachment

Another message received by a Lehigh staff member working in a financial area. The message was personalized to the staff member and had a .doc attachment which likely contains malicious content.

Sterling Bank

Example of a spear phishing message that has been targeting financial departments at Lehigh.

Re: Expiration Notice

This is a bogus message about Lehigh Library Accounts. Lehigh Library accounts don't expire. Looking at the send address reveals that it's from a commercial Gmail address (ends in @gmail.com) not from a Lehigh email address, which ends in @lehigh.edu. Another clue that this is phishing message is that the URL points to a domain ending in .ga, NOT lehigh.edu.

Fake request to restore service after inactiveness

Be alert to phishing messages like this example which try to fool you into clicking the link because it contains "ltshelpdesk". You will notice that the link actually goes to the domain 'moonfruit.com', and was sent from an email address reportedly from 'slu.edu', not 'lehigh.edu'. Another hint of possible phishing is the emphasis on urgency and poor grammar.

Do not click on links that you are unfamiliar with, or that don't come from lehigh.edu domains. Simply delete the message.

sample phishing email

Exceeded Web Mail Quota

Message falsely claims you have reached your 500MB limit on Lehigh Web Mail. You may note the sender has a .pk (Pakistan) email address. The link for Lehigh Web Mail may work, but the link to "Click Here" takes you to a non-Lehigh Google web form in an attempt to collect your username and password.

Do not click either link. Simply delete this message.

Phishing Example - 2015-12-09

Important Message

Clues that this is a phishing message and not a legitimate Lehigh email:
1. The sender's non-Lehigh email address
2. Incorrect spelling
3. The link takes you outside of the lehigh.edu domain

If you are a Lehigh Gmail user, you can report this as a phishing message:
1. At the top-right corner of the message, click the down arrow next to the Reply button.
2. Select Report Phishing from the drop-down list--the message will go directly into your Spam folder.

Lehigh University Terror Alert***

The non-Lehigh email address this was sent from, the grammatical errors and vague contextual information, and the fact that the messages requests your username and password are all clues that this is phishing scam. Always remember, LTS will never ask you for your password.

As a Gmail user, you can report this as a phishing message:
1. At the top-right corner of the message, click the down arrow next to the Reply button.
2. Select Report Phishing from the drop-down list--the message will go directly into your Spam folder.

Important Blackboard Message Phishing Mail

This phishing mail claims to be from Blackboard Learning regarding an important course work message. It is addressed to the user, and the link also includes the user's email address in the link text. Hovering over the link will reveal that the true destination of the link has nothing to do with Lehigh University at all, and typically points to another country.

Do not click the link. Simply discard this message.

Email Upgrade

Like any other phishing message you'll receive, hovering over the link shows that the it does NOT take you to a Lehigh University webpage (all Lehigh pages will end in .EDU).

Simply report it as phishing if you're a Gmail user:
1. At the top-right corner of the message, click the down arrow next to the "Reply" button.
2. Select Report Phishing--the message will go directly into Spam

With Subject Line: DT, db, or bD

The non-Lehigh URL, http://webbmail-vcu.bravesites.com/ (note that it ends in bravesites.COM, not LEHIGH.EDU) is a clue that this is a phishing message.

If you are a Gmail user, you can mark it as Phishing by opening the message and:
1. At the top-right corner of the message, click the down arrow next to the "Reply" button.
2. Select Report Phishing.

Dear Lehigh.edu Account User

The non-Lehigh email address (ends in @udd.cl) and non-Lehigh URL, http://sso-cc-lehigh-edu.jimdo.com/ (note that it ends in JIMDO.COM, not LEHIGH.EDU) are clear warning signs this is a phishing message and not from the Help Desk. Grammar and punctuation errors are also always common red flags...

If you are a Gmail user, you can mark it as Phishing by opening the message and:
1. At the top-right corner of the message, click the down arrow next to the "Reply" button.
2. Select Report Phishing.

Wells Fargo Account Scam

This is a classic phishing scam using scare tactics to get you to reveal personal information. Note that the apparent sender of the message (@cyberlink.ch) is in Switzerland.

Wells Fargo fake account warning message

Webmail Account Certificate?

This email, which purports to be from the "Help Desk®" with the subject "Your Mailbox" claims that you need to update and verify your Webmail certificate. It will ask you to click a link within the email to provide your credentials. This is NOT legitimate! You will never be asked by LTS to provide your credentials through a direct link within an email. Please delete this email or any similar email that hits your inbox.

Fake Blackboard website

This scam website, with the URL "www.ceyice.cc/board/webmail.blackboard.htm" (a domain associated with the Cocos Islands in Australia) purports to be a login for Blackboard (the campus learning tool Lehigh used before Coursesite). Do not submit any information to this site!

Fake Blackboard login page

Dear lehigh.edu Account User

This is not an email from the Help Desk. Notice the link they want you to click on tries to fool you into thinking it's a Lehigh website but close inspection reveals it ends in jimdo.com, which is NOT a Lehigh site. Do not click it--mark it as SPAM immediately and delete.

Webmail account email upgrade -- bogus!

This bogus message includes a link that is not a Lehigh domain and other signs that it is of doubtful origin.

Warning! Upgrade phishing message

Terror Threat Phishing Email

This is NOT an LTS or Lehigh communications email but a Phishing email. Lehigh departments nor LTS will NEVER ask you to send your log on credentials in ANY email we author. You can delete the email.

If you have sent your credentials in response, you will want to log into your account and reset your password immediately.

Fake Resume / Internship Request

This email (and variants of it) claims to be a request for an internship, job, or simply an open sharing of a resume. It is NOT legitimate. Opening the attachment can trigger a password stealing trojan or malware infection on your computer. The name and sender (as well as the exact wording in the text) may vary. Under no circumstances should you attempt to open an attached file from an unsolicited email.

Resume

Fake Anti-Phishing Email

This email purports to be from "Lehigh Help Desk Services". It requests that you click a link to upgrade your email account as part of an "anti-phishing server upgrade". This email is not legitimate and was designed to steal your credentials. If you receive this message, please delete it.

Fake Anti-Phishing Email

Click here to renew your Webmail account

This message will ask for your credentials, but the link takes you to a non-Lehigh web address starting http://artwentyone.altervista. Delete it (don't click on the link in the body of the email!).

CONFIRM YOUR EMAIL IDENTITY NOW!!!

This message is phishing, even though it references Lehigh Roundcube -- the message is tailored to Lehigh's systems, which is called spear phishing. It is specious, and should be deleted.

CONFIRM YOUR EMAIL IDENTITY NOW!!!

Fake Webmail Security Message

This email is NOT legitimate. It purports to be from the "Lehigh University Webmail Management Team" warning about an account break-in attempt. The link in the email is an attempt to steal usernames and passwords. Do NOT click the link. This message should be discarded with no further action. If you have clicked the link and supplied information, please change your password immediately.

Fake Webmail Security Message

Fake email from HELP DESK to update records

The following email has been seen in circulation at Lehigh. This is NOT a legitimate email, and asks users to click the link in an attempt to steal their username and password. Do NOT click the link. This message should be discarded with no further action. If you have clicked the link and supplied information, please change your password immediately.

Travel assistance spear phishing message

This message attempts to seem trustworthy by appropriating the name of an actual person at Lehigh. Unfortunately, this is all too easy for an attacker to do. The message is a complete fraud and the person named was not involved in any way.

Travel arrangements phishing message

Fake IRS Tax Refund Email

This phishing email purports to be from the "IRS Tax Credit Office". It is designed to trick the recipient into submitting confidential financial information. Never submit personal information online when solicited via email. This type of phishing email message should be deleted immediately.

IRS Scam

System Administrator

This phishing message is designed to trick you into believing you've exceeded your email quota/limit. While it's coming from a Lehigh email address (the user's account was compromised) the key sign that makes this email a fake is the non-Lehigh URL the "click here" text links to, outlookwebmails.weebly.com. Always hover your mouse cursor over the link to see the target destination BEFORE clicking. If you have any doubt, call the Help Desk before you click.

Fake Wells Fargo message

This message is confirmed to be "fake." Wells Fargo was contacted and they offered this advice: Review the following tips to help safeguard your personal and account information:

Phishing attempt dated Dec. 4

This message appears to be coming from a university in Missouri -- which may or may not be the case. The sender, the urgently worded subject line of "reply asap," and the request for credentials via mail are all indicators that this is phishing.

Phishing attempt dated 12/4

Fake University Portal Email Upgrade

This fake email "over limit" email purports to be from Lehigh and suggests that you must upgrade your email account because you are over your usage limit. It is NOT from Lehigh and should be deleted immediately. If you clicked the link and entered your Lehigh credentials, you should reset your Lehigh password immediately.

Fake Portal Mail upgrade

Alert - You have exceeded your webmail.lehigh.edu quota

This is yet another phishing attempt that tries to trick you into thinking you've exceeded your email quota. Notice the sender isn't even from Lehigh (mail.gvsu.edu) and that the CLICKHERE link goes to a non-Lehigh website. Always hover your mouse cursor over the link to see the target destination BEFORE clicking. If you have any doubt, call the Help Desk before you click.

You have exceeded your webmail.lehigh.edu quota

This phishing message is designed to trick you into believing you've exceeded your email quota. Note the signs that make this email suspicious:

  1. The sender's email is not a Lehigh email address: maplew@mail.gvsu.edu
  2. A non-Lehigh URL: www.form2pay.com...

Fake Upgrade your email account message

This false email attempts to have you log into a non-Lehigh web in an effort to steal your credentials. Note that the sender is oddly formed: "lehigh.edu Help Desk" with a none lehigh email address at oswego308.org address. The ClickHere link links to a non-Lehigh web page containing a form. Always hover your mouse cursor over the link and check it's target destination BEFORE clicking. If you have any doubt, call the Help Desk before you click.

Fake Upgrade your email account message

Upgrade your email account

This email is not legitimate and is a deceptive attempt to trick you into believing you need to upgrade your email. Note the signs that make this email suspicious:

  1. The sender's email is not a Lehigh email address: jmalnick1109@oswego308.org
  2. Incorrect grammar ("...yours need update")
  3. The link you are supposed to click on is NOT a Lehigh website (hovering over the "ClickHere" link reveals that it goes to www.formforall.com)

Fake Virus Alert Warning

This message, with a bogus link to "lehi.yolasite.com", is not legitimate. Do not click on links to non-Lehigh sites (something other than "lehigh.edu"), never give out personal information (SSN, credit card numbers) or provide credentials (such as username or password), and do not reply to unexpected spurious messages.

Fake Virus Alert Warning

Verify your account

This is a specious attempt to get you to reveal your Lehigh credentials to a malicious third party. Signs that this message is suspicious:

  • The sender is not a is not the LTS Help Desk email. While it does end in lehigh.edu this is easy to spoof in the header of a message.
  • If you hover over the link in the message, note that it goes to lehighdotyolasitedotcom -- NOT a Lehigh domain (Lehigh domains end in lehigh.edu)
  • Lehigh will never ask you to provide your credentials via an email message or embed a link in an email for login purposes.
Verify your account

Lehigh Webmail Sign-in Alert!!!

This phishing email falsely attempts to alert you to a sign-in to your webmail account from a different location.

The message is crafted to look like it is from Lehigh, with a forged sender of webinfo@lehigh.edu, and is signed with a proper Lehigh mailing address and phone number.

You will, however, notice the verification address is NOT a Lehigh address, but rather hostoi.com, and runs a php script which may allow malicious code to run in your web browser.

Fake Trojan Horse Warning

This is a relatively straightforward phishing example. Note that the link address (which isn't hidden in any way) is not in the "lehigh.edu" domain, but in "webs.com". And Lehigh is misspelled.

Trojan Warning

Lehigh Webmail: E-Portal update

This message is an attempt to confuse you with poor grammar and technical terms so you click the "Click here" link. Notice that the sender address is 'cmb@telia.com', and is NOT from the lehigh.edu domain. Do NOT click on the link! You can always verify your own quota limit by going to your account page (www.lehigh.edu/account) and checking quotas under mail management.

Lehigh University Portal

This message is an attempt to obtain your credentials through claiming your email has exceeded its memory size and requests you to upgrade your mailbox by clicking on the listed link. Do NOT click on the link! You can always verify your own quota limit by going to your account page (www.lehigh.edu/account) and checking quotas under mail management.

Quota Limit - Phishing Example

This message is an attempt to obtain your credentials through claiming your email has exceeded it's quota and requests you to upgrade your mailbox by clicking on the listed link. Notice that the sender address for Lehigh University is 'drh@uc.pt', and is NOT from the lehigh.edu domain. Do NOT click on the link! You can always verify your own quota limit by going to your account page and checking quotas under mail management

Quota Limit - Phishing Example

"ITS Web Upgrade"

This message is a repeat (look back in the archive to April 30, 2013). The "From:" address has been forged, but that fact doesn't mean much. Email addresses can't be counted on as an indication of a message's validity. The real key is that the link directs you to a web address that has nothing to do with Lehigh (http://myshoponline.net/wp-admin/includes/webmail/). Not only didn't Lehigh send this, it isn't a reasonable imitation of anything we actually would send. Delete it.

ITS Web Upgrade

Fake Email Sign-In Alert

This is an alarmingly well-crafted (but still completely fake) message that aims to steal your login credentials. Don't fall for it.

Fake Email Sign-In Alert

Irregular Activities Verification

This message contains an attached web form for you to provide personal information (including credit card accounts). The form also contains Javascript, which will capture additional information. As with all such messages, do not open the attachment and do not submit personal information into any forms sent to you by email. Note that although this claims to be from a bank, the sender is a Lehigh address. The listed recipient is the same Lehigh address, and you are only getting a blind courtesy copy (BCC:), so your name and address don't even appear.

Irregular Activities Verification

Pages