Go to the U of M home page

Monday, August 29, 2016

Phishing Example 158: Fraudulent Wire Transfer Request: Request

Received: August 2016
A true email thread reported to us by a UMN faculty member.
Notes: The Reply-To address is president2009@yahoo.com; there may be many other false reply-to addresses as well. The fact that this email is current shows that attackers are trying to trick finance people into wiring funds. Please be suspicious about these requests. Do not answer, and forward them to phishing@umn.edu

*From:* UMN Finance person <IID@umn.edu>
*Date:* August 29, 2016 at 1:58:08 PM CDT
*To:* UMN Faculty person@umn.edu
*Subject:* *Fwd: Request*

Should I wire the money directly to your international bank account?

Begin forwarded message:

*From:* "UMN Faculty person@umn.edu"
*Date:* August 29, 2016 at 1:53:42 PM CDT
*To:* UMN Finance person@umn.edu
*Subject:* *Request*
*Reply-To:* "UMN Faculty Person" <president2009@yahoo.com>

Hi [Finance Person],

I need a favor, can you help me make a payment of $1400 to a vendor today?
I will reimburse you back your money by Thursday. Please let me know if
this is convenient.

UMN Faculty Person

Wednesday, August 24, 2016

Phishing Example 157: University Of Minnesota

Received August 2016

From: umn.edu Security <xxxxx  @gmail.com> <<- From fake GMAIL address
Date: Wed, Aug 24, 2016 at 9:18 AM
Subject: University Of Minnesota

Inline image 1

Unusual sign-in activity
We detected something unusual about a recent sign-in to the***@umn.edu . To help keep you safe, we required an extra security challenge.
details:Country/region: United States
IP address:
Date: 8/24/2016 09:00 AM
If this was you, then you can safely ignore this email.If you're not sure this was you, a malicious user might have your password. Please review your recent activity  Click Here.

To opt out or change where you receive security notifications,

The University Of Minnesota.


  • Copy of current UMN login page - delivered via javascript load
  • Filling in form redirects to real page

Tuesday, August 23, 2016

Advisory: FTC Releases Alert on Louisiana Flood Disaster Scams

Original release date: August 23, 2016
The Federal Trade Commission (FTC) has released an alert on scams that cite the recent flood disaster in Louisiana. These charity scams take many forms, including emails containing links or attachments that direct users to phishing or malware-infected websites. Donation requests from fraudulent charitable organizations commonly appear after major natural disasters.
US-CERT encourages users to take the following measures to protect themselves:
  • Review the FTC alert and its information on Charity Scams.
  • Do not follow unsolicited web links or attachments in email messages.
  • Keep antivirus and other computer software up-to-date.
  • Check this Better Business Bureau (BBB) list for helping Louisiana flood victims before making any donations to this cause.
  • Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index.
  • Refer to Security Tip ST04-014 – Avoiding Social Engineering and Phishing Attacks – for more information on social engineering attacks.

Saturday, August 20, 2016

Tips on Reporting Phishing

When you report a phishing email to phishing@umn.edu, it is extremely helpful if you can give us the complete email, with  headers and all the links intact. This helps us identify the email and put measures in to protect our community members from such scams.

         To view headers in Gmail, click the arrow next to the Reply button in the upper right-corner of the message to open the pull-down menu. Select Show original. Save the result as a text file and send as an attachment.

Other e-mail clients         
 SpamCop offers a page of links showing how to view header information for a large number of e-mail clients:        

        IMPORTANT: Because Google now triggers on the content when you report phishing - you need to send the report as an attachment - see


Friday, August 19, 2016

Phishing Example 156: IMPORTANT

received August 2016

From: University Of Minnesota <help@umn.edu> <<<-FORGED
Date: Fri, Aug 19, 2016 at 8:07 AM

Your mailbox size has reached 14900.93MB, which is over 90% of your 15360.00MB quota. Please click here to Increase your mailbox quota to avoid exceeding your quota.  <<<Multiple versions with different URLs

© Regents of the University of Minnesota. All rights reserved

Directs to a forged copy of our login page:

  1. there IS NO QUOTA on UMN email accounts
  2. comes from multiple email addresses, pretending to come from "help @umn.edu" 
  3. web form has an outdated copy of the UMN login page
  4. web form hosted at multiple URLS, all end with  "/ww/ww.htm"

Thursday, August 18, 2016

Phishing Example 155: Signed Doc Agreement

Received August 2016

Date: Thu, Aug 18, 2016 at 9:50 AM
Subject: Signed Doc Agreement

Please find the letter for your approval and signature.
Kindly sign under your name and return.
View | Download
457 KB

Thank You

  • Email came from a compromised user that had been working with the U on business
  • Link goes to fake google login (below)
  • IF you are logged into google, you shouldn't SEE a login to view the doc
  • Login page doesn't take you to a UMN login screen
  • Fake login page missing "Google" logo at top.

Logging into UMN Google resources: