Phish Tank - Fresh Phish

Welcome to Oakland University's Phish Tank. This page provides examples of phishing messages. To report possible phishing attempts please visit "Phishing (Phish Tank)" located on the right side of the screen below "Related Services / Offerings". For general phishing information please visit "UTS Phish Tank" located on the right side of the screen below "Related Articles".

Who is Eligible?

Active Faculty, Staff or Students

Phishing Examples:

Spear Phishing \ Impersonating an OU Employee

Email screenshot showing a request for five $100 eBay gift cards, stating reimbursement will be provided. The sender's email is highlighted in red.

  • Phishing Indicators:
    • Although email appears to be from an OU employee it is from a standard Google gmail account
    • Sense of Urgency
    • Unusual financial request

General Phishing

A phishing email mimicking an Oakland University payroll message about tax forms. It includes a suspicious link highlighted within a red box.

  • Phishing Indicators:
    • Although email appears to be from an OU Department it is from a non OU domain hr-adm.net
    • Link points to a non-OU domain

General Phishing

Phishing email alert with highlighted text warning of NetID deactivation and email data loss. Includes a suspicious cancel button and URL.

  • Phishing Indicators:
    • Sense of Urgency
    • Although email appears to be from an OU Department it is from a non OU account hr-adm.net
    • Link and email address point to a non OU Domain

Fresh Phish

08/04/2025: Credential Harvesting Phish via Fake SSO Page

In this phishing attack, the attacker uses a compromised account from another university to send a communicable illness phishing campaign targeting OU students.

A formal letter from Oakland University notifying colleagues of a confirmed communicable illness case, urging portal login for contact checks.

The link in this email leads to a spoofed SSO page that attempts to replicate our legitimate one, but a key giveaway that this is a credential harvesting phish is that hovering over the URL in the email reveals a redirect to a Google Slides presentation.

Gold interlocking 'O' and 'U' logo on a black background. Below is a button labeled 'CLICK HERE TO CONTINUE,' suggesting navigation.

Oakland University login page with fields for NetID and password. Includes 'Continue' button, links for password recovery, and quick links like SAIL and course catalog.

03/04/2025: Updating/Authorizing 2SV

In this phishing scam, the perpetrator is disguising their attack to look like official campus communication. The email is attempting to get users to scan a malicious QR code and provide their phone number to try and gain access to more data through communication with the recipient.

Oakland University announcement on implementing 2-Step Verification (2SV) for email security. Includes a QR code with a red 'X' over it.

11/7/2024: Fake Benefits Statement Form

In this phishing attack, the attacker, using a schoolcraft.edu address, attempts to get the recipient to fill out a form that they believe will give them a statement on their OU benefits. The recipient is taken to the Google Form on the right after clicking on the "View Your Statement" link in the email on the left. The Google Form importantly asks for a time based token from the DUO app.

Oakland University letterhead with a message about total compensation statements for staff and non-staff, emphasizing benefits and access via login. 

Login screen for "Work or School" with fields for email, password, and passcode. Features a welcome message and "Submit" button on Google Forms.

4/30/2024: Credential Harvesting

In this phishing attempt, the attacker tries to solicit usernames and passwords by tricking the target into filling out a Google form.

A deceptive webpage mimicking a Microsoft Account login form. It requests an email address and password, with a warning about not submitting passwords.

04/11/2024: Yearbook

In this phishing attempt, the attacker tries to solicit personal information and money by claiming that they are distributing yearbooks for Oakland University. They charge a registration fee in addition to charging you for the "yearbook'

Online countdown for the Oakland 2023/24 yearbook registration. Deadline in 2 days, 20 hours, 52 minutes, and 27 seconds, set for April 14, 2024. Website header includes 'My-Yearbook.us' and navigation links 'Home,' 'Contact,' and icons.

 

Oakland University 2023/24 Yearbook Registration instructions. Emphasizes using only English or Latin letters, avoiding special characters, and ensuring required fields are marked. Process takes 3-5 minutes to complete. Highlights editing submissions post-registration.

 

Yearbook registration details. Section 2 outlines a registration fee of $6 or $12 for profile inclusion. Section 3 explains how to purchase the 2023/24 yearbook either through the registration form or via a confirmation email. Contact email and links for more information are provided.

10/11/2023: STUDENT EMPLOYMENT OPPORTUNITY

In this phishing attempt, the attacker tries to recruit students for a job. In the email, the attacker created a Google Form to have you fill out personal information. Notice that it appears from a legitimate organization and that the recruiter is in another country and cannot meet you. It also mentions unspecified tasks and purchases you will have to make on their behalf.

Screenshot of a webpage titled "ADJUNCT JOB PLACEMENT, PERSONAL ASSISTANT NEEDED URGENTLY" from International Medical Corps. Text details a job offer.

A computer screen displaying a browser with a scam job offer for a personal assistant position. The email promises $500 weekly for part-time work, highlighting tasks like scheduling and errands. The tone of the message seems suspicious and likely fraudulent.

Screenshot of a job posting for a personal assistant role. Responsibilities include managing emails, phone calls, supplies, and errands. Requirements include experience, communication skills, and proficiency in Microsoft Office. Benefits include AD&D insurance and a 401(k). Application details emphasize accuracy and verification via email.

A Google Form with blue background showing fields for full name, home address, email addresses, and cell phone number. Browser tabs and tools visible.

Google Form Phish 5

7/20/2023: Undelivered message error

In this phishing attempt, the attacker poses as the university and is attempting to have you click on the link inside the email.

Email from Oakland University about undelivered messages pending in the inbox. Includes a 'Retrieve Messages' button and date July 20, 2023.

6/19/2023: Benefits Review

In this phishing attack, the attacker poses as a financial institution that tries to have the victim contact them under the guise of reviewing the benefits. You can verify this type of email's legitimacy by contacting OU's Benefits Department.

Announcement for Oakland University employees offering retirement benefits analysis with a Michigan expert. Blue button labeled 'Book An Appointment.' Key concerns include pension vs. investment, retirement timing, and savings options. Mentions assistance with various accounts.

12/13/2022: Invoice for antivirus software renewal

In these phishing attempts, an attacker is attempting to make you believe you have been charged to renew an antivirus product subscription. The emails attempt to solicit contact by providing a number to call for support and/or to cancel the transaction. The sender email addresses are personal and not affiliated with the company or reputable reseller.

Email scam alert: Fake McAfee invoice for $499.99 from a suspicious email address. Claims payment for antivirus renewal, urging contact via obscured numbers.


An email screenshot showing sender "saxweas" on December 9, 2022, with the subject "Subscription Renewal Plan RECEIPT of Norton security" to undisclosed recipients. The message says "HELLO."

10/31/2022: Document shared with you:

In this phishing attempt, an attacker is attempting to make you believe a legitimate document has been shared with you. If you attempt to access the document it then requests you to disclose you NetID credentials and Duo MFA information in a Google form.

Fresh SharedWithYou1


Impersonation of Microsoft logo with a message prompting DUO factor authentication and to verify account via a suspicious link in red text.


A login screen requires Duo authentication for access. Fields for email and password must be completed, with "Required" noted by an asterisk.

10/03/2022: !mportant

In this phishing attempt, an attacker is attempting to create a sense of urgency regarding a denied PayPal claim. There is a poorly crafted initial message which does not appear to be from a legitimate company. Attached is a semi-official looking PDF document back lacks personalization even though the name field is supposed to be populated.

Forwarded email screenshot with subject "Check your Important mail 9380632" and sender as "Binleyalley4789." Includes a PDF attachment named "OF9MOOH2H7.pdf" sized 36.2 KB.


An email from PayPal addresses a claim filed by a user on October 3, 2022, with transaction details. The claim was denied. Contact info is included.

09/30/2022: VP Requesting Assistance

In this phishing attempt, an attacker is attempting to impersonate an OU VP in an effort to start a dialogue with OU Staff member. If viewed in webmail you can see that Google marked the email as suspicious. Additionally you can see the email is coming from a non-OU account.

Fresh Phish-Quickbooks

08/30/2022: Quickbooks

In this phishing attempt, an attacker is attempting to impersonate multiple companies, Quickbooks and Geek Squad in an effort to get the recipient to click on a link and/or download a file. In this instance the email was received at an OU email address despite the email appearing to be addressed to a Gmail address.

Scam email claiming a Windows subscription renewal with a charge of $969.61 for three years. It asks to view an attachment for invoice details.

08/02/2022: Transfer Big Files

In this phishing attempt, an attacker is impersonating an OU user and attempting to get them click a link \ download a file.

creenshot of an email from "Boyun Kim" with a subject about a file document. The email includes a link to "Click here to review documents" and a note about link expiration on 9/3/2022.

5/31/2022: Silent Librarian: Attempt to steal NetID credentials via cloned SSO page

In this latest iteration of the Silent Librarian phishing attempt, an attacker used a compromised Oakland University email account to send an illegitimate notification to a group of users.

Email notification from Library Services about account expiry. Includes login URL and contact details for assistance, indicating urgency.

Unlike the previous post from 3/14/2022, the link in this email redirects to a cloned SSO page that is identical to our actual SSO page. The only noticeable difference between the two is the incorrect URL. This is a fairly sophisticated phishing attack.

Oakland University login page with fields for NetID and password. Quick links on the right offer access to academic and financial services.

  • Credit to @TeamDreier on Twitter for the screenshot

If you filled out this form, please contact uts@oakland.edu immediately!

  • Phishing Indicators:
    • Sense of urgency
    • Hovering over the link shows this directs to a non OU site
    • Phone number in signature belongs to a different department
    • Cloned OU SSO sign in page with incorrect URL

3/14/2022: Attempt to steal NetID credentials via imitation SSO page

An unsolicited email is received from an external sender, claiming to be the OU Technology Center, that requests the user to follow a link to re-activate an online certificate.

Email screenshot labeled "External," from "Oakland University" with address noreply@emailserver.com. It warns of expired email certificate, urging user action.

The link redirects to a poor imitation of OU's SSO page where the attacker is looking to steal NetID credentials that are entered.

Login page labeled "Oakland University" with fields for NetID and password. The form is hosted on Jotform, indicated in a browser window.

If you filled out this form, please contact uts@oakland.edu immediately!

  • Phishing Indicators:
    • Email appears to be from an OU Account but is from an account outside OU
    • Sense of urgency
    • Hovering over the link shows this directs to a non OU site
    • Imitation OU SSO sign in page
      • Poor imitation
      • Grammatical errors
    • Request for personal information

3/7/2022: CoS impersonation attempt to steal credentials using imitation sign in page

This phishing attack is similar to the campaign we wrote about on 1/27/2022, except this message appears to come from OU's Chief of Staff.

An email screenshot showing a document shared from ameliaeve92@gmail.com titled "(March) Faculty Re-Scheduled Transcript.docx". The sender is indicated as outside the recipient's organization.

The shared (March) Faculty Re-Scheduled Transcript.docx document contains a link to a web page that is an imitation of a Microsoft sign in page.

Phishing attempt mimicking OneDrive branding. The image includes a message: 'Kindly view this secured document I sent to you.. Check now' with a suspicious link.

The attacker wants the user to enter their OU credentials into the web page so that they can steal them.

Login phishing page mimicking Microsoft, with URL "officeteam.weebly.com." Notable MISSPELLING of "password" as "passvord" and simple layout.

If you filled out this form, please contact uts@oakland.edu immediately!

  • Phishing Indicators:
    • Email appears to be from an OU Account but is from a personal Gmail account outside OU
    • Hovering over the link shows this directs to a non OU site
    • Imitation sign in page
      • URL does not match official Microsoft URL
      • Typo
    • Request for personal information

2/14/2022: Tutoring scam attempts to steal bank funds

The phishing attack starts with an unsolicited email requesting a tutor for the sender's child or relative. In this instance, the sender referenced and contacted an actual OU professor in order to make the request seem as legitimate as possible.

Email screenshot titled "Tutoring" from Sean Canfield seeking a private high school economics tutor. It conveys a polite, professional tone.

After some correspondence between the sender and the recipient, the sender attempts to act on their objective.

Email screenshot titled "Mailing Address Needed" from Sean Canfield requesting personal details for a payment. Possible scam with red flags.

  • Phishing Indicators:
    • Emotionally charged
    • Obscure payment method
    • Request for personal information

Should the recipient have went along with the sender's obscure request, a fraudulent check would be sent in which the funds don't exist. So when the money is returned to the relative, it would be removed from the recipient's bank account.

Reference: https://blogs.baylor.edu/phishing/2019/06/04/tutor-over-payment-scam/

01/27/2022: Attempt to steal a user's Email Address and Password using a form

Email notification from Google Docs. Document titled "Faculty Evaluation_.docx" shared by Trish Endorf, who is outside the recipient's organization.

The shared Faculty Evaluation_.docx has a link to a fillable form

A white page with the OneDrive logo at the top left. Text reads: 'You have received a secured document. Click HERE to view shared file.'

The form tricks the user into giving away their Email Address and Password

Login form for a Microsoft school account. Includes email and password fields, with a submit button. Colorful stationery and a coffee cup decorate the top.

If you filled out this form, please contact uts@oakland.edu immediately!

01/19/2022: Users targeted to update personal information in SAIL using a non OU Account

Email screenshot titled 'Action Required!' in bold. The message urges students and staff to update their MySAIL account before a deadline.

  • Phishing Indicators:
    • Email appears to be from an OU Account but is from a personal Gmail account
    • Sense of Urgency
    • Simultaneously to multiple recipients (vs a mailing list or individual notifications)
    • Request for personal information
    • Hovering over the link shows this directs to a non OU site

05/11/2021: Users were targeted with a cryptocurrency scam from a compromised OU account

Fake job opportunity email claiming to offer weekly pay for visiting Bitcoin ATMs. Sender is masked, includes scam warning signs like using personal emails.

  • Phishing Indicators:
    • Email appears to be from an OU Account but is signed by a 3rd party
    • Sense of Urgency
    • Request for personal information

03/22/2021: We received a phishing impersonating an OU account offering a tax refund

An email preview shows a suspicious sender claiming to be "IRS" from an "oakland.edu" address, highlighting potential phishing.


Email scam impersonating IRS claims eligibility for a $1400 tax refund. Includes a fake link to "Claim your refund now." Advises not to reply.

  • Phishing Indicators:
    • Although email appears to be from an OU Accountit is not
    • Sense of Urgency
    • Too Good to be True

11/30/2020: We received a phishing email impersonating the VP of Finance & Administration

Email message titled "Quick Request" from John W. Beaghan, asking for an available text number. Contact details at the bottom.

  • Phishing Indicators:
    • Although email appears to be from an OU Vice President it is using a personal Google Account
    • Sense of Urgency
    • Request for non-standard contact message
    • Grammar and capitalization errors

11/24/2020: We received a phishing email from a staff member claiming that their NetID would become deactivated unless they followed a suspicious link to reset their account.

Screenshot of a phishing email claiming to be from University NETID. It urges the recipient to click a suspicious link to reactivate their ID.

  • Phishing Indicators:
    • Although email appears to be from UTS it is from another Higher-ED institution
    • Sense of Urgency
    • URL is obfuscated and does not point to OU (netid.oakland.edu)

Additional Support

  • OU Technology Center
  • 44 Oakland Center
  • Rochester, MI 48309-4479
  • (248) 370-4357
  • Office Hours: M-F 8:00am - 5:00pm
Print Article

Related Articles (1)

Phish Tank - Explaining Phishing
An explanation of phishing along with a guide on how to protect yourself and what to do if you receive a phishing attempt.

Related Services / Offerings (1)

Phishing (Phish Tank)
Report phishing attempts or report a suspected successful phishing attempt.