Skip to content Skip to navigation

Recent examples of phishing

These are some examples of phishing emails seen on campus. Do NOT assume a suspect email is safe, just because it is not listed here. There are many variants of each, and new ones are being sent out each day.

Your Apple ID was used to sign in to iCloud on an iPhone 4

This one is pretty convincing.   In case you're wondering, the address at the bottom in Luxembourg is the actual address Apple publishes for iTunes.   The clues here are the same as in most phishing scams, first of all the actual URL behind the links in the email, and even more than that the very fact that you're asked to click on a link in email and, once there, change your password to some account.   Simple rule: never do this.   If you're in doubt, contact the IT Service Desk at 725-HELP (650-725-4357) or submit a HelpSU request (copy paste this URL into your browser:  helpsu.stanford.edu).

February 8, 2014

Dear customer,
Your Apple ID was used to sign in to iCloud on an iPhone 4.

Time: February 06, 2014
Operating System: iOS;6.0.1

If you recently signed in to this device, you can disregard this email.
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have accessed your account, please click here to confirm your details and change your password.
Apple Support

My Apple ID | Support | Privacy Policy
Copyright © 2014 iTunes S.à r.l. 31-33, rue Sainte Zithe, L-2763 Luxembourg. All rights reserved.

E-mail Security Notice

The biggest clue that this is a phishing attempt is the most obvious: it is asking you to click on a link in an email message.   It is also telling that it says your email account has been suspended, but in fact you just received this message by email, most likely with a lot of other messages, so that part is clearly untrue.  There is also nothing that tells you who or what organization in Stanford actually sent it; it just says "Stanford University".   Finally, if your email program allows  you to see the URL behind the link without clicking on it, you would see that the "Click here" link goes not to a stanford.edu host but to one in ".kz", which turns out to be Kazakhstan.   They are unlikely to be involved in the security of Stanford email, except perhaps to try and reduce it.

January 30, 2014

signature.gif (156×30) saying "Stanford University"

Your e-mail access has been suspended for your security.

To regain your access Click here

Stanford University.

0pen - P0sition

The message purports to represent a "Customer Service Research" organization, but never mentions the name, and there is no contact information provided.  There are, as is often the case, numerous grammatical, capitalization, and other errors (e.g., "We are Leading Agency", "Should you interested...").   There are also elements that may be intended to keep the message from being tagged as a phishing attempt, such as "Full A.d.d.r.e.s.s :" (in case a filter is looking for "Address").   Even the subject line uses a zero instead of an "o" in "P0sition" in case that word is flagged.

November 21, 2013

We are Leading Agency Specialized in (Global) Customer Service Research. We are starting a very big research project in USA. This project takes place every month. We need to recruit Mystery Shoppers to join our project to work as a surveyor. Should you interested, your salary would be US$300 per assignment.

Money order will be in a certain amount that you will be asked for cash at your bank, deduct your salary and have the rest used for the evaluation. Provide me with the following details listed below:

Contact us with your INF0RMATI0N If you interested:
Full Name :
Full A.d.d.r.e.s.s :
StateCityZip :
A.g.e :
Phones :
Gender :
Current Job
:
Thank you,
Your response would be greatly appreciated.

Voice Message from Unknown Caller (745-894-7559)

This email appeared to be a message from the voicemail system with a voice message attached as a file. The message appeared to come from Unity Messaging System <Unity_UNITY3@stanford.edu>,  which turns out to be a non-existent Stanford address. The attachment should have been removed by Stanford's newly enhanced screening mechanisms, which remove attachments that are likely (based on the kind of file) to be phishing attempts or other malware.

Without the current attachment screening and removal tools, the only clues that this was not a legitimate message would be that the "From" address was not valid (which would not necessarily be easy to determine, but a call to the IT Service Desk would reveal this), and the fact that the "voicemail" file had the extension .zip instead of the normal .wav (again, a subtle detail that many are not aware of).   

November 13, 2013

The message itself has very little text, but the following would appear as a way of notifying recipients that the attachment was removed:

Note: The original attachment was automatically removed by Stanford's email
system because it was identified as a file type that is commonly associated
with malicious software. In order to transmit this type of file, please use
an alternate mechanism such as Stanford's Box service (https://itservices.stanford.edu/service/box).

The attachment name is VoiceMessage.zip, voicemessage.zip.
The attachment type is application/zip.

September 16, 2013

We detected a login attempt with valid password to your CS. Stanford email account from an unrecognized device on Mon Sept 16, 2013 01:56 PM PDT.
Location: Germany (IP=3D81.169.136.48) Note: The location is based on information from your Internet service or wireless carrier provider.
Was this you? If so, you can disregard the rest of this email.

If this wasn't you, please LOGIN HERE to confirm your ownership of this account and to protect your email account information from potential future account compromise.
The office of Inforamtion Security will keep this updated if information should change, but we encourage all users to run their updates after the expected release of this patch.

The Computer Science Department Computer Facilities (CSD-CF)

Location: Gates 170
Phone: 650 725-1451
Fax: 650 723-1701
Email: action@cs.stanford.edu

RE: Faculty &Staff Account Notification

The "ITS" in the email is hyperlinked but hovering over the link shows the URL does not point to a stanford.edu domain.

September 11, 2013

Institute account Routine System. all institutional mail account users  are advice to upgrade /Update account now This has been made mandatory for all. for assistance click: ITS
Failure to do this you will have your account suspended on till report is made to the institution authorities.

ITS service Team
© Copyright 2013.
All Rights Reserved

September 9, 2013

From: Stanford Webmail Team

Dear Stanford Account User,
This message is from Stanford Admin Team, Your email account has exceeded its mail quota on
our server database and your account will be inactive within the next 24-48 hours if it is not
verified. You are advised to on click the link below and follow the instructions to verify your
account.
[link removed]
Thanks.
Stanford Help Desk.

September 8, 2013

Dear All Students of Stanford University,

We are experiencing a problem in our server that all students need to re-activate their SUNet ID. This is due to the implementation of a new library system. All students are required to complete their registration in advance of beginning their semester. This will enable us proceed their classes to be started on time. Please visit following page to activate your SUNet ID.

Consequences of Incomplete Activation

Students will not receive grades for courses attended.
Once classes begin, students cannot add, late add, or late drop courses for the current semester.
Students are ineligible to register for future semesters.
If receiving student loans, the student may enter a repayment status with lender.
If receiving student aid, some aid sources may be cancelled and unable to be reinstated at a later date.
If receiving an award, the student cannot be hired.
The University reserves the right to cancel an incomplete registration for failure to pay tuition and fees.
We recognise that you want to succeed and that your time is a very precious commodity and so through Off-Campus Connection, the website for Stanford off-campus students, you'll be able to find out what you need with a minimum of fuss. We are always looking to improve and update our website, and so welcome your comments and feedback. Send them along to us at the Off-Campus Learning Centre.
I wish you all the very best in your studies at Stanford University.

Stanford IT Service Desk: 724-HELP
243 Panama Street
Stanford, CA 94305-4102
Contact us

September 3, 2013

Mailbox is full,00.1 MB,Please reduce your mailbox size. Delete any items you don't need from your mailbox and expand your email quota with the below web links:

HERE: [Link to phishing website removed]

Thank you for your understanding.
2013 Helpdesk

Webmail Update

While the text of the link in the email looks legitimate, the URL is actually different and brings you to a phishing website.

September 3, 2013

Webmail Update

Stanford University Email & Calendar system have been updated.
Please visit the updated Zimbra Email for information and instructions on how to access your email.

To access your email via the web: https//webmail.stanford.edu/

Updated Webmail includes a refreshed interface with tabs on top and a new inbox email default theme.
Beginning on Friday, August 30th, 2013, the new web-mail application becomes the default for all users.
Updated to improve performance (Standard and Basic interfaces)."