Phishing Examples

Scams constantly evolve in attempts to bypass security measures. While CUIMC regularly blocks phishing and other scam email messages, some still get through to our inboxes. Review examples below of recent phishing attempts to know what to look for and how to tell if you are being targeted.

Spot and Report Scams has more phishing examples and security tips, or see how to Report Junk, Spam, Phishing, and Other Unwanted Messages at CUIMC.

Paid Humanitarian Job Offer

This pretends to be a professor or colleague suggesting a remote position. Clicking on the link leads to a job application form. Once you complete the form the scammer will offer you the job and send you a fake check to deposit into your bank account. They will then request for you to purchase gift cards and take photos of it for the orphanages. The check will eventually bounce and leave you hanging. 

Security Alert for your linked Google Account

This appears to be a message from Google to alert you of an attempt to sign in to a gmail account.
Note: We blurred part of the email addresses to hide the identity of the recipient.

Phishing message claiming a new sign-in to your linked gmail account
  • It looks very similar to alerts you would see from Google for a new sign in to gmail, showing the phishers "did their homework" in making it appear legitimate. Remember that anyone can see and mimic this type of official message.
  • The sender's address, no-reply@​accounts.google.com, spoofs what appears to be an official Google address. There is not an easy way to detect this.
  • Instead of clicking a link in a message, go to your account via a known, good website address. Look for information there on how to see any new sign-ins to your account.
  • Right-clicking or hovering over a link in the message shows more information and may let you know whether the link is for a known site. 

Similar phishing attempts to get account and password information often rely on urgency and fear, and may even state your account will be deleted if you don't take action quickly. If you are asked for your password, remember that NO ONE, IT staff included, should ask you to share it as it would violate University policy.  There are ways to assist with forgotten passwords, locked accounts etc. without needing your full login credentials and password.

Work From Home and Personal Assistant Position

The past few years saw a rise in unsolicited messages for job opportunities, many targeting University students - see School of Hard Knocks: Job Fraud Threats Target University Students for more examples and details. The image below shows phishing messages received by CUIMC accounts.

Work From Home Position email screenshot for a part time job with UNICEF for up to $500 per week
  • The messages appear to be from someone with a CUIMC email address. Remember that unsolicited messages from within the organization, or from an address/sender you recognize, is not a guarantee that it is valid. It could mean that a hacker "is spoofing" (mimicking) the email address, or that the sender's account may have been hacked so a malicious party could send phishing messages from it.
  • Always suspect unsolicited offers, especially if they seem too good to be true.
  • Using links in the message or responding to it verifies your email account (in a mass phishing attempt), and provides personal details they can use for identity theft or to contact you directly.
  • Legitimate organizations will post job notices or use something other than mass emails to find qualified employees. Look for valid ways to contact a sender, such as a company's directory or job board, instead of details from an unsolicited message. 

Phone and Text Message Phishing Reports

Phishing attempts via phone call and text message are referred to as Vishing and Smishing respectively. CUIMC has had reports of both, including the following.

Vishing Report

A CUIMC staff member received a phone call from someone claiming to be a health insurance provider with a new benefit offered by Columbia University. The caller asked for personal details to confirm the CUIMC staff person's identity, such as date of birth. Fortunately the staff realized it was a social engineering attempt, hung up, and reported the incident without providing any personal information.

Always be suspicious about giving out information when you did not initiate contact. For more help on visihing see FraudWatch International's What is Vishing? page.

Smishing Report

A text message advertising free Netflix due to the pandemic with a link to find out more; the link goes to a malicious website.

Text message "smishing" attempt for free Netflix due to the pandemic

If it sounds too good to be true, it usually is. Instead of clicking a link in an unsolicited message, go to the company's known website to find information.