Skip to content Skip to site navigation

Recent Examples of Phishing

These are some examples of phishing emails seen on campus. Do NOT assume a suspect email is safe, just because it is not listed here. There are many variants of each, and new ones are being sent out each day.

Job Scams Targeting Students

December 8, 2022

Beware of a campaign targeting students with fraudulent job opportunities. Refer to this UIT news article for more detailed information.

What does the scam look like?

  • The initial email is either purportedly from or references a Stanford faculty member.
  • The email content describes a part-time job opportunity as a research assistant, intern, tutor, software developer, etc.
  • The job comes with an attractive weekly salary and often can be done remotely.
  • Attackers attempt early on to move the discussion with the target to a non-Stanford platform (text messaging, non-Stanford email, or a phone call).
  • The target is asked to fill out some basic information in a form and then is given a list of job tasks. After some tasks have been completed, the attacker expresses satisfaction.
  • Attackers send the target a digital image of a check with instructions to deposit in their account to cover initial salary plus buying startup items such as office supplies, laptop computer or training.
  • Attackers later ask for a sizable portion of the startup money to be transferred back via Zelle, PayPal, Venmo, etc., allegedly to cover one or more of those aspects (office supplies/computer/training).
  • If challenged, scammers may offer "proof" of the faculty member's identity, such as images of a forged Stanford ID card.
  • The target then transfers money to the attackers via Zelle, PayPal, Venmo, etc., only to find out some time later that the startup check is fraudulent and has bounced. Funds transferred from the target’s account are often not recoverable by the bank.

View examples of the scam components below:

Initial offer:

Application form:

Switch Away from Stanford Email:

First task:

Second task:

Deposit Fraudulent Paycheck:

Fraudulent paycheck:

Request to transfer some paycheck funds back for office supplies:

Fictitious ID to “verify” identity:

Payroll Schedule!

March 17, 2020

From: Stanford <>
Sent: Tuesday, March 17, 2020 6:41:17 PM
Subject: Payroll Schedule!

You have 1 new Schedule Message

Click here to read

© 2020 New York University

New Messages From Stanford Canvas Team

December 11, 2019
Canvas Phishing screeshot


The Stanford Canvas team posted five new messages on your Canvas dashboard that requires immediate attention.

Login to Canvas


Stanford Canvas Team

New message for <user>

December 2, 2019

Another phishing email looking for your SUNet password. Never click on links without validating URL.

Dear <user>,

You have a new messages regarding to your SUNet ID.

View message

Stanford/message/SUNetID -> link to fake login page

© Stanford University

Access locked: Server Error

November 20, 2019

Phishing emails using a compromised SUNet id. Hovering on the link reveals the malicious URL.

From: Stanford University <>
Sent: Wednesday, November 20, 2019 8:44 AM
To: user <>
Subject: Access locked: Server Error

Due to a server error on your e-mail, ( (7) incoming messages were delayed.

Log on to your portal to recover your delayed messages
Recover Delayed Messages
2019 Message Center

from <random phone number>

November 14, 2019

Attachment that mimics a sound file but it is really a HTML page. Leads to a credential harvesting page.

From: Scott Spain <>
Sent: Thursday, November 14, 2019 2:42 AM
Subject: from (671) 322-3152

Duration - {00:59} secs.
Time - 14-Nov-2019 05:42:15

Urgent Scheduled Meeting

November 11, 2019

Hovering over the link reveals the true nature of the email. Broken english is another red flag.

From: Stanford University <>
Sent: Monday, November 11, 2019 10:01 PM
Subject: Urgent Scheduled Meeting

Hello Member,

There would be an important meeting scheduled for tomorrow.

Kindly click here to view meeting details

Thank You
Stanford University.

Case ID:9354-61 - random numbers after Case ID:

November 7, 2019

A quick hover over the link reveals the phishing URL.

Senders email address a big red flag.

From: IT Support Note. <>
Sent: Thursday, November 7, 2019 7:50 AM
To: User <>
Subject: Case ID:9354-61

Due to a server error on your e-mail, ( (7) incoming messages were delayed.

Log on to your portal to recover your delayed messages
Recover Delayed Messages
2019 Message Center

Your e-mail will be deleted.

September 25, 2019

From: Stanford University <>
Sent: Wednesday, September 25, 2019 6:31 AM
To: Harvey, Zachary <>
Subject: Your e-mail will be deleted.


This is a final notification to all Stanford University e-mail users, that we are deleting in-active accounts. Validate your email now. Failure to do this within 24 hours, your account will be deleted

Validate Email Account

Stanford University
IT Help Desk

Stanford CS -Payroll Notice

August 2, 2019

Marked as SPAM in the subject but some were delivered without the warning.

From: Stanford CS - Payroll Service <>
Date: Friday, August 2, 2019 at 2:28 PM
Subject: *****SPAM***** Stanford CS -Payroll Notice

1 New Payroll Stanford CS Message

Click to READ

Human Resources & Payroll Service
Stanford CS - Stanford University

Campus Administrative Registrar

July 29, 2019

Phishing email sent from compromised SUNet.

From: Registrar 7/29/2019 8:11:05 PM Desk <>
Sent: Monday, July 29, 2019 1:11 PM
Subject: Campus Administrative Registrar

Hello ,,

Submit your symester course attendance to (Faculty Dean 7/29/2019 8:11:05 PM) on

Due to the file size, it can not be uploaded to email. Review to authenticate.


July 29, 2019

Second email from compromised SUNet. Lots of red flags. Why would MSFT Support Team be sending out emails to students?

From: "STANFORD FACULTY DESK 7/29/2019 8:58:37 PM" <>
Date: Monday, July 29, 2019 at 1:58 PM

Verify your account


Please note that your course registration dues is past due be restricted to campus facilities and classes.
It is imperative to conduct an audit of your information is
present, otherwise your lectures would be denied.

Started now

We invite you to act fast, if you need any help you can
contact our online support.

MSFT Support Team

Important Info HR Department

July 19, 2019

A hover over the URL unmasks this as a phishing email. 


A private document has been sent to you by the Human Resources Department.

Click to Login to view the document. Thank you!

Stanford University HR.
©2019 Stanford University
CONFIDENTIALITY NOTICE: This email and any attachments may contain confidential information that is protected by law and is for the sole use of the individuals or entities to which it is addressed. If you are not the intended recipient, please destroying all copies of the communication and attachments. Further use, disclosure, copying, distribution of, or reliance upon the contents of this email and attachments is strictly prohibited.

Are you available?

July 17, 2019

Please see article on Stanford News for information on the gift card scam:


I’m in a meeting right now and that’s why I’m contacting you through email. I should have called you, but phone call is not allowed during the meeting. I don’t know when the meeting will be rounding up, I want you to help me out on something very important right away.

On Jul 13, 2019 12:05 PM, John Doe <> wrote:

John Doe


July 17, 2019

This is a variation of the gift card scam. Please see:

Phishing email

Job Offer

July 16, 2019

Fake job offers will attempt to collect personal and banking information. In this instance look at the reply to field for a solid red flag: Reply-To: Walgreens <>

From: Walgreens <>
Date: July 16, 2019 at 09:06:22 PDT
To: Undisclosed recipients:;
Subject: Job Offer
Reply-To: Walgreens <>

Walgreens Secret Reviewers
We are looking for secret reviewers to rate their local Walgreens store!

No experience needed, just your honest opinion.
The task requires you to shop and evaluate our employees.

You will get paid to shop and you can keep the products.

You will be paid with amounts between $200-400 per assignment.

Reviewers are selected randomly every week and if selected, they will be contacted via phone or email.

Join our team by filling in the application form.

Join Us*
* If you have received this message inside your spam folder some links and other functionality might be disabled, move it to inbox folder in case you are having problems pressing 'Join Us'.
© Copyright 2019 Walgreen Co. All rights reserved.
You can unsubscribe from this list.

Open Opportunity

July 10, 2019

Beware of overly generous pay. Check the reputation of the email address with or similar tool.

From: Eve Marrs <>
Subject: Open Opportunity
Date: July 11, 2019 at 4:05:22 PM PDT
To: undisclosed-recipients:;


I am offering a post that only requires 1-2 hours, 2-3 days in a week, you can work at your convenience and earn 230 weekly. Respond for more details if interested.

Best Regards,

Eve Marrs

Email with Attached PDF

January 31, 2017

Note the inaccurate email address in the "From:" field.

Screenshot of phishing PDF that was attached to this email.

From: Marc Tessier-Lavigne <>
Date: January 31, 2017 at 8:30:41 AM PST
To: undisclosed-recipients:;

I am pleased to inform you that there will be a new development at the

Stanford University that will benefit all of it's members. You can read pdf

attached file for more information.


Marc Tessier-Lavigne
Office of the President
Building 10
Stanford University
Stanford, CA 94305-2061
phone:(650) 723-2481
fax:(650) 725-6847

Request for W-2 Forms and Earnings Summary

January 20, 2017

Note the inaccurate, non-Stanford email address for Marc Tessier-Lavigne in the "From:" field.

From: Marc Tessier-Lavigne <>
Date: January 20, 2017 at 7:45:30 AM PST
To: <>
Subject: Imperative

Hi Kelly,

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our staff for a quick review. Prepare the lists and email them to me asap.

Best regards
Marc Tessier-Lavigne
Provost and President

Email Account Update

September 30, 2016

From: < >
Sent: Friday, Sept. 30, 2016 10:31 AM
To: <employee name>
Subject: Email Account Update

Due to migration to a new Open Source Email Collaboration Solution (SunsetGates), it is mandatory that you update your Stanford University information immediately, using the update link below:

Failure to update, will result to closure of your account.

Thanks for your Co-Operation.

Email Admin Desk


May 2, 2016

True sending account is: not

President Hennessy's name is spelled incorrectly.

From: John Hennessay <>
Sent: Monday, May 2, 2016 11:31 AM
To: <employee name>
Subject: Request


Are you at your desk? I need you to send me an email attachment with the individual 2015 W-2 (PDF) and earnings summary of all the employees

Thank You

Sent from my iPhone

[email-campaign] Stanford Webmail UPDATE 2016

February 1, 2016

Mon 2/1/2016 9:35 AM
From: email-campaign <>
Sent: Sat 1/30/2016 10:02 AM
Checkout the new Stanford webmail and know if it has started working for you, its secured, faster and easy, you can give it a try by signing with your correct user and password.

click here to sign in:


Stanford Mail Service
email-campaign mailing list

Invoice Attached

November 20, 2015

A Trojan malware email attachment is affecting computers Stanford-wide. The subject of the email is 2 Invoices Attached. The symptoms of an infected machine are the browsers continually crashing; otherwise, there are no additional signs.

University IT Computer Resource Consulting (CRC) has received guidance from the Information Security Office that if the attachment is opened on a Windows machine (not just previewed in Outlook/Office 365) a complete rebuild of the machine is required. Macs, phones, and Chromebooks are not affected.

Please advise your users NOT to open the attachment. If they have opened the attachment, please advise them to submit a HelpSU request so CRC or the appropriate IT team can remediate their machine.

More information on the malware can be found at:

Good morning,

Please see the attached invoices and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.

Thank you!

"Subject: update" (to CS students, at least)

June 20, 2015

This example is pretty flagrant in many respects.   The grammar is very bad (note the first sentence is not even a complete sentence).    It does not come from a Stanford address (what is  It is signed "Standford".   The email is addressed to "".  Even if that is a legitimate address, it would clearly go to a very large number of people, but the email itself suggests that the individual recipient's account has been compromised.  And, of course, the email includes a link to click where the recipient is supposed to "update settings".    Do not trust links like this, especially when they do not even pretend to go to a site.  

From: Help Desk <>
Date: June 20, 2015 at 7:57:55 AM PDT
Subject: update

It had been detected that your cs-stanford-edu email account. Mail delivery system had been affected with virus. Your email account had been sending virus included with your mail to recipient's account and as such a threat to our database. You'll need to update the settings on your cs-stanford-edu email account by clicking on this link:

CS. Standford
ITS Helpdesk

Your Email Account

April 30, 2015

Stanford University Email Account
Security info replacement

Someone started a process to replace all of the security info for your Email Account.

If this was you, you can safely ignore this email. Your security info will be replaced with 15623535981 when the 5-day waiting period is up.

If this wasn't you, someone else might be trying to take over your email account. Click here to fill in details and verify your current information in our servers and we'll help you protect this account.

Barker Ashton

For: Standford University Email Team
Phone: 650-723-2300

Weblogin Phishing Attempt

May 12, 2014

The reply-to address is a non-Stanford address: Stanford University <>

When you hover over the icons they reveal non-Stanford links.

Subject: Stanford University WebLogin Updates

Your Apple ID was used to sign in to iCloud on an iPhone 4

February 8, 2014

This one is pretty convincing.   In case you're wondering, the address at the bottom in Luxembourg is the actual address Apple publishes for iTunes.   The clues here are the same as in most phishing scams, first of all the actual URL behind the links in the email, and even more than that the very fact that you're asked to click on a link in email and, once there, change your password to some account.   Simple rule: never do this.   If you're in doubt, contact the IT Service Desk at 725-HELP (650-725-4357) or submit a HelpSU request (copy paste this URL into your browser:

Dear customer,
Your Apple ID was used to sign in to iCloud on an iPhone 4.

Time: February 06, 2014
Operating System: iOS;6.0.1

If you recently signed in to this device, you can disregard this email.
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have accessed your account, please click here to confirm your details and change your password.
Apple Support

My Apple ID | Support | Privacy Policy
Copyright © 2014 iTunes S.à r.l. 31-33, rue Sainte Zithe, L-2763 Luxembourg. All rights reserved.

E-mail Security Notice

January 30, 2014

The biggest clue that this is a phishing attempt is the most obvious: it is asking you to click on a link in an email message.   It is also telling that it says your email account has been suspended, but in fact you just received this message by email, most likely with a lot of other messages, so that part is clearly untrue.  There is also nothing that tells you who or what organization in Stanford actually sent it; it just says "Stanford University".   Finally, if your email program allows  you to see the URL behind the link without clicking on it, you would see that the "Click here" link goes not to a host but to one in ".kz", which turns out to be Kazakhstan.   They are unlikely to be involved in the security of Stanford email, except perhaps to try and reduce it.

signature.gif (156×30) saying "Stanford University"

Your e-mail access has been suspended for your security.

To regain your access Click here

Stanford University.


January 16, 2014

This message has many cues as to its lack of authenticity.   First and foremost are the many spelling and grammar errors: "You can active your account", "Centeral", "seccussfull", "you will be redirect", "If there was error in login".   You should also be suspicious when there are names for services that either you don't recognize or seem to be used inappropriately, such as "Authcate Account" (there is no such thing at Stanford), "Centeral Authentication System(CAS) Weblogin", "available on the helpsu". 

What is most concerning, and what makes this a phishing attempt rather than just bad spam, is the link in the message purporting to go to accounts.  The URL behind this text actually points to a host ( in Iran.  Because you sometimes cannot determine what the link in an email message actually points to, you should never click on an embedded link.  It is generally very safe to copy the text of the link (e.g., and paste it into the address bar of your browser, as long as you recognize the domain part of the link (in this case, "").

Dear Stanford Student, Faculty, Staff

Your Authcate Account will be inactive in 2 days. Because of some
security problems about login from strange IP addresses we decided to make
some changes (Upgrade) and this is due to the implementation of a new
version of Centeral Authentication System(CAS) Weblogin in new

You can active your account by going to the
Weblogin and simply login by your SUNet ID to activate your
Then, after seccussfull login click on "Logout" and you will be redirect to [link removed]
and in StatusChecker check your
account state. if your Account Status is Active or not. If
there was error in login, try to activate again.

Please note: If you get an Authentication Error Just try 2 times to
login again, and return to the
portal login page and start again. because System will automatically block
your IP and Account and you should contact Support System to

Answers to some frequently asked questions
(FAQs) are available on the helpsu.


IT Services
Panama Street
Stanford, CA 94305-4102

0pen - P0sition

November 21, 2013

The message purports to represent a "Customer Service Research" organization, but never mentions the name, and there is no contact information provided.  There are, as is often the case, numerous grammatical, capitalization, and other errors (e.g., "We are Leading Agency", "Should you interested...").   There are also elements that may be intended to keep the message from being tagged as a phishing attempt, such as "Full A.d.d.r.e.s.s :" (in case a filter is looking for "Address").   Even the subject line uses a zero instead of an "o" in "P0sition" in case that word is flagged.

We are Leading Agency Specialized in (Global) Customer Service Research. We are starting a very big research project in USA. This project takes place every month. We need to recruit Mystery Shoppers to join our project to work as a surveyor. Should you interested, your salary would be US$300 per assignment.

Money order will be in a certain amount that you will be asked for cash at your bank, deduct your salary and have the rest used for the evaluation. Provide me with the following details listed below:

Contact us with your INF0RMATI0N If you interested:
Full Name :
Full A.d.d.r.e.s.s :
StateCityZip :
A.g.e :
Phones :
Gender :
Current Job
Thank you,
Your response would be greatly appreciated.

Voice Message from Unknown Caller (745-894-7559)

November 13, 2013

This email appeared to be a message from the voicemail system with a voice message attached as a file. The message appeared to come from Unity Messaging System <>,  which turns out to be a non-existent Stanford address. The attachment should have been removed by Stanford's newly enhanced screening mechanisms, which remove attachments that are likely (based on the kind of file) to be phishing attempts or other malware.

Without the current attachment screening and removal tools, the only clues that this was not a legitimate message would be that the "From" address was not valid (which would not necessarily be easy to determine, but a call to the IT Service Desk would reveal this), and the fact that the "voicemail" file had the extension .zip instead of the normal .wav (again, a subtle detail that many are not aware of).   

The message itself has very little text, but the following would appear as a way of notifying recipients that the attachment was removed:

Note: The original attachment was automatically removed by Stanford's email
system because it was identified as a file type that is commonly associated
with malicious software. In order to transmit this type of file, please use
an alternate mechanism such as Stanford's Box service.

The attachment name is,
The attachment type is application/zip.

CS.Stanford Email Sign-in Alert

September 16, 2013

We detected a login attempt with valid password to your CS. Stanford email account from an unrecognized device on Mon Sept 16, 2013 01:56 PM PDT.
Location: Germany (IP=3D81.169.136.48) Note: The location is based on information from your Internet service or wireless carrier provider.
Was this you? If so, you can disregard the rest of this email.

If this wasn't you, please LOGIN HERE to confirm your ownership of this account and to protect your email account information from potential future account compromise.
The office of Information Security will keep this updated if information should change, but we encourage all users to run their updates after the expected release of this patch.

The Computer Science Department Computer Facilities (CSD-CF)

Location: Gates 170
Phone: 650 725-1451
Fax: 650 723-1701

RE: Faculty &Staff Account Notification

September 11, 2013

The "ITS" in the email is hyperlinked but hovering over the link shows the URL does not point to a domain.

Institute account Routine System. all institutional mail account users  are advice to upgrade /Update account now This has been made mandatory for all. for assistance click: ITS
Failure to do this you will have your account suspended on till report is made to the institution authorities.

ITS service Team
© Copyright 2013.
All Rights Reserved

Webmail Account Alert!!!

September 9, 2013

From: Stanford Webmail Team

Dear Stanford Account User,
This message is from Stanford Admin Team, Your email account has exceeded its mail quota on
our server database and your account will be inactive within the next 24-48 hours if it is not
verified. You are advised to on click the link below and follow the instructions to verify your
[link removed]
Stanford Help Desk.

Please Reactivate Your SUNet ID

September 8, 2013

Dear All Students of Stanford University,

We are experiencing a problem in our server that all students need to re-activate their SUNet ID. This is due to the implementation of a new library system. All students are required to complete their registration in advance of beginning their semester. This will enable us proceed their classes to be started on time. Please visit following page to activate your SUNet ID.

Consequences of Incomplete Activation

Students will not receive grades for courses attended.
Once classes begin, students cannot add, late add, or late drop courses for the current semester.
Students are ineligible to register for future semesters.
If receiving student loans, the student may enter a repayment status with lender.
If receiving student aid, some aid sources may be cancelled and unable to be reinstated at a later date.
If receiving an award, the student cannot be hired.
The University reserves the right to cancel an incomplete registration for failure to pay tuition and fees.
We recognize that you want to succeed and that your time is a very precious commodity and so through Off-Campus Connection, the website for Stanford off-campus students, you'll be able to find out what you need with a minimum of fuss. We are always looking to improve and update our website, and so welcome your comments and feedback. Send them along to us at the Off-Campus Learning Centre.
I wish you all the very best in your studies at Stanford University.

Stanford IT Service Desk: 724-HELP
243 Panama Street
Stanford, CA 94305-4102
Contact us

2013 Helpdesk

September 3, 2013

Mailbox is full,00.1 MB,Please reduce your mailbox size. Delete any items you don't need from your mailbox and expand your email quota with the below web links:

HERE: [Link to phishing website removed]

Thank you for your understanding.
2013 Helpdesk

Webmail Update

September 3, 2013

While the text of the link in the email looks legitimate, the URL is actually different and brings you to a phishing website.

Webmail Update

Stanford University Email & Calendar system have been updated.
Please visit the updated Zimbra Email for information and instructions on how to access your email.

To access your email via the web: https//

Updated Webmail includes a refreshed interface with tabs on top and a new inbox email default theme.
Beginning on Friday, August 30th, 2013, the new web-mail application becomes the default for all users.
Updated to improve performance (Standard and Basic interfaces)."