User menu

Menu

Main menu

Recent Phishing Examples

Banking Information Form

This is the form included with the "Irregular Activities Verification" scam message.

Banking Information Form

Fake Exceeded Your Sending and Receiving Portal Message

This message is a clever attempt to obtain your credentials through claiming your email has exceeded it's sending and receiving limits on the Campus Portal. Notice the tell-tale signs of phishing highlighted in the example. Message claims to be from Lehigh Webmail, but address is Admissions (both false). If you hover over the link, you will see it attempts to take you to a domain shreenandinternational.com, not an actual Lehigh web site. Do NOT click on the link!

Fake Anti-Virus Update

This message attempts to get you to sign into your lehigh account in order to update a fake "anti-spam/anti-virus/anti-spyware" software called "F-Secure R-HTK4S". It is an attempt to steal your lehigh credentials.

antiviurs phishing message screenshot

Fake eFax

This message tries to get you to click on a link by claiming that you have received a fax message online. Some of the links on the page are copies of legitimate links, but the trap is a very deceptive link. On the surface, the link text says "http://www.efax.com/fax/fax_view.aspx?fax_id=7132159010", which looks like a reasonable link.

efax phishing message screenshot

Email Suspension

This message claims that your email is suspended and provides a link -- note that the link is NOT in the lehigh.edu domain and that it lacks punctuation.

Email Suspension

Fake Mail Quota Warning

This message fraudulently tells you that your email quota has been exceeded. The message is not from Lehigh and the link takes you to a non-Lehigh site which may have malicious software. Delete this message. NOTE: you can hover over links to see that it does not go to a real lehigh domain. You can also check your (legacy, not Gmail) mail quota by going to your Lehigh Account web page linked at the bottom of the main Lehigh and Inside Lehigh web pages.

Fake Mail Quota Warning

Fake LinkedIn Announcement

This message purports to be from the social media site LinkedIn, suggesting that someone wishes to connect with you. This message is a fraud, as can be seen by examining the destinations of the links in the message (they do not go to LinkedIn). Delete this message; do not click on any of the links or attempt to reply.

Fake LinkedIn Announcement

Fake Security Update

This message falsely indicates a security update requires your action to complete, and that if not responded to within 24 hours, you may lose your email. This message is a fraud, by examining the destinations of the link in the message you will notice they go to some other domain, 'webs.com'. Delete this message; do not click on any of the links or attempt to reply.

Fake Security Update

Account Expiration Fraud

This message fraudulently tells you your account is about to expire and tries to get you to click the link to read the message. The message is not from Lehigh and the link takes you to a non-Lehigh site which may have malicious software. Delete this message. NOTE: you can hover over links to see that it does not go to a real lehigh domain. You can also verify if your account will soon expire by going to your Lehigh Account web page linked at the bottom of the main Lehigh and Inside Lehigh web pages.

Account Expiration Fraud

Calendar Phishing

This is a calendar event that appeared on a staff member's Lehigh Google Calendar, and a variation on the theme of email phishing. Delete calender events that may appear in your calendar.

Calendar Phishing

IT Services and Operations (Fraud)

This message fraudulently tells the you, the recipient, that the webmail server has been upgraded and that you should click and follow the links to take advantage of new security features. While the text appears to be a legitimate link if you hover over the link you see that it takes you to a non-Lehigh server and likely one that will do harm to your identity or your computer.

IT Services and Operations (Fraud)

Webmail Upgrade Fraud

This message indicates that you are using more space for web mail than you have been allocated. It threatens that unless a link is clicked to upgrade the account, the account holder will be unable to receive email. Notice that the message is signed "Admin Help Desk" (no such thing), refers to "email labs" (again, no such thing), and that the link points to someplace that is not lehigh.edu. Clicking the link can result in having your account credentials compromised. This email should be regarded as SPAM and deleted.

Webmail Upgrade Fraud

Account Security Breach Violation

This message purports to be a "Lehigh Web Notice" about a security breach to your account. It threatens that unless a link is clicked to verify the account, the account holder will be unable to send email. Clicking the link can result in having your account credentials compromised. This email should be regarded as SPAM and deleted.

Account Security Breach Violation

Xerox Scan Fraud

This message pretends to be an email message sent by a multifunction printer/scanner/fax machine as the result of scanning a document. The message claims that the document is a PDF, but the attachment is actually a ZIP archive (note the extension at the end of the file name). The key principle here is that any message you weren't expecting should be regarded as suspect--if you didn't just scan a document, why would you be receiving this? If you aren't sure, don't click on any links or open any attachments.

Xerox Scan Fraud

Secure Message Fraud

This message purports to be a transmission of a secure message from a company called "fiserv.com," a mobile banking services company. The sender address, however, is "nacha.org," which is a completely different (and unrelated) group that oversees the ACH network (a key player in electronic fund transfers). The NACHA name has been used for some time as a cover for fraudulent mailings of various types (see https://www.nacha.org/node/983). This particular mailing is an attempt to get you to open and execute an infected attachment.

Secure Message Fraud

Fake Upgrade Alert (again)

This message is a version of the same scam we have seen before. The screenshot shows that, depending upon your mail client, and whether it blocks images, the message can look slightly different. Note that the link, which purports to go to http:/www.lehigh.edu/ltsNews (this URL does not exist and is not even correctly-formed, as the slash following the colon should be two slashes) actually goes to http://www.123contactform.com/form-580146/Lehigh.

Fake Upgrade Alert (again)

Fake LinkedIn "Important Profile Changes" Alert

This email attempts to trick you into clicking on a link. It purports to be from LinkedIn, and it looks very realistic (the graphics are all exactly like those in real LinkedIn messages, and there are no apparent errors in grammar or style). But the link, whose address is http://199.47.149.2/~sunnycha/probabilities.html, does not point to a LinkedIn address (it does not even point to a named server, but just an IP address!). This email should be regarded as SPAM and deleted.

Fake LinkedIn "Important Profile Changes" Alert

Fake Amazon Kindle Order Confirmation

This email appears to come from Amazon, but note the email address is not amazon.com, but rather amazon.org. The links all point to code on the myataworld.com domain. This email should be regarded as a phishing attack with intent to infect your computer and obtain data. Do not click any links and delete it immediately.

Fake Amazon Kindle Order Confirmation

"Violation Security Breach"

This email tells you that your webmail has been infected with a dangerous virus. It is a fake.

"Violation Security Breach"

Fake "Verify Mailbox and Increase Quota" Alert

This email tricks you into thinking there is a problem with your mailbox and quota and encourages you to click the link to fix it. Do not click on the link. Note also the improperly sized Lehigh graphic. This email should be regarded as SPAM and deleted.

Fake "Verify Mailbox and Increase Quota" Alert

Fake "Account Update" Alert

This email implies that as a result of an upgrade, you need to log in to your account to check out the "effect". It provides a link to the supposed login page (LTS would not do this--users should know where the login page is, and should know not to click on links in email messages). Notice that this link goes to a page in a non-Lehigh domain (the page looks very much like our portal login page--but if you pay attention to the web address, it can't possibly be a Lehigh page). This email should be regarded as SPAM and deleted.

Fake "Account Update" Alert

Fake Portal Login Page

This is the fake portal login page that the fake "Account Update" alert message links to. It looks almost perfect. But notice the address, "chriscomport.com". This page is not real and you should not enter any information whatsoever into this page.

Fake Portal Login Page

Fake "Security Breach" Alert

This email is quite similar to yesterday's fake Upgrade Alert message, even using the same Subject line. However this message attempts to create a sense of urgency by claiming that your account will be closed if you take no action. That should be a red flag, as LTS will never threaten you with account closure. Also notice that the link at the bottom of the email is pointing to a non-Lehigh domain. This email should be regarded as SPAM and deleted.

Fake "Security Breach" Alert

Fake Upgrade Alert

This email purports to be a notification from LTS about upgrades to the Lehigh web-mail servers. As a security precaution, Library and Technology Services no longer sends emails with links in them. If you get an email claiming to be from us, and directing you to follow a link, you may safely assume it is fraudulent, and should delete it immediately.

Fake Upgrade Alert

Fake "Irregular Action" / Verify Address Alert

This clever phishing example looks like it is from Lehigh. If you hover over the link, notice that the server address - the part between the double-slash and the next slash - is not the lehigh.edu domain (it starts out like a Lehigh web address, but it actually ends with "beverlyblackburn.com"!). Very tricky. If you were to follow this link (DON'T), you'd see a fake webmail login page (shown elsewhere in this list). NOTE: LTS will not send links in email, and we will not ask for your password!

Fake "Irregular Action" / Verify Address Alert

Fake Lehigh Webmail Login

This web form is attempting to look like a Lehigh secure web page. Note that the web address (URL) is not in the lehigh.edu domain.

Fake Lehigh Webmail Login

Fake Lehigh Account Information Form

This web form is attempting to look like a Lehigh secure web page. Note that the web address (URL) is not the lehigh.edu domain. There are also a number of misspelled words, including Lehigh.

Fake Lehigh Account Information Form

Fake Lehigh LTS Account Compromise Alert

This clever phishing example looks like it is from Lehigh LTS - note that if you hover over the link, it is not the lehigh.edu domain. NOTE: LTS will not send links in email, and we will not ask for your password!

Fake Lehigh LTS Account Compromise Alert

Fake Adobe Website

This phishing scheme takes users to a fake Adobe site. Note the web address, whose domain is "goodcollegeloans.org."

Fake Adobe Website

LinkedIn Email

Many at Lehigh are using LinkedIn for professional networking. This example looks very much like the email messages received daily from LinkedIn.

LinkedIn Email

Better Business Bureau Claim Email

Phishers often use scare tactics to encourage people to click before they think! This is an example of a messages that appears to come from the Better Business Bureau.

Better Business Bureau Claim Email

Amazon Order Confirmation

Clicking on the links in this fake Amazon Order Confirmation will take you to a compromised site that will infect your computer.

Amazon Order Confirmation

Income Tax Return Payment Receipt

This message purports to be a rejected electronic income tax refund. It attempts to trick you into downloading and opening an infected Word document.

Income Tax Return Payment Receipt

Pages