
Recent Examples of Phishing

These are some examples of phishing emails seen on campus. Do NOT assume a suspect email is safe just because it is not listed here. There are many variants of each, and new ones are being sent out each day.

Your Email Account

Stanford University Email Account
Security info replacement

Someone started a process to replace all of the security info for your Email Account.

If this was you, you can safely ignore this email. Your security info will be replaced with 15623535981 when the 5-day waiting period is up.

If this wasn't you, someone else might be trying to take over your email account. Click here to fill in details and verify your current information in our servers and we'll help you protect this account.

Thanks,
Barker Ashton

For: Standford University Email Team
Phone: 650-723-2300
Email: alert@stanford.edu

Weblogin Phishing Attempt

The reply-to address is a non-Stanford address: Stanford University <donotreply@asiatrans.com.ph>

When you hover over the icons they reveal non-Stanford links.

Subject: Stanford University WebLogin Updates

Your Apple ID was used to sign in to iCloud on an iPhone 4

This one is pretty convincing. In case you're wondering, the address at the bottom in Luxembourg is the actual address Apple publishes for iTunes. The clues here are the same as in most phishing scams: first, the actual URL behind the links in the email and, even more telling, the very fact that you're asked to click on a link in an email and, once there, change the password to some account. Simple rule: never do this. If you're in doubt, contact the IT Service Desk at 725-HELP (650-725-4357) or submit a HelpSU request (copy and paste this URL into your browser: helpsu.stanford.edu).

Dear customer,
Your Apple ID was used to sign in to iCloud on an iPhone 4.

Time: February 06, 2014
Operating System: iOS;6.0.1

If you recently signed in to this device, you can disregard this email.
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have accessed your account, please click here to confirm your details and change your password.
Apple Support

My Apple ID | Support | Privacy Policy
Copyright © 2014 iTunes S.à r.l. 31-33, rue Sainte Zithe, L-2763 Luxembourg. All rights reserved.

E-mail Security Notice

The biggest clue that this is a phishing attempt is the most obvious: it is asking you to click on a link in an email message. It is also telling that it says your email account has been suspended, yet you just received this message by email, most likely along with a lot of other messages, so that part is clearly untrue. There is also nothing that tells you who or what organization at Stanford actually sent it; it just says "Stanford University". Finally, if your email program allows you to see the URL behind the link without clicking on it, you would see that the "Click here" link goes not to a stanford.edu host but to one in ".kz", which turns out to be Kazakhstan. They are unlikely to be involved in the security of Stanford email, except perhaps to try and reduce it.

signature.gif (156×30) saying "Stanford University"

Your e-mail access has been suspended for your security.

To regain your access Click here

Stanford University.

[unknown]

This message has many cues as to its lack of authenticity. First and foremost are the many spelling and grammar errors: "You can active your account", "Centeral", "seccussfull", "you will be redirect", "If there was error in login". You should also be suspicious when there are names for services that either you don't recognize or seem to be used inappropriately, such as "Authcate Account" (there is no such thing at Stanford), "Centeral Authentication System(CAS) Weblogin", "available on the helpsu".

What is most concerning, and what makes this a phishing attempt rather than just bad spam, is the link in the message purporting to go to accounts.stanford.edu. The URL behind this text actually points to a host (paperisi.ir) in Iran. Because you sometimes cannot determine what the link in an email message actually points to, you should never click on an embedded link. It is generally very safe to copy the text of the link (e.g., accounts.stanford.edu) and paste it into the address bar of your browser, as long as you recognize the domain part of the link (in this case, "stanford.edu").

Dear Stanford Student, Faculty, Staff

Your Authcate Account will be inactive in 2 days. Because of some
security problems about login from strange IP addresses we decided to make
some changes (Upgrade) and this is due to the implementation of a new
version of Centeral Authentication System(CAS) Weblogin in new
year(2014).

You can active your account by going to the
CenteralAuthenticationSystem(CAS)
Weblogin and simply login by your SUNet ID to activate your
account.
Then, after seccussfull login click on "Logout" and you will be redirect to [link removed]
and in StatusChecker check your
account state. if your Account Status is Active or not. If
there was error in login, try to activate again.

Please note: If you get an Authentication Error Just try 2 times to
login again, and return to the
https://stanfordyou.stanford.edu/
portal login page and start again. because System will automatically block
your IP and Account and you should contact Support System to
Unclock.

Answers to some frequently asked questions
(FAQs) are available on the helpsu.

Regards,

IT Services
243
Panama Street
Stanford, CA 94305-4102
650-725-4357
support@stanford.edu
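
The link check described for this message (visible text says accounts.stanford.edu, the URL behind it points to paperisi.ir) can be automated for an HTML mail body. This is an added example, not part of the original page; the sample body, the `stanford.edu.login.example` host and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "stanford.edu"  # assumption: the only domain treated as legitimate
HOSTLIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, suffix=TRUSTED):
    # Exact match or true subdomain; "stanford.edu.login.example" does not pass.
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def suspicious_links(html_body):
    """Return (visible text, real host, reason) for every link leaving TRUSTED."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        try:
            host = urlsplit(href).hostname
        except ValueError:  # malformed URL: report it instead of crashing
            host = None
        if in_domain(host):
            continue
        shown = HOSTLIKE.search(text.lower())
        named = bool(shown) and in_domain(shown.group(0))
        findings.append((text, host, "text names trusted domain" if named else "off-domain link"))
    return findings

# Constructed body; only paperisi.ir and the stanford.edu host names come from the page.
SAMPLE = (
    '<p>Go to <a href="http://paperisi.ir/">accounts.stanford.edu</a></p>'
    '<p><a href="https://helpsu.stanford.edu/">HelpSU</a></p>'
    '<p><a href="http://stanford.edu.login.example/">Click here</a></p>'
)
```
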

0pen - P0sition

The message purports to represent a "Customer Service Research" organization, but never mentions the name, and there is no contact information provided. There are, as is often the case, numerous grammatical, capitalization, and other errors (e.g., "We are Leading Agency", "Should you interested..."). There are also elements that may be intended to keep the message from being tagged as a phishing attempt, such as "Full A.d.d.r.e.s.s :" (in case a filter is looking for "Address"). Even the subject line uses a zero instead of an "o" in "P0sition" in case that word is flagged.

We are Leading Agency Specialized in (Global) Customer Service Research. We are starting a very big research project in USA. This project takes place every month. We need to recruit Mystery Shoppers to join our project to work as a surveyor. Should you interested, your salary would be US$300 per assignment.

Money order will be in a certain amount that you will be asked for cash at your bank, deduct your salary and have the rest used for the evaluation. Provide me with the following details listed below:

Contact us with your INF0RMATI0N If you interested:
Full Name :
Full A.d.d.r.e.s.s :
StateCityZip :
A.g.e :
Phones :
Gender :
Current Job
:
Thank you,
Your response would be greatly appreciated.
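
A filter can undo the two evasions noted for this message (dots between letters, zero in place of "o") before matching keywords. This is an added example, not part of the original page; the watch-list and function names are assumptions chosen for illustration.

```python
import re

# Assumption: words a mail filter might key on; all appear in the message above.
WATCHLIST = {"address", "age", "information", "open", "position"}

# Single letters joined by dots, e.g. "A.d.d.r.e.s.s" or "A.g.e".
DOTTED = re.compile(r"\b(?:[A-Za-z]\.){2,}[A-Za-z]\b")


def normalise_token(token):
    """Map 0 -> o, but only in tokens that also contain letters."""
    if not any(c.isalpha() for c in token):
        return token  # real numbers (300, phone digits) stay untouched
    return token.replace("0", "o").lower()


def normalise(text):
    """Collapse dotted letters, then normalise each alphanumeric token."""
    text = DOTTED.sub(lambda m: m.group(0).replace(".", ""), text)
    return " ".join(normalise_token(t) for t in re.findall(r"[A-Za-z0-9]+", text))


def evasions(text):
    """Watch-list words that are present only after normalisation."""
    raw_words = set(re.findall(r"[a-z]+", text.lower()))
    clean_words = set(normalise(text).split())
    return sorted((clean_words & WATCHLIST) - raw_words)


# Lines copied from the message above.
SAMPLE_LINES = [
    "0pen - P0sition",
    "Contact us with your INF0RMATI0N If you interested:",
    "Full A.d.d.r.e.s.s :",
    "A.g.e :",
    "Phones :",
]
```

A word that shows up only after normalisation is a stronger signal than the word itself, because it means the sender went out of their way to hide it.
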

Voice Message from Unknown Caller (745-894-7559)

This email appeared to be a message from the voicemail system with a voice message attached as a file. The message appeared to come from Unity Messaging System <Unity_UNITY3@stanford.edu>, which turns out to be a non-existent Stanford address. The attachment should have been removed by Stanford's newly enhanced screening mechanisms, which remove attachments that are likely (based on the kind of file) to be phishing attempts or other malware.

Without the current attachment screening and removal tools, the only clues that this was not a legitimate message would be that the "From" address was not valid (which would not necessarily be easy to determine, but a call to the IT Service Desk would reveal this), and the fact that the "voicemail" file had the extension .zip instead of the normal .wav (again, a subtle detail that many are not aware of).

The message itself has very little text, but the following would appear as a way of notifying recipients that the attachment was removed:

Note: The original attachment was automatically removed by Stanford's email
system because it was identified as a file type that is commonly associated
with malicious software. In order to transmit this type of file, please use
an alternate mechanism such as Stanford's Box service.

The attachment name is VoiceMessage.zip, voicemessage.zip.
The attachment type is application/zip.
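
Two header-level clues from this page, the non-Stanford reply-to address in the Weblogin example and the .zip "voicemail" attachment here, can be checked on the raw message. This is an added example, not Stanford's screening system; the risky-type list and function names are assumptions, and the sample message is constructed from addresses quoted on the page.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXT = {".zip"}                # assumption: the page only names .zip
RISKY_TYPES = {"application/zip"}


def domain_of(header_value):
    """Domain part of the address in a header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw_bytes, org_domain="stanford.edu"):
    """Return findings for an off-domain Reply-To and risky attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != org_domain and not reply_dom.endswith("." + org_domain):
        findings.append(f"reply-to outside {org_domain}: {reply_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        if ext in RISKY_EXT or ctype in RISKY_TYPES:
            findings.append(f"risky attachment: {name} ({ctype})")
    return findings


def build_message(reply_to, att_name, maintype, subtype):
    """Constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "Unity Messaging System <Unity_UNITY3@stanford.edu>"
    if reply_to:
        m["Reply-To"] = reply_to
    m["Subject"] = "Voice Message from Unknown Caller"
    m.set_content("You have a new voice message.")
    m.add_attachment(b"placeholder", maintype=maintype, subtype=subtype,
                     filename=att_name)
    return m.as_bytes()
```
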

CS.Stanford Email Sign-in Alert

We detected a login attempt with valid password to your CS. Stanford email account from an unrecognized device on Mon Sept 16, 2013 01:56 PM PDT.
Location: Germany (IP=3D81.169.136.48) Note: The location is based on information from your Internet service or wireless carrier provider.
Was this you? If so, you can disregard the rest of this email.

If this wasn't you, please LOGIN HERE to confirm your ownership of this account and to protect your email account information from potential future account compromise.
The office of Information Security will keep this updated if information should change, but we encourage all users to run their updates after the expected release of this patch.

The Computer Science Department Computer Facilities (CSD-CF)

Location: Gates 170
Phone: 650 725-1451
Fax: 650 723-1701
Email: action@cs.stanford.edu

RE: Faculty &Staff Account Notification

The "ITS" in the email is hyperlinked but hovering over the link shows the URL does not point to a stanford.edu domain.

Institute account Routine System. all institutional mail account users  are advice to upgrade /Update account now This has been made mandatory for all. for assistance click: ITS
Failure to do this you will have your account suspended on till report is made to the institution authorities.

ITS service Team
© Copyright 2013.
All Rights Reserved

Webmail Account Alert!!!

From: Stanford Webmail Team

Dear Stanford Account User,
This message is from Stanford Admin Team, Your email account has exceeded its mail quota on
our server database and your account will be inactive within the next 24-48 hours if it is not
verified. You are advised to on click the link below and follow the instructions to verify your
account.
[link removed]
Thanks.
Stanford Help Desk.