“2020 Anti Virus Protection” Emails are Fake

One of the first things you will notice about these fake “anti virus” protection emails is the odd font in the subject line. A small font, sized at half the height of normal fonts, it looks…odd. This is red flag #1. If you bother to open the email and hover over any of the links, you will notice they do NOT go to either a Norton site or a Symantec (the owner of Norton) site. This is red flag #2. Closely related to this is red flag #3…the email did not come from an address of either company.

The email does contain an image, shown below, which purports that this email came from an “affiliate” of Norton, but does provide a name. All links in the email go to the same domain, flagged as a phishing domain by security company Kaspersky – red flag #4.

You should just delete these emails. If you have opened one and clicked on a link, please let me know so we can discuss the potential impact of this action and what steps you may need to take next. You can email me at infosec@berry.edu.

 

 


“Outlook Warning” Email is Fraudulent

Information Security has received reports of phishing emails that try to convince the user they can no longer sign in to their email, and consequently cannot send or receive emails. An example is shown below. Note the poor spacing, grammar and capitalization in the first two lines of the body. The sender address may vary from what is shown, but will not be from Microsoft or Office365. The “Update To Stay Active” button uses a valid capability (web address redirection) on a valid website (LinkedIn in this example) to send the user to a fraudulent website (0793.to), which may attempt to install malware or simply steal the user’s username and password. Please report these emails using the “Report Email As Phishing” button in the email client, if using Outlook or the web version of Outlook.

 

If you have any questions about these emails, please reply to this email. If you have clicked this link and entered your username and password, immediately change your password, then contact the Technical Support Desk and report the incident.
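The link checks described in these posts (hovering to see where a link really goes, and a redirect on a legitimate site forwarding to a fraudulent one) can be written as code. This is an added Python example, not part of the original posts; the expected-domain list, the redirect path and parameter name, and login.example.net are assumptions made up for the sample, while 0793.to is the destination named above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: domains the claimed sender (here Microsoft) would really link to.
EXPECTED = {"microsoft.com", "office.com"}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_chain(url, depth=3):
    """Host of the link, then of any absolute URL in its query string (no network)."""
    parts = urlsplit(url)
    hosts = [(parts.hostname or "").lower()]
    if depth:
        for _, value in parse_qsl(parts.query):
            if urlsplit(value).scheme in ("http", "https"):
                hosts += host_chain(value, depth - 1)
    return hosts

def in_expected(host, expected=EXPECTED):
    # Exact match or a true subdomain; "microsoft.com.evil.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in expected)

def audit_links(html, expected=EXPECTED):
    """Return (host chain, verdict) for each web link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        if urlsplit(href).scheme not in ("http", "https"):
            continue  # mailto: and similar are out of scope here
        chain = host_chain(href)
        bad = any(not in_expected(h, expected) for h in chain)
        verdict = "ok" if not bad else ("redirect" if len(chain) > 1 else "unexpected-domain")
        findings.append((chain, verdict))
    return findings

# Constructed sample body; the redirect path and parameter name are made up.
SAMPLE = ('<a href="https://www.linkedin.com/redirect-example?url=https%3A%2F%2F0793.to%2Fsignin">'
          'Update To Stay Active</a> <a href="https://support.microsoft.com/">Help</a> '
          '<a href="https://login.example.net/">Sign in</a>')

if __name__ == "__main__":
    print(*audit_links(SAMPLE), sep="\n")
```

The check only reads the URL text, so a redirect whose destination is kept on the server side (a link shortener, for example) will not show its final host this way.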

Microsoft Update via Email is Fake!

A new scam going around is an alleged Microsoft Windows update delivered via email. The email instructs the recipient to “Please install the latest critical update from Microsoft attached to this email.” The attachment is actually a malware file that will encrypt all the files on the disk and demand a ransom, AKA ransomware.

Microsoft will NEVER email you an update, much less a “critical” update.

Please report these emails using the “Report Email As Phishing” button or simply delete them if that is not available to you.

If you have any questions about these emails, please contact Information Security at x1750 (706-236-1750) or at infosec@berry.edu.

If you have received one of these emails already and opened the file, please contact the Technical Support Desk at x5838 (706-238-5838) or computing@berry.edu.

“Sextortion” Emails Still Plaguing the Campus

It’s been almost a year since I first posted about “sextortion” emails that attempt to convince you that someone has hacked your computer and recorded you watching pornography. The campus continues to get all kinds of variations on this scam, with changes in subject, wording, tone, threats, and payment amount. Some appear to come from your own account. Some are crudely worded and attempt to shame or frighten you, while others coyly dance around the description of the content of videos, but the one thing they have in common is that they are all fake! I wanted to write an updated post about these emails since we are still receiving them.

For those who haven’t received one of these emails, the scam suggests that the recipient has watched pornographic material online. The scammers sometimes up the validity level by including a password, usually an old one, that the target (you) has used in the past, gathered from online password dumps. They also claim to have installed malware on “the adult site” (which is never named) that grabs all of the user’s contacts and gives them control of the user’s webcam. Most of the emails attempt to convince the recipient that the scammer is not only skilled, but ultimately untouchable and untraceable, and has complete control of the system or account. Ultimately, the scammers threaten to send a video to the user’s contact list showing not only what the user watched on the site, but what they were doing while watching it, unless the user pays them some amount of money (anywhere from $200 to $2000 has been requested) in the form of Bitcoin or other digital currency. Some try to scare the user into not sharing the email with anyone, as they claim that they will release the video immediately if this happens, to discourage them from asking their IT department for help or clarification.

The likelihood of the scam working depends heavily on two things: first, whether or not the recipient has a webcam, and second, whether or not the recipient watches pornography online. If the answer is “no” to either qualification, the email is easily dismissed. Unfortunately, with the number of laptops and even desktops that have webcams either built in or attached and the surprising number of people who indulge in viewing pornography online, this crazy-sounding blackmail scheme works, to the tune of millions of dollars. Most of these emails ask for less than $500 in digital currency. Some versions of this scam will include links to a “sample” of the (non-existent) video. Do not follow the links! The downloaded file will infect the computer with malware that will steal credentials and data.

Please continue to report these as phishing emails or simply delete them.

 


Emails claiming your Office 365 account is about to be deleted are fraudulent

Emails claiming “your Office 365 account is about to be deleted” are fraudulent. They immediately ask you to pay your invoice, but the college provides these accounts to you out of the college budget. You are not expected to pay for these accounts. The email looks official and even the sending address looks legitimate, but the links do not go to Microsoft.

Please report these emails using the “Report Email as Phishing” button.

If you have received one of these emails and clicked on any of the links, please contact computing@berry.edu.

“Urgent Action Required” Emails are Fraudulent

Many users are receiving emails with the subject of “Urgent Action Required”. These emails are fraudulent. The content of the email suggests there is a problem with the user’s account and that incoming emails will be “placed on hold”. Various methods are used to convince the user the email is valid. A green banner in the body of the email says “From Microsoft Office365”, and in a large font before the main text it says “Berry Account Service”, which is a term OIT never uses. Oddly, the email address is partially obscured with asterisks, but the first two letters are left exposed.

Some emails are poorly crafted: the button that says “Review Your Recent Activity”, which should be a link, is not one, while the “Berry Account Service” text and the partially obscured email address are.

Please report these emails using the “Report Email as Phishing” button.

Employee Audit/Review Emails are Fraudulent

The end of the year saw a rash of fraudulent emails arrive on campus suggesting that an employee review or audit document was attached to them. The subjects varied from “Employee Audits” to “Employee Review” to “Employee Performance Appraisal”. These are fraudulent, and the attachments are either malware-infected documents or are in reality links to malicious websites. The college will never send an employee review document via email. All such documents are accessed via the EAD Toolbox on VikingWeb.

Please report these emails using the “Report Email as Phishing” button.