What should you do if you receive a suspicious email?

  1. Do not open any attachments or click on included links.
  2. Please forward the original email as an attachment to soc@uwaterloo.ca (UW-IST Security Operations Centre). In Outlook, click the message to select it, then click the 3 dots in the top-right and select "Forward as Attachment". Cc Michael (mwagoner@uwaterloo.ca), Gordon (gboerke@uwaterloo.ca) and myself (bee@uwaterloo.ca) so that we also have a handle on the sort of things folks in the department are receiving.
  3. If you feel the message violates Canada's anti-spam legislation you might also want to consider reporting it as spam to the Government of Canada - I find forwarding as an attachment to spam@fightspam.gc.ca is less trouble than going through the form.
  4. To ensure no other messages from the sender arrive in the future, while viewing it in Outlook, you might also want to click "Junk / Block sender". Maybe also consider going into the "Junk / Junk E-mail Options" and add @thedomain to the blocked senders list so that you won't see any messages from anyone in that domain.
  5. Delete the original message.
  6. Stop gritting your teeth.
Forwarding as an attachment includes additional delivery details that a regular forward does not, which helps determine how the message arrived. With that additional information we can determine where the message originated, the servers it passed through to be delivered, and whether a UW user on campus was compromised or the From field was simply forged with false information. If it's determined a UW account was compromised, it can be disabled immediately to prevent the spread of additional messages. If the message is widespread on campus and convincing, IST may consider notifying the campus community, blocking/removing link access from campus sites, and/or possibly fine-tuning campus email filters. If they know about it early enough, there's also the possibility they can remove the message from UW Inboxes before people see it.
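To show what those extra delivery details look like to the person doing the triage, here is an added example (not part of the original page, and not IST's own tooling) that pulls the original message out of a "Forward as Attachment" report and reads its Received chain and From field. The domain dept.example, every host and address in the sample, and the wording of the verdicts are assumptions made for the illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a "Forward as Attachment" report: the original rides
# along intact as a message/rfc822 part. All hosts and addresses are made up.
REPORT = """\
From: reporter@dept.example
Subject: FW: New Voice e-mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mx.dept.example (mx.dept.example [192.0.2.10])
 by mailstore.dept.example; Wed, 20 Oct 2021 15:30:12 +0000
Received: from relay.mailer.invalid (relay.mailer.invalid [198.51.100.7])
 by mx.dept.example; Wed, 20 Oct 2021 15:30:10 +0000
From: "voicemail@dept.example" <someone@mailer.invalid>
Subject: New Voice e-mail

Download attached file to listen to your voice message
--b1--
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+([^\s;]+)", re.S)

def in_org(host, org):
    return host.lower() == org or host.lower().endswith("." + org)

def original_message(raw):
    """Return the embedded original, or None for a regular (inline) forward."""
    outer = email.message_from_string(raw, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def triage(raw, org):
    msg = original_message(raw)
    if msg is None:
        return None  # regular forward: the original's delivery headers are gone
    # Each server prepends its own Received line; reverse for delivery order.
    received = reversed(msg.get_all("Received", []))
    hops = [m.groups() for h in received if (m := HOP.search(str(h)))]
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    # Trust only lines written by the organisation's own servers ("by" host in
    # org); everything earlier in the chain is supplied by the sender.
    entry = [f for f, b in hops if in_org(b, org) and not in_org(f, org)]
    if in_org(from_dom, org):
        verdict = "forged From" if entry else "sent from inside: check the account"
    elif org in name.lower():
        verdict = "display name imitates an org address"
    else:
        verdict = "external sender"
    return {"hops": hops, "from_domain": from_dom, "entered_via": entry,
            "verdict": verdict}
```

The verdict is a triage hint only: an organisation address arriving through an outside relay can also be a legitimate third-party mailing service.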


Details

Phishing is the bad guys' attempt to steal your userid/password so that they can login to your accounts, steal confidential information in your files/emails, or to use your computer accounts for sending spam, hosting porn, etc.

IST also reminds people: "Phishing season, open all year round!" They also have information on Cyber Awareness.

For what appear to be UW-related emails, if you notice the address you would be replying to, or the URL you are directed to is not under uwaterloo.ca, it's a dead giveaway that it's bogus. In general, there's really never a need for you to share your password with anyone at any time.
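The same check can be done mechanically on a message body. The following is an added example (not from the original page) that lists links whose real target is not under uwaterloo.ca, including the cases where the visible text or the URL path only mentions the university. The three bogus URLs are the ones quoted in the examples further down this page; the HTML markup around them is reconstructed for the illustration, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG = "uwaterloo.ca"

# Markup constructed for the example; the bogus URLs are quoted on this page.
BODY = """
<p>New Notification Regarding Your 2021 Payroll
<a href="https://shubhastrology.com/uwaterloo/uwaterloo.html">https://www.uwaterloo.ca/UI/payr0ll/2021/f0rm.pdf</a></p>
<p><a href="https://sevenmilebeachcondorentals.com/uwa/connect.uwaterloo.ca/owa/auth/logon04a0.html">verify</a>
<a href="https://uwaterlooportal.000webhostapp.com/">UW Outlook Web Access</a>
<a href="https://uwaterloo.ca/">UW home</a></p>
"""

def host_of(url):
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""

def under_org(host, org=ORG):
    # Match on a label boundary, so "uwaterloo.ca.evil.example" and
    # "notuwaterloo.ca" do not pass.
    return host == org or host.endswith("." + org)

class Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body, org=ORG):
    parser = Links()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        target, reasons = host_of(href), []
        shown = host_of(text) if "://" in text else ""
        if not under_org(target, org):
            reasons.append("target host not under " + org)
            if org.split(".")[0] in href.lower():
                reasons.append("org name used as decoration in URL")
        if shown and shown != target:
            reasons.append("visible URL differs from real target")
        if reasons:
            findings.append((target, reasons))
    return findings
```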

As usual, if you get'em, just chuck'em. If you have responded, let us know and we'll investigate and ensure your various passwords are changed ASAP.



Recent Examples

The link goes to a https://forms.gle/... site. It seems to be a compromised UW account which is why it's coming from a UW address.
From: Heather Keller  
Sent: Wednesday, January 17, 2024 8:19 AM
Subject: OPEN POSITION

Faculty/Personal/Student/Alumni.,

You have been offered an open position at the convenience of your home or school, which serves as a gateway to pay all expenses incurred on campus. This opportunity should be done at leisure taking at most 2 hr./day,2-3 times a week and earn $650 Weekly. It’s a Flexible Opportunity where you will determine your working time. All the tasks are work from home/on campus job, you don't need to travel somewhere, and you don’t need to have a car to get started. It’s a home base office work you can be in any location and work from your home/school. 

To apply for this position kindly click [here] [[[a link to a bogus forms.gle site... Bill]]]

Heather Keller RD PhD FDC FCAHS

Schlegel Research Chair Nutrition & Aging
Schlegel-UW Research Institute for Aging
&  Professor, Department of Kinesiology 
University of Waterloo

Prescription for life: Eat your food with gladness; drink your wine with a joyful heart; sleep the sleep of a labourer; and be in community.  
Ecclesiastes




A few red lights to recognize this one... it's coming from a uwinnipeg.ca address, and the link goes to a https://forms.gle/... site.
From: Kevin Doyle  
Sent: Tuesday, January 16, 2024 1:06 PM
Subject: Total compensation statement for The University of uwaterloo faculty & staff members

Thank you for being part of University of Waterloo! We are glad that you are here, and we want you to know that your total compensation is made up of much more than what you see in your Paycheck.

Total compensation statements bring visibility to the value of uwaterloo employee benefits and time off policies. All uwaterloo Staff/Non-Staff in regular positions have access to a Personalized online statement of total compensation. Individuals will be able to access their own statement upon logging in with their uwaterloo credentials.

 
Access your Personalized statement. (uwaterloo Login required).
 
VIEW YOUR STATEMENT  [[[a link to a bogus forms.gle site here... Bill]]]
 
 
Prepared by the Compensation Office
Department of Human Resources



Looks like this came from a compromised UW account. The attached PDF would beg for credentials...
From: Mahla Poudineh mahla.poudineh@uwaterloo.ca
Sent: Monday, December 18, 2023 12:17 PM
Subject: Transcript for Student Record

A copy of your Student record is available for you to look at Look through and keep up to date with your accomplishments

NOTE:  Your UWaterloo Access is needed to go through the Transcript. Initial Access is Transcript

Please do let us know if there are any errors that need to be rectified

Office of the Registrar
UNIVERSITY OF WATERLOO
200 Universtity Ave W,
Waterloo ON N2l 3G1
Phone: 519-888-4567
Fax: 519-888-4568
Office Hours: Monday-Friday, 8:00 AM - 5:00 PM



The bad guys would do bad things if you gave them this information.
From: Zihan Zeng zzeng226@uwo.ca 
Sent: Wednesday, December 6, 2023 5:28 PM
Subject: Office of Vice-Principal & Dean Western USC: Duo Security Update

Your uwaterloo account has been filed under the list of accounts set for deactivation due to retirement/graduation/freshers/full-time/part-time or transfer of the concerned account holder.

But the record shows you are still active in service and so advised to verify this request otherwise give us reason to deactivate your university account.
Please send the requested information below to this phone number  +1 (740) 417-2147   via SMS ONLY, to verify your uwaterloo immediately to avoid Deactivation and to book an appointment:

* Full Name:
* Campus Email:
* Password:
* DUO Security Cell Phone Number:
* Duo 6 digit passcode on your Duo Mobile (Kindly check your Duo Mobile) 
* Date of Birth:

NOTE: Please check your Duo Mobile and fill in the 6-digit passcode above correctly and always send the new code if you mistakenly or consciously used the code you sent, make sure you send the new Duo code immediately.
Please note the one-time submission and entry only.



This one probably from a compromised UW account.
From: Sonia Khalghollah skhalghollah@uwaterloo.ca 
Sent: Wednesday, December 6, 2023 5:50 PM
Subject: Office of Vice-Principal & Dean Uwaterloo: Student Application Form

Are you interested in a Job Opportunity at the convenience of your home or school, which serves as a gateway to paying all expenses incurred on campus?

This opportunity should be done at leisure taking at most 1 hr./day,2-3 times a week, and earning a Weekly pay. It’s a Flexible Opportunity where you will determine your working time.

All the tasks are work-from-home/on-campus jobs, you don’t need to travel outside your city, and also you don’t need to have a car to get started. It’s home-based office work within your city. You can be in any location and work from your home/school.

*Skills needed

*Basic use of Excel
*Accuracy
*Ability to work independently
*Basic computer knowledge

To apply, send the information below via SMS to +1 (740) 417-2147

* Full Name:     
* Full Address:    
* Personal Email:   
* Campus Email:  
* Cell Phone Number:  
* WhatsApp Number:   
* DOB:   
* College Name:   
* Major:    
* How many hours are you willing to work:

Kindly send the requested information above via SMS to the cell # above to proceed and you will be contacted within 24 to 48 hours with the full details of the job and how to proceed.




You'll notice the From address is not from a UW email and the link it attempts to lead you to is not a UW site - it's just a site the bad guys have set up to snarf your userid/password.
From: Shiroki, Kathy G. shirokkg@buffalostate.edu
Sent: Monday, December 4, 2023 9:05 AM
To: Undisclosed recipients:
Subject: You have (3) Important unread messages

Dear Students/Staffs/Non-Staffs, 
You have (3) important unread messages from the school's financial aid department.  
  
Kindly click [Verify] to read it. [[[you'll notice the link would take you to a non-UW site... Bill]]] 
  
Unread messages will be deleted in 24 hours. 
  
Best Regards 
  
Financial Aid Department.



This one actually came from a compromised UW account. The link it attempts to lead you to is not a UW site - it's just a site the bad guys have set up to snarf your userid/password.
From: Anna-Mireilla Hayden ahayden@uwaterloo.ca 
Sent: Friday, December 1, 2023 4:27 PM
Subject: Important Message for All Staffs and Students
Importance: High
 
Dear Students/Staffs/Non-Staffs,

You have (3) important unread messages from the school's financial aid department. 

[Kindly click here] to read it. [[[That link would take you to a bogus non-UW site asking for your UW userid/password... Bill]]]

Unread messages will be deleted in 24 hours.

Best Regards

Financial Aid Department.



You'll notice the From address is forged and the link it attempts to lead you to is not a UW site - it's just a site the bad guys have set up to snarf your userid/password.
From: UWATERLOO gaetano.caserta@uslsudest.toscana.it
Sent: August 28, 2022 10:11 PM
Subject: Verify Your Email Account

Dear mail user,

We are experiencing congestion due to anonymous registration of UWATERLOO
email accounts. So we update all accounts to avoid mail delivery
traffic. If you still want to use your email account, please verify your
account immediately.
You must confirm your email account through this instant update link
below. If you can't click, copy and paste the address into your browser:

https://sevenmilebeachcondorentals.com/uwa/connect.uwaterloo.ca/owa/auth/logon04a0.html

Caution! Any UWATERLOO email account holder who refuses to update their
account after receiving this email will permanently lose their account.

Cheers,
UWATERLOO
Account maintenance service.



Hovering over the link in the email shows that it's from https://forms.sendpulse.com/.../ which is not a UW site - it's just a site the bad guys have set up to snarf your userid/password. The UW email address was compromised which allowed the bad guys to get the message through to the campus community.
From: Bethany Mulder-Kelly bethany.mulder-kelly@uwaterloo.ca
Sent: Monday, August 22, 2022 8:39:50 PM
To: Centre for Career Action 
Subject: Individual Assistance Program 
 
All employees can now apply for the 2022 individual assistance program through the COVID-19 Benefits Program. This is to support all employees in the new year due to the impact of the COVID-19 pandemic.  
  
As a new year's support program, the individual assistance program will provide employees with cash assistance of up to $4,500 to help individuals and families.  
  
Applications can be submitted through the Individual Assistance Program. Visit the [[[Individual Assistance portal]]] and fill out the application form.  
 
Thanks, 
Bethany.mulder kelly



Hovering over the link in the email shows that it's from https://replug.link/... which is not a UW site - it's just a site the bad guys have set up to snarf your userid/password. Notice also the email is from installations@tormaxusa.com.
From: Hamblin, Nancy Nancy.Hamblin@lakecountyohio.gov
Sent: August 7, 2022 5:06 PM
Subject: Summer Benefits Plan

I'd like to notify you about the Summer 2022 Benefits plan, which will
be available to give financial support to employees and their families
over the summer holiday.

The previous few years have been terrible for every family because of
the COVID-19 Pandemic. The Employee Benefits Plan's objective will be
to give monetary assistance to employees up to a maximum of $5,000.

Applications are now being accepted for the Employee Benefits
plan. Applications may be filed through the 2022 Employee Benefits page.

Sincerely,

Nancy Hamblin



Hovering over the link in the email shows that it's from https://forms.sendpulse.com/... which is not a UW site - it's just a site the bad guys have set up to snarf your userid/password. Notice also the email is from installations@tormaxusa.com.
From: installations installations@tormaxusa.com
Sent: Thursday, August 4, 2022 3:30 PM
To: IAPbenefits@tormaxusa.com
Subject: Individual Assistance Program 

All employees can now apply for the 2022 individual assistance program
through the COVID-19 Benefits Program. This is to support all employees
in the new year due to the impact of the COVID-19 pandemic.

As a new year's support program, the individual assistance program will
provide employees with cash assistance of up to $4,500 to help individuals
and families.

Applications can be submitted through the Individual Assistance
Program. Visit the Individual Assistance portal and fill out the
application form.

Sincerely,
installations  



Hovering over the link shows that it's from https://uwaterlooportal.000webhostapp.com/ which is not a UW site - it's just a site the bad guys have set up to snarf your userid/password. Notice also the email is from argus@pobox.com.
From: Uwaterloo argus@pobox.com
Sent: July 17, 2022 6:37 AM
To: helpdesk1@uwaterloo.ca
Subject: To all Staff \Faculty

To all Staff \Faculty

Note this important update that our new web-mail has been enhanced with
a new messaging system from Owa/Outlook, including faster use in emails,
shared calendars, web documents, and the new 2022 anti-spam version
includes.

Please use the link below to complete your update for our new Microsoft
Outlook Exchange   enhanced web-mail. Click UW Outlook Web Access
to update

Greetings,
IT service support. 

Microsoft Outlook. Exchange email



This one might fool you if you don't pay attention to the URL you arrive at. Notice the sender is in Japan and has just forged the address to appear to be from an @uwaterloo.ca address. It contains an attachment tempting you to download something. Oddly seems to include Geoff's name/email and your address is probably Bcc'd. The download probably contains malware or is trying to snarf your password.
From: voicemail@uwaterloo.ca hong@qses.co.jp
Sent: October 20, 2021 11:30 AM
To: Geoff Fong 
Subject: Emailing: New Voice e-mail to gfong@uwaterloo.ca

Attention : gfong@uwaterloo.ca
Length : 00:23 Sec
Date : October 20, 2021
Reception : Uwaterloo Voice Mail Service
 
Download attached file to listen to your voice message 
 
This message was sent to gfong@uwaterloo.ca 



Avoid replying as it's not Heather.
From: Heather Henderson <departmentchairm@gmail.com>
Date: Monday, September 27, 2021 at 2:59 PM
To: yourname <youremail@uwaterloo.ca>
Subject: <no subject>
Available cell phone number?
Professor & Chair

University of Waterloo



The bad guys are hoping you'll enter your login credentials into the bogus site in order to access your account later. A compromised UW account was used (I've included the Soandso example below).
From: Lilian Wambutsi <LilianWambutsi@shannonhealth.org> 
Sent: July 5, 2021 4:03 PM
To: Lilian Wambutsi <LilianWambutsi@shannonhealth.org>
Subject: IT Advisory


Your OWA User Account password has expired. As a component of the OWA IT
security strategy for account management, account holders are required to
reset their OWA user account password periodically. Passwords not reset
within the established timeframes will expire and further access to the
account is denied preventing access to any Outlook Web Access services
including email, external (OWA) websites, SMP or accessing computers
requiring your logon.

To avoid inconvenience, update your password [here] on the access
change portal.
[[[you'll notice the "here" link would take you to a bogus site - Bill]]]

If you haven't already done so make sure that your Outlook Web Access
(OWA) account security profile is up-to-date so that if you forget your
password or need to reset an expired password in the future you can do
so through the above access change portal anytime, anywhere, without
needing to contact anyone.

Note that this is an automatically generated email.
Please do NOT reply.

-----------------

Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient and may contain confidential
and privileged information. Any unauthorized review, use, disclosure,
or distribution is prohibited. If you are not the intended recipient,
please destroy all copies of the original message.



The bad guys are hoping you'll enter your login credentials into the bogus site in order to access your account later. A compromised UW account was used (I've included the Soandso example below).
From: Administrative Notification <adam.brazda01@upol.cz> 
Sent: March 31, 2021 12:13 PM
To: your name <youremail@uwaterloo.ca>
Subject: Payroll Update

 
Recipient: youremail@uwaterloo.ca
New Notification Regarding Your 2021 Payroll
https://www.uwaterloo.ca/UI/payr0ll/2021/f0rm.pdf
[[[if you hover over the above link without clicking it, you'll notice
it would take you to a bogus site
https://shubhastrology.com/uwaterloo/uwaterloo.html ...Bill]]]
 
Copyright © uwaterloo, All rights reserved.




The bad guys are hoping you'll enter your login credentials into the bogus site in order to access your account later. A compromised UW account was used (I've included the Soandso example below).
From: Antony Robert <antony.robert@uwaterloo.ca> 
Sent: February 2, 2021 11:32 PM
To: Updates6@uwaterloo.ca
Subject: Re: Covid-19 Benefits

In response to the current hardship in the community due to the COVID-19
pandemic, The University of Waterloo, has decided to help support all
employee and students to get through these hard times.

The University will award $2000 to all eligible employee and students of
The University of Waterloo, as COVID-19 support, starting from, Tuesday,
February 2, 2021.

Visit the COVID-19 Benefits page and register with your information to
apply for this giveaway.
[[[bogus link there to a compromised site... Bill]]] 

Note: If you do not submit all the information requested, your application
will not be processed.

Sincerely,  

COVID-19 Support Team
University of Waterloo 
200 University Ave W, 
Waterloo, ON 
N2L 3G1, Canada



bee@uwaterloo.ca