Do you suspect you've received a phishing email? Faculty, staff, and students can visit the Flyer Phish Bowl at any time to cross-check questionable emails and stay up to date and identify the latest scams to hit our UD community and see recent phishing incidents impacting our University.
Phishing scams are designed to trick you into revealing sensitive information like your UD credentials (username and password) or personal details. These emails attempt to impersonate legitimate sources to gain your trust.
Below are examples of phishing incidents reported by the UD community. Each incident highlights key items that can help you identify and avoid these scams in the future. By carefully examining these examples, you can learn to spot suspicious emails and protect yourself from falling victim to phishing attacks.
July 2025 - Action Required Now & Approved Job Vacancy Scams
The following are separate, but likely related, malicious phishing attempts targeting students across campus. Scams like these can put your UD account, personal information, and finances at risk, so knowing what to look for is important.
The first scam, a Google Doc share notification with a .docx attachment, directs recipients to a Google Form link. UDit was able to disrupt this attempt relatively quickly, so the bad guys pivoted to a second scam titled “UNIVERSITY OF DAYTON ACTION REQUIRED NOW," directing recipients to a cloud service. Both of these scams aim to take control of your UD account. Once compromised, the scammers use your account to distribute the third scam, a fake job offer titled "Approved Job Vacancy For Personal Assistant.”
This scam appears more legitimate because now it’s coming from a real UD account. Its primary goal is to trick you into sharing your bank account details or depositing bad checks, then sending some of the money back to the scammer. This tactic can lead to serious consequences. You could not only lose your own money, but also be held financially responsible for the full amount of the fraudulent check, and even face potential criminal charges for participating in what appears to be check fraud.
First Scam
Subject: Google Doc Share Request
This phishing email falsely claims urgent IT maintenance and comes in a familiar Google Doc Share Request format with an attachment directing you to access a link to a real Google Form requesting your:
- Personal contact information (Full Name and Phone Number)
- University credentials (Username and Password)
- Answers to your security questions
Second Scam
Subject: “UNIVERSITY OF DAYTON ACTION REQUIRED NOW"
This phishing email falsely claims that urgent IT maintenance requires you to verify your UD account to avoid deactivation, and directs you to a real Google form requesting your:
- Personal contact information (Full Name and Phone Number)
- University credentials (Username and Password)
- Answers to your security questions
WARNING: Once they have all of this, they can use your own phone number to trick you into approving a Duo login or sharing a 2FA passcode, giving them full access to your account.
Third Scam
Subject: "Approved Job Vacancy For Personal Assistant"
That dream “job offer” with easy work and great pay? It’s a trap. Scammers try to reel you in with promises that sound amazing, but...this “job offer” scam leads to nothing but trouble. How can you tell?
- Vague job duties
- A promise of $650 weekly for minimal work
- A link to a form asking for your personal contact information and your banking information. That one is a major red flag and not how job onboarding works.
WARNING: This scam is designed to steal your identity and your money. Do not provide any information or click any links.
May 2025 - Two scams that end badly
Scams like these can put your UD account, personal information, and finances at risk, so knowing what to look for is important.
The first scam, titled “ACCOUNT VERIFICATION ACT NOW," aims to take control of your UD account. Once compromised, the scammers use your account to distribute the second scam, a fake job offer titled "SEEKING ADMINISTRATIVE PERSONAL ASSISTANT.”
First Scam
Subject: “ACCOUNT VERIFICATION ACT NOW"
This phishing email falsely claims that urgent IT maintenance requires you to verify your UD account to avoid deactivation and directs you to a real Google form requesting your:
- Personal contact information (Full Name and Phone Number)
- University credentials (Username and Password)
- Answers to your security questions
WARNING: Once they have all of this information, they can use your own phone number to trick you into approving a Duo login or sharing a 2FA passcode, giving them full access to your account.
Second Scam
Subject: “SEEKING ADMINISTRATIVE PERSONAL ASSISTANT"
That dream “job offer” with easy work and great pay? It’s a trap. Scammers try to reel you in with promises that sound amazing, but...this “job offer” scam leads to nothing but trouble. How can you tell?
- Vague job duties
- A promise of $700 weekly for minimal work
- A link to a form asking for your personal contact information and banking information. That one is a major red flag and not at all how job onboarding works.
WARNING: This scam is designed to steal your identity and your money. Do not provide any information or click any links.
May 2025 - Fake HR Report
This recent phishing attack recycles familiar tactics, aiming to lure recipients into clicking a malicious link disguised as a fake HR report. While the red flags are relatively easy to spot, the attacker is likely counting on curiosity or inattention to achieve success. To protect yourself, always hover over links to verify their destination before clicking, and stay cybermindful!
2024 Incidents
August 2024 Fake job phishing campaign
The start of a new academic year unfortunately brings about the start of new phishing campaigns. In addition to the illegitimate domains such as arc-careers.com, ymcacareer.org, and careers-hearttoheart.org, scammers are now using career-directrelief.org as phish bait:
To protect you from this scam, UD blocks all email to career-directrelief.org and quarantines all email containing the career-directrelief.org domain name.
If you receive a suspicious email use UD Gmail's Phish Alert button (the fish hook icon) and report it to UDit Security.
June 2024 Phish Scam
On June 25th, 2024, a student reported receiving a phishing attack disguised as a student loan forgiveness offer. The fraudulent message was designed to elicit a response and collect personal information to further exploit the target. The attacker included personal identifiable information that seemed legitimate. Review the red flags displayed below to help protect yourself from similar scams. If you receive a suspicious email use UD Gmail's Phish Alert button (the fish hook icon) and report it to UDit Security.
April 2024 Vishing (voice phishing) Scam
During this attack, a student received multiple threatening phone calls from phone numbers that appeared to be legitimate UD numbers (937-229-****), where the callers claimed to be officials from the university and threatened to take legal action and even call the police to take the student to jail.
This is a VISHING (voice phishing) SCAM. Scammers can make any number appear on your caller ID. These calls are just one more way a cybercriminal tries to steal your personal information and money.
Do not engage with these callers. Here's what to do if you receive a suspicious call:
- Maintain composure and end the call immediately.
- Do not share personal information, including passwords, social security numbers, or financial details.
- Gather details about the call, such as the phone number and any specific threats made.
- Once you hang up, contact the university using the phone numbers listed on the UD website, not the information displayed on your caller ID.
- Report the scam to the IT Service Center: (937-229-3888 or itservicecenter@udayton.edu).
Remember: UD will NEVER ask for your password or two-factor code. Calls like these are always scams.
For more information on vishing scams, check out the cisecurity.org article: Vishing and Smishing: What You Need to Know.
February 2024 Phish Scam
During this February 7th phishing attack, several students gave up their Duo codes. This enabled the attacker to log into their accounts and send multiple emails throughout campus - allegedly from the Office of the Registrar, IT Service Center, and Udayton Employee Self-Service. The attacker employed a wide range of tactics and common tricks to get a user to take action so they could steal their information, i.e. urgency and threats of account deactivation and attachments and links to an external Google Form tricking a user into providing their personal information and furthering the attack.
January 2024 Phish Scam
This basic internship scam attempted to trick the recipients into opening a malicious attachment. Note the red flags below to help spot other similar scams in the future.
2023 Incidents
November 2023 Phish Scam
A successful phishing attack on November 21st posed as an urgent IT notice requesting email account closure. This attack was set to trick recipients into entering their passwords and Duo two-factor codes into a web form, allowing the attacker to compromise their UD account and spread the phish internally. The University of Dayton and UDit will NEVER ask for your password or Duo code. Take note of the red flags to better prepare yourself for potential future attacks.
September 2023 Phish Scam
On September 14th one of our campus users fell victim to a sophisticated phishing attempt. The user received an email with an encrypted attachment from “Payroll Department" - outside the University of Dayton:
The user then opened the attachment (a PDF redirecting to a Google form) purportedly from the university, requesting sensitive user information:
Similar to the phishing attack this summer, one of our members provided their personal information into the Google Form, unknowingly providing access to their UD account, which resulted in a new and separate phishing campaign targeting students, sent directly from the victim’s UD email account:
Avoid this and future Phishing Scams:
Protect your Password: UDit will NEVER ask for your password or DUO code via email or form. If you receive an unsolicited email or text asking for such information, it's a scam.
Be Skeptical of Urgent Requests: Scammers often create a sense of urgency to pressure you into making hasty decisions. If you receive a message demanding immediate action or threatening consequences, take a step back and verify its authenticity.
Verify the Sender: Check the sender's email address closely. Cybercriminals often use consumer Gmail accounts (ending with @gmail.com) or official-sounding email addresses but with slight variations or misspellings. Do not be fooled by descriptive names like udcio@gmail.com, “Help Desk,” or “udayton” anywhere besides the “@udayton.edu”
Beware of attachments: The body of the message should contain context and a signature block. Cyber attackers often share a message's body or text as an attachment to get it past our spam filters. If you open an attachment asking for your username or password information or receive a warning within Microsoft Office, stop and report it to UDit.
Report Suspicious Activity: If you received either of the emails above AND entered your data, contact the IT Service Center immediately (937-229-3888, itservicecenter@udayton.edu), and we will work with you to change your password and secure your account.
If you received a suspicious email other than those we shared here, please share that email with the IT Service center (937-229-3888, itservicecenter@udayton.edu), and we will take measures to stop its delivery.
August 2023 Phish Scam
This August 8th phish scam attempted to trick the recipient into replying to further a social engineering ploy around fake Covid relief money. The vigilant recipient did not bite. Notice the red flags below and utilize this resource for tips on spotting and avoiding similar scams in the future:
7 Ways to Avoid Employee Retention Credit Scams
July 2023 Compromised Google Account
This July 24th attack email went to a student’s personal account with the goal of compromising his UD account. He clicked the link and ended up giving them enough Personally Identifiable Information (PII) via the web form below to be able to answer password reset challenge questions. The bad guy got the help desk to reset his password, but not to reset his DUO device.
When the user clicked on the Click to apply link this page appears and is attempting to harvest PII (it's displayed in two columns due to the length of the page):
July 2023 Compromised Google Account
This July 18th attack used a compromised Google account by the bad guys trying to collect usernames and passwords. Note the red flags to help spot future attacks like this one:
June 2023 Fake Job Offer - Check Fraud Scam
This June 16th phish is attempting to get recipients to hit their malicious web site and / or submit personal information via a resume. Those who bit on this phish were then sent a check and asked to spend what they needed and return the rest electronically before the check bounced. The attacker would get money "back" while the victim was on the hook for funds that didn't exist. This was sent from an internal account which had been compromised earlier to make it seem more official and get past external flagging. Note the red flags which indicate it's an attack:
June 2023 Credential Harvesting Scam Attack
This scam attack happened between 6/8/23 and 6/14/23 and attempted to get users to go to a fake site with UD branding and enter in their credentials to compromise their accounts. Notice the red flags called out in the screenshot of the email:
Malicious Credential Harvesting
This is a malicious credential harvesting site. The red flags are called out here as well:
May 2023 Malicious Document Attack
This phish attack occurred 5/19/23 sent to multiple users in an attempt to get them to download a malicious document to infect their systems. Note the red flags below indicating why it's suspicious:
April 2023 Fraudulent HR Tax Document Scam
This phishing attempt happened 4/24/23 and attempted to trick the recipient into going to a malicious site to compromise their system under the guise of fixing "tax forms" sent from "HR". Note the red flags below:
