Go to the U of M home page

Friday, December 8, 2017

Example 210: Warning Your EMail Will be Shut Down After 24 Hours!

Bogus Shutdown warning tied to a PDF linking to a very good copy of Gmail login pages. Note, other subjects were seen, like "Update Notice"


Graphical letter with Google branding warning users they will be shut down
Graphical letter with Google branding warning users they will be shut down
PDF attachment displays form with a link:

PDF attached to warning letter - with link to Brazilian fake Google login
PDF attached to warning letter - with link to Brazilian fake Google login

Fake Google login form (hosted in .br, brazil - NOT google.com)

Good copy of Google login - filling it in redirects to REAL Google login page
Good copy of Google login - filling it in redirects to REAL Google login page

Things to Note:

  • No University of Minnesota branding
  • No link in email - you're expect to download and open a PDF
  • PDF contains link to a Brazilian (.br, NOT google.com) login page
  • Fake login site will redirect you to a real Google site.

Tuesday, November 21, 2017

Example 209: Library Notifications

Bogus warning forged as from UMN library - links to a clone of UMN login page via wisc.edu quicklink.

Message text
From: University of Minnesota Libraries <libraries@ umn. co> <<--NOTE "UMN.CO" senderDate: Tue, Nov 21, 2017 at 7:39 AMSubject: Library NotificationsTo: 

Dear Library User,
Our records show that your access to University of Minnesota Libraries System is about to expire. Due to security precautions established to protect University Libraries System, you have to renew your library account on a regular base, so please use the following link
(Note: this fake link in TEXT, really links to a go.wisc.edu quicklink to a fake UMN login)
After your successful authentication, your access will be restored automatically and you will be redirected to the library homepage. If you are unable to log in, please contact the library help desk for immediate assistance. We apologize for any inconveniences this may have caused.

Thank you,

University of Minnesota Libraries 309 19th Ave S, Minneapolis, MN 55455libraries@umn.edu  <<---NOTE non-existent "libraries@umn.edu" address
Web Form

Forged UMN login page
Forged UMN login page
Things to Note:

  • Email comes from "umn.co," not "umn.edu" 
  • Displayed URL appears to be a umn.edu address, 
  • BUT goes instead to a wisc.edu URL-shortener service 
  • Final URL includes "umn.edu" but ends in "citt.cf"
  • IF you "logged in" you will be redirected to the UMN library site - if you did this change your password ASAP!

Friday, November 17, 2017

Advisory: Fake "Invoice" and "UPS" notices come bearing malware!

Multiple versions of "Invoice" or UPS delivery notices have been received, linked to malware aimed at stealing financial information.

Example messages:
From: UPS.com <some.name @some.domain.org>
Date: Mon, Nov 13, 2017 at 7:15 AM
Subject: UPS Ship Notification, Tracking Number 0IT41910520287451
You have a parcel coming.
The physical parcel may or may not have actually been tendered to UPS for shipment.
Current status of the delivery is available here.
Scheduled Delivery Date: Monday, 11/13/2017
Shipment Details
From: eBook on Leukemia: Causes, Symptoms & Treatment
Tracking Number: 0IT41910520287451
Number of Packages: 8
Thank you for your business.

From: Some Name < some different email@someplace.com>Date: Fri, Nov 17, 2017 at 12:02 PMSubject: Invoice number 00744297 issueTo:

This is your invoice dated 17 Nov 17. If you have questions or concerns, just let me know at 01382 844946.
http://xxxx .yyy/New-invoice-3498177/
Yours Truly,Some Name

Things to Note:

  • The name in the "From:" field usually does not match the email address
  • In some cases the "sender" name IS known to the recipient (though it is NOT from their email)
  • The URL addresses have been in multiple countries, none of them apparently related to UPS or the purported business
  • Do not download (and open) unexpected "invoices" 
  • If you have downloaded and opened this malware - contact your tech support immediately to assess and determine next steps
  • Report and forward any such mail to phishing@umn.edu

Friday, October 20, 2017

Example 208: [ATTENTION REQUIRED] University of Minnesota Employee Organizational Internal Communications

Forged mail "from" President Kaler, with a PDF that leads to a fake login page aimed at stealing passwords.

Message Text:

Date:Fri, 20 Oct 2017 15:45:47 +0000
From:"Theresa" <txxxxx@xxxxxx>
Subject:FW:[ATTENTION REQUIRED] University of Minnesota Employee Organizational Internal Communications
Dear Colleagues,
Integrity has long been a hallmark of our success. It characterizes everything we do. In fact, when we talk about the core values of our company, we start with integrity. Integrity means being straight forward, honest, and transparent in our professional and business relationships. This means doing what we say and saying
what we do.
Each of us makes a wide range of business and ethical decisions every day in the execution of our responsibilities on behalf of University of Minnesota. We are fully committed to ensuring that such decisions comply with the letter and spirit of the law and are ethically above reproach.
This Code of Ethics and Business Conduct is a guide to making the best possible decision in situations affecting your fellow employees or our shareholders, customers, and partners, as well as the communities in which we live and work. In simple terms,  our Code contains the guidelines we must all follow to do business
the only way we should: the right way.

NOTE: It is fundamentally Urgent that all staffs read attached.

University of Minnesota
202 Morrill Hall l 100 Church Street S.E. l Minneapolis l MN l 55455 l USA
Email: upres@umn.edu l Website: www.umn.edu
Phone: 612-626-1616 l Fax: 612-625-3875

PDF content:

PDF with link to fake document
PDF with link to fake document

Web Form

Web form to get document - with login to steal credentials
Web form to get document - with login to steal credentials
Things to Note:

  • Letter forged as "from the President."
  • Email delivers a very simple PDF which has one purpose - a link to a login page.
  • Login page WILL deliver an innocuous PDF of  a "code of ethics."
  • Anyone who filled in the form should immediately change their password.

Monday, October 2, 2017

Example 207: You have an Important message to review

Fake health message email directs to a forged UMN login site in Russia

Message Text:

 From: UMN - Health Care <xxxx @ Some-other-school.edu>
 Subject: You have an Important message to review
 Date: October 2, 2017 at 1:58:48 PM CDT
 You have an important Health message from University of Minnesota Health Center. Click  Here
      hxxp:// news-xxxxx.ru/login.umn.edu/
  authentication is required to read this message
  We apologize for any inconvenience.
 Thank You.. 
 Allen Brianna
 Health Care Center
 University of Minnesota
Login Form:

Russian hosted forged umn login site
Russian hosted forged umn login site

Things to Note:

Thursday, September 21, 2017

Advisory: FTC Releases Alerts on Protecting Against Identity Theft

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

09/20/2017 04:58 PM EDT

The Federal Trade Commission (FTC) has released two alerts to educate consumers on recommended protections against identity theft after the recent data breach at Equifax. Users should consider placing security freezes with the three major credit reporting agencies: Equifax, Transunion, and Experian. Alternative security recommendations include using fraud alerts and free credit monitoring from Equifax. 
US-CERT encourages users to refer to the FTC alerts on Equifax credit freezes and fraud alerts vs. credit freezes. See the US-CERT Tip on Preventing and Responding to Identity Theft for more information.

Thursday, September 7, 2017

Advisory: Potential Hurricane Harvey Phishing Scams

Reminder from US-CERT that recent disasters will lead to scam "fund-raising" emails.

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

09/08/2017 01:56 PM EDT

Original release date: September 08, 2017
As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.
To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:

Tuesday, September 5, 2017

Example 206: Urgent Notice

Fake "warning" leads to forged UMN login page aimed at stealing passwords.

Message text:

From: UMN Admin <noreply@xxx.edu>
Date: Tue, Sep 5, 2017 at 4:52 PM
Subject: Urgent Notice
To all staffs/employees and UMN users, we have observed that there are some
non-active email address in our database recently serving as a loop to
hackers trying to hijack our server. User are advised to CLICK
<hxxp://umn-edu.xxxx.biz/index.html> here to login and validate their email
address and continue with their normal activity as their login information
will not be altered or shared.
If you receive this message as spam, kindly move message to your inbox
before you click. Failure to comply with this demand will be regarded
as non active user and will lead to deletion after 48 hours of
reception of this email.
Sorry for the inconveniences.
Web Form

Fake UMN login hosted at .biz address
Fake UMN login hosted at .biz address

Things to Note:

  • Email forged as coming from a .edu address - but NOT umn.edu
  • Web form hosted at a ".biz" address - NOT umn.edu
  • Filling in the form redirect to the login.umn.edu web page

Monday, August 14, 2017

Example 205: ITS Support/Help desk

Fake support message leading to deceptive login page to steal name and password.

Message text:

From: Help Desk Support [mailto: non-UMN.EDU address]
Sent: Monday, August 14, 2017 10:09 AM
To: undisclosed-recipients:
Subject: ITS Support/Help desk

Dear Faculty and Staff,

Important information from Web Access Security Service.

An upgrade was made to the university’s authentication structure. The upgrade was required to prepare systems for compliance with State Security Standards, and the implementation of multi-factor authentication. Now, when you lo-gin. You will be required to enter your Network Username and password into the link that will be provided below.

Due to the upgrade that was made. Your lo-gin page will be changing. However, to avoid loss of your email address and password LOGIN your account now.

Thank you for your cooperation and patience as we take steps to further protect university data.

Thank you,
Division of Information Technology.
Login form:

fake login page aimed at stealing account credentials
fake login page aimed at stealing account credentials
 Things to note:

  • No UMN branding in message or webform
  • Email not from umn.edu address
  • Web form not hosted at a umn.edu site

Wednesday, August 2, 2017

Example 204: Notice ! Notice !!

Fake warning "from" google leads to a well crafted fake google login page

Message Text:

Spam Warning email - attached to PDF containing link to Fake Google login
Spam Warning email - attached to PDF containing link to Fake Google login

Web Form

Fake Google Login page
Fake Google Login page

Filling it out redirects to a REAL Google account login:
Real Google Login - with CORRECT "Google" text font
Real Google Login - with CORRECT "Google" text font

Things to Note:

  • Link not in email text - you have to open a PDF to find link
  • Link is hosted at an advertising website, NOT Google.com
  • Forged login uses an older font for "Google" - real google.com uses a san serif font
  • Filling in the form redirect to a REAL Google login page, with CORRECT font

Monday, July 31, 2017

Example 203: Unrecognized Login Location Alert For xxx@umn.edu

Spoof security alert message aimed at capturing login credentials.

Message Text
Date: 29 Jul 2017 18:27:07 -0400
Subject: Unrecognized Login Location Alert For xxx@umn.edu
To: xxx@umn.edu
From: " E-mail Security Alert" <xxx@xxx.xx.cn
(note: EMAIL From Non-UMN.EDU address!)
for - Account User: xxx@umn.edu 
This is to notify you that someone from an unrecognized location tried logging into your e-Mail (xxx@umn.edu ) few minutes ago. 
Was this done by you? 
For your account security, we strongly recommend that you verify your account now, else you account will be blocked without further notice. 
Click here to Verify your E-mail account now
After verification, extra security features will be activated in your email settings and your account will be safe for use again.
Source: Email Security Team

Things to Note

  • No University of Minnesota text or branding
  • Email source NOT @umn.edu 
  • Personalized report includes recipient email, which is also embedded in the form link (this lets the form come up with your ID already filled in)
  • Form link NOT at UMN.EDU (it was actually on a doggie day care website)
  • Sorry, no picture of the form, which was already removed by the time it was reported

Monday, July 10, 2017

Example 202: umn.edu

Simple message leading to a fake UMN login page on a free web service

Message Text
From: helpdesk>support <xxxxxxx14@gmail.com>Date: Fri, Jul 7, 2017 at 3:31 PMSubject: umn.eduTo: 

Your umn.edu e-mail account have exceed its limit click the below linkhxxp://umn-xxxxxxxx.myfreesites.net/ to re-validate. UMN<help-surport> Thanks
Login Form
Fake UMN login page hosted at freesites.net
Fake UMN login page hosted at freesites.net

Improved version included in some spam messages
Improved version included in some spam messages

Things to note

  • Email sent from a gmail.com email address
  • Some copies sent from compromised UMN.EDU addresses
  • Mild branding with UMN logo, but not hosted at UMN.EDU
  • Web page advertises free web page building service
  • Password entry displays passwords in the clear

Wednesday, June 21, 2017

Example 201: Library Services

Well crafted email directs recipient to a forgery of the UMN login page.


 Dear User,
 This message is to inform you that your access to your library account
 will soon expire. You will have to login to your account to continue to
 have access to the library services.
 You need to reactivate it just by logging in through the following URL. A
 successful login will activate your account and you will be redirected to
 your library profile.

 If you are not able to login, please contact Emily Bonnell at
 enbonnell@umn.edu for immediate assistance.
 Emily Bonnell
 University of Minnesota Libraries
 (612) 624-xxxx


Forged UMN login page - NOT hosted at UMN.EDU
Forged UMN login page - NOT hosted at UMN.EDU

Thing to Note

  • Email comes from a Gmail account, not UMN.EDU
  • "Emily Bonnell" is not a real UMN staff member - the umn.edu email referenced does not exist
  • Forged web page NOT hosted at umn.edu
  • Logging into page redirects to the real login page (or a UMN service page if you ARE logged in)

Tuesday, June 20, 2017

Example 201: Security Updrade Strongly Required

Phish with security warning, going to very good copy of UMN login.


From: Help Desk <compromised user@umn.edu>
Date: Mon, Jun 19, 2017 at 6:20 PM
Subject: Security Updrade Strongly Required
University of Minnesota Account Help Desk  is having a problem with your Account.You will not be able to receive any new emails until you Upgrade your account  to avoid suspension.
Kindly be informed that we'll not be held responsible for your account deactivation once you fail to upgrade your account after this Final Warning. To remove your account from our deactivation list kindly click Upgrade below: 
Upgrade <hxxp://xxxxxxxxxx.ru/love.php>
- Identity Management Team
Web Form
Forged MyU login page - hosted at a .com site
Forged MyU login page - hosted at a .com site

Things to Note
  • Email comes from a compromised UMN account
  • URL in email points to a Russian (".ru") URL, but redirects to a .COM site for login
  • Logging into the page redirects to the REAL MyU login page (nearly identical to their fake page)

Tuesday, June 13, 2017

Advisory: Logging into University Google resources.

Note: This is an updated reminder of what logging into Google resources should look like (June, 2017). 

From time to time, you will see phishing schemes that claim to be a Google Doc. Most recently, many have received a scam letter titled "I've shared an item with you." The "google link" in the email doesn't go to Google, of course - and it may present a login that looks like this:

Currently, a REAL Google login should look like this:

Current Google App Login (May 2017)
Current Google App Login (June 2017)

But, be careful. Looking like this is not enough.

(PLEASE note - if you are  already logged in to gmail, following a link to a google doc should NOT present you with a login - you're already logged in.)


  1. You ARE prompted to login to a resource for the University, 
  2. AND you receive the Google prompt,
  3. DO NOT enter your password.
  4. Just present your email address, e.g. internet-id@umn.edu
Like this:
Logging into Google with an @umn.edu account
Logging into Google with an @umn.edu account

If it's legitimate, you may next see:
(You'll see this if Google thinks you have two versions of NAME@umn,edu, Choose "Organizational")
You'll be sent to the U's authentication system where you will do your real Internet ID + Password login on this screen: 

University Login page

Remember, if legitimate, THIS login page will be hosted at an address that ends in "umn.edu." If it isn't, it is unlikely to be a real login page and you should report it to phishing@umn.edu.

(note: We present this post on a regular basis so that it reflects the current user experience for logging into Google resources. When there are updates to the Google or University experience, we will update it. The current version will be linked at http://z.umn.edu/RealLogon)

Monday, June 12, 2017

Example 201: Your email (name)@umn.edu, has low storage.

Scam email sent to steal user passwords with "low storage" warning.

Message text:

To (name)@umn.edu 
You are running out of email storage space and this could prevent you from
receiving other important mails!
Please Click Here to verify your email to lift your email storage limit.
Yours Sincerely,
Account Team
Web form:

Things to Note:

  • Email to "name@umn.edu" embeds email address in form
  • Nothing related to UMN.EDU in email, or form

Friday, June 9, 2017

Example 200: All Faculty and Staff Must Read

Notes: From a non-UMN address, tinyurl resolves to a site with a fake UMN login page.
Text of message:

From: Health Care Center <xxxxxx@students.towson.edu>
Date: Fri, Jun 9, 2017 at 9:41 AM
Subject: All Faculty and Staff Must Read
Dear Faculty and Staff
You have an important Health message from University Of Minnesota Faculty and Staff Health Center. Please Click [hxxp://tinyurl.com/y8ng5sxf] Here to read it
[Real UMN Professor Name]
xxx Morrill Hall
100 Church St. S.E.
Minneapolis MN 55455
Web Form:
Fake UMN.EDU login, hosted at a .com site
Fake UMN.EDU login, hosted at a .com site
Things to Note:
  • Close, but not exact, copy of the UMN login page
  • Webform linked using tinyurl.com link to hide true location
  • Email comes from a different EDU, not umn.edu

Friday, June 2, 2017

Example 199: Kindly Verify Your Account!!

Spam email with link to non-branded, simple form claiming to "upgrade" accounts.

 Message Text

Subject: Kindly Verify Your Account!! 
From: umni@xxxx.be
Information and Communication Technology Accessibility Policy, Verify your email below to avoid the lose of your  account.
Account Verification
 ©2017 The University of Minnesota Terms of Use.

Web Form

Web form aimed at stealing passwords - note password not obscured
Web form aimed at stealing passwords - note password not obscured
 Things to note:

  • No UMN branding
  • Not from a UMN address (although the username sprinkles umn in the sender's ID)
  • Password not obscured

Wednesday, May 31, 2017

Phishing Alert: Lawsuit Phone Scam

Scam phone calls deliver an automated lawsuit threat.

We've had reports from our community that match this scam reported by the University of Pittsburgh:

....a new phishing phone scam that has been received by members of the University community. The scam uses an automated voice message that instructs you to call a phone number before a lawsuit is filed against you with the county courthouse.
The following is a transcript of the fraudulent phone scam. If you receive this message (or any message similar to it), delete the voice message without replying or calling back the number. 
We are calling you about a lawsuit, which has been filed on your name. So before we go with legal matter and send this case to the local county courthouse, kindly call us back on our number which is [number removed]. Thank you and goodbye.

Friday, May 12, 2017

Krebs: U.K. Hospitals Hit in Widespread Ransomware Attack

A timely reminder to make sure your computer is updated.

The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.
The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.

U.K. Hospitals Hit in Widespread Ransomware Attack

At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.
It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.

In a statement, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks.
“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said. “At this stage we do not have any evidence that patient data has been accessed.”
According to Reuters, hospitals across England are diverting patients requiring emergency treatment away from the affected hospitals, and the public is being advised to seek medical care only for acute medical conditions.
NHS said the investigation is at an early stage but the ransomware that hit at least 16 NHS facilities is a variant of Wanna Decryptor (a.k.a. “WannaCry“), a ransomware strain that surfaced roughly two weeks ago.
Lawrence Abrams, owner of the tech-help forum BleepingComputer, said Wanna Decryptor wasn’t a big player in the ransomware space until the past 24 hours, when something caused it to be spread far and wide very quickly.
“It’s been out for almost two weeks now, and until very recently it’s just been sitting there,” Abrams said. “Today, it just went nuts. This is by far the biggest outbreak we have seen to date.”
For example, the same ransomware strain apparently today also hit Telefonica, one of Spain’s largest telecommunications companies. According to an article on BleepingComputer, Telefonica has responded by “desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s reach.”
An alert published by Spain’s national computer emergency response team (CCN-CERT) suggested that the reason for the rapid spread of Wanna Decryptor is that it is leveraging a software vulnerability in Windows computers that Microsoft patched in March.
According to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another.
That SMB flaw has enabled Wanna Decryptor to spread to more than 36,000 Windows computers so far, according to Jakub Kroustek, a malware researcher with Avast, a security firm based in the Czech Republic.
“So far, Russia, Ukraine, and Taiwan leading,” the world in new infections, Kroustek wrote in a tweet. “This is huge.”
Abrams said Wanna Decryptor — like many ransomware strains — encrypts victim computer files with extremely strong encryption, but the malware itself is not hard to remove from infected computers. Unfortunately, removing the infection does nothing to restore one’s files to their original, unencrypted state.
“It’s not difficult to remove, but it also doesn’t seem to be decryptable,” Abrams said. “It also seems to be very persistent. Every time you make a new file [on an infected PC], it encrypts that new file too.”
Experts may yet find a weakness in Wanna that allows them to way to decode the ransomware strain without paying the ransom. For now, however, victims who don’t have backups of their files have one option: Pay the $300 Bitcoin ransom being demanded by the program.
Wanna Decryptor is one of hundreds of strains of ransomware. Victims who are struggling with ransomware should pay a visit to BleepingComputer’s ransomware help forum, which often has tutorials on how to remove the malware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom Project also includes an online tool that enables ransomware victims to learn if a free decryptor is available by uploading a single encrypted file.

Tuesday, May 9, 2017

Advisory: FTC Promotes Privacy Awareness Week

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

05/08/2017 10:39 PM EDT

Original release date: May 08, 2017
The Federal Trade Commission (FTC) has released an announcement on Privacy Awareness Week, celebrated this week in the U.S. The theme of this year’s initiative is “Share with Care,” and the FTC is offering privacy tips, including how to safeguard your information online, improve your computer security, and limit unwanted emails.
US-CERT encourages users and administrators to review FTC’s post on Privacy Awareness Week and these related resources from US-CERT:


Monday, May 8, 2017

Example 198: Email Update!

Scam email update sent from a compromised UMN account

Message text
Subject:    Email Update!
Date:   Mon, 8 May 2017 20:03:37 +0100
From:   compromised UMN account <xxx @umn.edu>
Reply-To:   gmail account

We are using this opportunity to notify the Students, Staffs and Alumni
of University of Minnesota that an update is being done on all accounts.
We strongly advise that you update <hxxp:// tinyurl.com/ xxxxx > your
account promptly to avoid closure/inconvenience on your account, kindly
do this immediately.
IT Admin
Login form

Minnesota bogus branded simple login form
Minnesota bogus branded simple login form

Things to note

  • Form uses tinyurl to mask non-umn login address
  • Form is modestly branded
  • Form shows password in the clear

Example 197: Your Edu Webmail Expired on 05.08.2017,Update

 Non-branded email and form claiming to warn about email account.

Message text

Subject:    Your Edu Webmail Expired on 05.08.2017,Update
Date:   Mon, 8 May 2017 12:40:19 +0000
Your Webmail Edu account certificate expired on 05.08.2017, it may
interrupt your email delivery configuration, and POP account settings
page error when messaging. To re-new your webmail certificate, please
take a moment to update your records per link below or copy and paste link.
Account will function as normal after the verification process, webmail
and your certificate will be re-newed.
Web form

non-branded, simplistic phishing form
non-branded, simplistic phishing form

Thursday, May 4, 2017

Advisory: NO, no one has shared a document on Google Docs with you

Email Attack Hits Google: What to Do if You Clicked


A screen shot of an email received by a New York Times reporter on Wednesday that included a link that appeared to be for a Google document. (Identifying information has been redacted.)

Google said it was investigating an email scam winding its way through inboxes across the country and had disabled the accounts responsible for the spam.
The scheme emerged Wednesday afternoon, when spammers dispatched malicious email, appearing to come from people the recipients knew, beckoning them to click on what appeared to be a shared Google document.                    ........
If you receive suspicious email, here are some tips:
1. Do not click, even when the email is from your mother.
2. Turn on multifactor authentication.
       (this is coming for all UMN users soon, stay tuned)
3. Shut it down.
Go to https://myaccount.google.com/permissions
Revoke access to “Google Docs” (the app will have access to contacts and drive).
4. Change your passwords ... again.
5. Report it.
Report any phishing attacks to Google by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.” Companies count on those reports to investigate such scams and stop them.

See also: