Recent examples of phishing
True sending account is: firstname.lastname@example.org not email@example.com.
President Hennessy's name is spelled incorrectly.
From: John Hennessay <firstname.lastname@example.org>
Sent: Monday, May 2, 2016 11:31 AM
To: <employee name>
Are you at your desk? I need you to send me an email attachment with the individual 2015 W-2 (PDF) and earnings summary of all the employees
Sent from my iPhone
Mon 2/1/2016 9:35 AM
From: email-campaign <email@example.com>
Sent: Sat 1/30/2016 10:02 AM
Checkout the new Stanford webmail and know if it has started working for you, its secured, faster and easy, you can give it a try by signing with your correct user and password.
click here to sign in: http://soconnectzm.voici.org/
Stanford Mail Service
email-campaign mailing list
A Trojan malware email attachment is affecting computers Stanford-wide. The subject of the email is 2 Invoices Attached. The symptoms of an infected machine are the browsers continually crashing; otherwise, there are no additional signs.
University IT Computer Resource Consulting (CRC) has received guidance from the Information Security Office that if the attachment is opened on a Windows machine (not just previewed in Outlook/Office 365) a complete rebuild of the machine is required. Macs, phones, and Chromebooks are not affected.
Please advise your users NOT to open the attachment. If they have opened the attachment, please advise them to submit a HelpSU request so CRC or the appropriate IT team can remediate their machine.
More information on the malware can be found at: http://sanesecurity.blogspot.com/2015/11/2-invoices-attached-invoices17080258doc.html
Please see the attached invoices and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Stanford University Email Account
Security info replacement
Someone started a process to replace all of the security info for your Email Account.
If this was you, you can safely ignore this email. Your security info will be replaced with 15623535981 when the 5-day waiting period is up.
If this wasn't you, someone else might be trying to take over your email account. Click here to fill in details and verify your current information in our servers and we'll help you protect this account.
For: Standford University Email Team
This example is pretty flagrant in many respects. The grammar is very bad (note the first sentence is not even a complete sentence). It does not come from a Stanford address (what is telkomsa.net?) It is signed "Standford". The email is addressed to "firstname.lastname@example.org". Even if that is a legitimate address, it would clearly go to a very large number of people, but the email itself suggests that the individual recipient's account has been compromised. And, of course, the email includes a link to click where the recipient is supposed to "update settings". Do not trust links like this, especially when they do not even pretend to go to a stanford.edu site.
From: Help Desk <email@example.com>
Date: June 20, 2014 at 7:57:55 AM PDT
It had been detected that your cs-stanford-edu email account. Mail delivery system had been affected with virus. Your email account had been sending virus included with your mail to recipient's account and as such a threat to our database. You'll need to update the settings on your cs-stanford-edu email account by clicking on this link: http://forms.logiforms.com/formdata/user_forms/66949_9366478/321793
The reply-to address is a non-Stanford address: Stanford University <firstname.lastname@example.org>
When you hover over the icons they reveal non-Stanford links.
Subject: Stanford University WebLogin Updates
This one is pretty convincing. In case you're wondering, the address at the bottom in Luxembourg is the actual address Apple publishes for iTunes. The clues here are the same as in most phishing scams, first of all the actual URL behind the links in the email, and even more than that the very fact that you're asked to click on a link in email and, once there, change your password to some account. Simple rule: never do this. If you're in doubt, contact the IT Service Desk at 725-HELP (650-725-4357) or submit a HelpSU request (copy paste this URL into your browser: helpsu.stanford.edu).
Your Apple ID was used to sign in to iCloud on an iPhone 4.
Time: February 06, 2014
Operating System: iOS;6.0.1
If you recently signed in to this device, you can disregard this email.
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have accessed your account, please click here to confirm your details and change your password.
Copyright © 2014 iTunes S.à r.l. 31-33, rue Sainte Zithe, L-2763 Luxembourg. All rights reserved.
The biggest clue that this is a phishing attempt is the most obvious: it is asking you to click on a link in an email message. It is also telling that it says your email account has been suspended, but in fact you just received this message by email, most likely with a lot of other messages, so that part is clearly untrue. There is also nothing that tells you who or what organization in Stanford actually sent it; it just says "Stanford University". Finally, if your email program allows you to see the URL behind the link without clicking on it, you would see that the "Click here" link goes not to a stanford.edu host but to one in ".kz", which turns out to be Kazakhstan. They are unlikely to be involved in the security of Stanford email, except perhaps to try and reduce it.
signature.gif (156×30) saying "Stanford University"
Your e-mail access has been suspended for your security.
To regain your access Click here
This message has many cues as to its lack of authenticity. First and foremost are the many spelling and grammar errors: "You can active your account", "Centeral", "seccussfull", "you will be redirect", "If there was error in login". You should also be suspicious when there are names for services that either you don't recognize or seem to be used inappropriately, such as "Authcate Account" (there is no such thing at Stanford), "Centeral Authentication System(CAS) Weblogin", "available on the helpsu".
What is most concerning, and what makes this a phishing attempt rather than just bad spam, is the link in the message purporting to go to accounts. stanford.edu. The URL behind this text actually points to a host (paperisi.ir) in Iran. Because you sometimes cannot determine what the link in an email message actually points to, you should never click on an embedded link. It is generally very safe to copy the text of the link (e.g., accounts.stanford.edu) and paste it into the address bar of your browser, as long as you recognize the domain part of the link (in this case, "stanford.edu").
Dear Stanford Student, Faculty, Staff
Your Authcate Account will be inactive in 2 days. Because of some
security problems about login from strange IP addresses we decided to make
some changes (Upgrade) and this is due to the implementation of a new
version of Centeral Authentication System(CAS) Weblogin in new
You can active your account by going to the
Weblogin and simply login by your SUNet ID to activate your
Then, after seccussfull login click on "Logout" and you will be redirect to [link removed]
and in StatusChecker check your
account state. if your Account Status is Active or not. If
there was error in login, try to activate again.
Please note: If you get an Authentication Error Just try 2 times to
login again, and return to the
portal login page and start again. because System will automatically block
your IP and Account and you should contact Support System to
Answers to some frequently asked questions
(FAQs) are available on the helpsu.
Stanford, CA 94305-4102
The message purports to represent a "Customer Service Research" organization, but never mentions the name, and there is no contact information provided. There are, as is often the case, numerous grammatical, capitalization, and other errors (e.g., "We are Leading Agency", "Should you interested..."). There are also elements that may be intended to keep the message from being tagged as a phishing attempt, such as "Full A.d.d.r.e.s.s :" (in case a filter is looking for "Address"). Even the subject line uses a zero instead of an "o" in "P0sition" in case that word is flagged.
We are Leading Agency Specialized in (Global) Customer Service Research. We are starting a very big research project in USA. This project takes place every month. We need to recruit Mystery Shoppers to join our project to work as a surveyor. Should you interested, your salary would be US$300 per assignment.
Money order will be in a certain amount that you will be asked for cash at your bank, deduct your salary and have the rest used for the evaluation. Provide me with the following details listed below:
Contact us with your INF0RMATI0N If you interested:
Full Name :
Full A.d.d.r.e.s.s :
Your response would be greatly appreciated.
This email appeared to be a message from the voicemail system with a voice message attached as a file. The message appeared to come from Unity Messaging System <Unity_UNITY3@stanford.edu>, which turns out to be a non-existent Stanford address. The attachment should have been removed by Stanford's newly enhanced screening mechanisms, which remove attachments that are likely (based on the kind of file) to be phishing attempts or other malware.
Without the current attachment screening and removal tools, the only clues that this was not a legitimate message would be that the "From" address was not valid (which would not necessarily be easy to determine, but a call to the IT Service Desk would reveal this), and the fact that the "voicemail" file had the extension .zip instead of the normal .wav (again, a subtle detail that many are not aware of).
The message itself has very little text, but the following would appear as a way of notifying recipients that the attachment was removed:
Note: The original attachment was automatically removed by Stanford's email
system because it was identified as a file type that is commonly associated
with malicious software. In order to transmit this type of file, please use
an alternate mechanism such as Stanford's Box service.
The attachment name is VoiceMessage.zip, voicemessage.zip.
The attachment type is application/zip.
We detected a login attempt with valid password to your CS. Stanford email account from an unrecognized device on Mon Sept 16, 2013 01:56 PM PDT.
Location: Germany (IP=3D126.96.36.199) Note: The location is based on information from your Internet service or wireless carrier provider.
Was this you? If so, you can disregard the rest of this email.
If this wasn't you, please LOGIN HERE to confirm your ownership of this account and to protect your email account information from potential future account compromise.
The office of Information Security will keep this updated if information should change, but we encourage all users to run their updates after the expected release of this patch.
The Computer Science Department Computer Facilities (CSD-CF)
Location: Gates 170
Phone: 650 725-1451
Fax: 650 723-1701
The "ITS" in the email is hyperlinked but hovering over the link shows the URL does not point to a stanford.edu domain.
Institute account Routine System. all institutional mail account users are advice to upgrade /Update account now This has been made mandatory for all. for assistance click: ITS
Failure to do this you will have your account suspended on till report is made to the institution authorities.
ITS service Team
© Copyright 2013.
All Rights Reserved
From: Stanford Webmail Team
Dear Stanford Account User,
This message is from Stanford Admin Team, Your email account has exceeded its mail quota on
our server database and your account will be inactive within the next 24-48 hours if it is not
verified. You are advised to on click the link below and follow the instructions to verify your
Stanford Help Desk.
Dear All Students of Stanford University,
We are experiencing a problem in our server that all students need to re-activate their SUNet ID. This is due to the implementation of a new library system. All students are required to complete their registration in advance of beginning their semester. This will enable us proceed their classes to be started on time. Please visit following page to activate your SUNet ID.
Consequences of Incomplete Activation
Students will not receive grades for courses attended.
Once classes begin, students cannot add, late add, or late drop courses for the current semester.
Students are ineligible to register for future semesters.
If receiving student loans, the student may enter a repayment status with lender.
If receiving student aid, some aid sources may be cancelled and unable to be reinstated at a later date.
If receiving an award, the student cannot be hired.
The University reserves the right to cancel an incomplete registration for failure to pay tuition and fees.
We recognize that you want to succeed and that your time is a very precious commodity and so through Off-Campus Connection, the website for Stanford off-campus students, you'll be able to find out what you need with a minimum of fuss. We are always looking to improve and update our website, and so welcome your comments and feedback. Send them along to us at the Off-Campus Learning Centre.
I wish you all the very best in your studies at Stanford University.
Stanford IT Service Desk: 724-HELP
243 Panama Street
Stanford, CA 94305-4102
Mailbox is full,00.1 MB,Please reduce your mailbox size. Delete any items you don't need from your mailbox and expand your email quota with the below web links:
HERE: [Link to phishing website removed]
Thank you for your understanding.
While the text of the link in the email looks legitimate, the URL is actually different and brings you to a phishing website.
Stanford University Email & Calendar system have been updated.
Please visit the updated Zimbra Email for information and instructions on how to access your email.
To access your email via the web: https//webmail.stanford.edu/
Updated Webmail includes a refreshed interface with tabs on top and a new inbox email default theme.
Beginning on Friday, August 30th, 2013, the new web-mail application becomes the default for all users.
Updated to improve performance (Standard and Basic interfaces)."