These are examples of recent phishing emails that the Office of Information Security and Privacy has seen targeting the campus.
Date: 8/22/2025
Subject: Re: North building project Q4 2025

Comments:
- External Tag
- Sender address is from a different school, not Towson
- Link leads to a phishing page to steal login credentials
- Never click attachments or links from unknown senders
Date: 8/17/2025
Subject: URGENT ACTION REQUIRED
Phishing Reverse Proxy Page

Fake Duo Code Page

Comments:
- External Tag
- Unrecognized Sender Policy Tip
- Sender Address is not Towson
- URL is not Microsoft or Towson
- Link leads to a phishing page that hosts a reverse proxy, which passes your login credentials to Microsoft and triggers a Duo authentication prompt. The login page then changes to ask for your Duo code. If you enter your Duo code, you have given up your MFA code and the attacker will have access to your account
- Never click attachments or links from unknown senders
Date: 7/22/2025
Subject: HR Assessment Report

Comments:
- External Tag
- Sender Address is not Towson
- Attachment leads to a phishing page to steal your login credentials
- Never click attachments or links from unknown senders
Date: 6/16/2025
Subject: Invitation to Bid - <RANDOM ORG NAME> - RFI-32-7613-125.pdf (Preview)
When you click the link, you go to a WordPress page. Notice the URL.
If you click download selected items, you get another enticing popup to enter your email address.

If you enter your email address, you then get a spoofed Microsoft login page. Once again, notice the URL.

Comments:
- External Tag
- Sender address is from a legitimate organization whose sender account has been compromised
- This could very well look identical to how the bidding process works for projects
- URLs in all the webpages are very suspicious
- Always check URLs when clicking links in emails, even if the email is from someone you may have been doing business with.
Date: 6/8/2025
Subject: STUDENT INTERNSHIP OFFER, STUDENT RESEARCH POSITION, RA OFFER, RA POSITION
Comments:
- External Tag, Infrequent sender Policy tip
- Sender address is from another university or a random Gmail address but wants you to email some other domain
- Offer is too good to be true
- Malicious actor sends you a fake check by email and wants you to print it out and mobile deposit it
Check out the "Fake Check Scam" on the FTC website
https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types
Date: 5/8/2025
Subject: (TOWSON) :Required Verification Of 2Factor Authentication For All Recipients

Comments:
- External Tag is on
- Sender Address is not Towson
- QR Code goes to a phishing page to steal your login credentials
- TU will never use a QR code for official communication
Date: 4/17/2025
Subject: Missed Call Notification 28135729ce0c59a2 Duration-00:02:78

Comments:
- External Tag
- External Sender
- "Towson LLC"
- Never click attachments or links from unknown senders
Date: 3/25/2025
Subject: Receipt Confirmation - Thank you!

Comments:
- External Tag
- External Sender
- Message directs user to click attachment, which directs user to click a link
- Never click attachments or links from unknown senders
Date: 11/25/2024
Subject: Various Subjects - towson
edu.towson
Microsoftoffice365

Comments:
- Sender is Gmail Address
- No body in the emails, only the external tag and the Exchange policy tip that you don't often get email from this person
- Attachment

- Tells you to click a link to a WordPress site.

Date: 11/1/2024
Subject: Various Subjects all relating to docusign
***Test Document***Thank you for your order
Complete with Docusign: Thank You for Your Subscription Payment
Complete with Docusign: Order Reference 764803 : Payment Successfully Processed
Excellent work! Your subscription has been successfully renewed!: Invoice # 857805854.pdf


Comments:
- DocuSign is being leveraged to carry out this attack
- The text in the DocuSign email is trying to get you to call a phone number
- The "To" address is usually something odd
Date: 9/2/2024
Subject: New Financial Support Program

Comments:
- External Tag, Unusual sender policy tip
- Not a TU sender
- Hyperlink goes to an external URL

Date: 9/23/2024
Subject: Advanced Leadership Membership Membership Payment [PastDue]





Comments:
- This is one continuous email; the attacker made it up to look like a chain of emails to trick you
- It tries to build your confidence that this is legitimate. The attached invoice could either be malware or trick you into entering your credentials
- Check with the user in the email thread to make sure it is legitimate, and check the sender address for validity of the domain
- Check for spelling, punctuation and grammatical errors
Date: 12/1/2024
Subject: Two-factor authentication registration

Comments:
- Sender address is similar to Microsoft but isn't
- Requests that the user scan a QR code for security, which we do not do
- Mouse over link, leads to a third-party website (not Microsoft)
Date: 8/27/2024
Subject: BANKMBOILE DISBURSEMENT- Your $9,436.00 from Towson University

Comments:
- Towson University will not contact you via Gmail addresses
- The subject has spelling mistakes
- Policy tip says you don't often get email from that address
- Most likely was in the junk folder
- Mouse over link was to a Google form that was poorly formatted
Attachment: Towson University Finainace
Malicious Form

Date: 7/11/2024
Subject: Critical Update: Health Exposure Incident Reported - Action Required

Comments:
- External Tag is on but it says it's from the University
- Policy tip that says you don't often receive email from the sender, which is another .edu
- Scare tactics to get you to click
- External link is to a law firm. Always check the URL!
Date: 5/27/2024
Multiple Subjects impersonating BankMobile
Subject: Vibe Account; BMTX Services, BMTX Disbursements, BMTX Inc; Select Refund Option, Vibe Account; BankMobile Services, Refunds from BMTX

Comments:
- EXTERNAL TAG IS ON, UNUSUAL SENDER TAG IS ON
- Scam impersonating BankMobile. Attached document has an external link to a fake BankMobile form that asks for login information
PLEASE LOOK AT THE SENDER ADDRESS: they are all random GMAIL ADDRESSES
Date: 4/26/2024
Subject: HR and Employment Relations Information Session
Comments:
- External Tag, Infrequent sender Policy tip
- Sender address is from another university but wants you to email some other domain
- Offer is too good to be true
Check out the "Fake Check Scam" on the FTC website
https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types
Date: 4/25/2024
Multiple Subjects:
Subject: S.R.A Remote
Subject: REMOTE JOB PLACEMENT
Subject: Notice for Towson students

Comments:
- Please look at policy tips - this one said "You don't often get email from <senderaddress>"
- External Tag is on
- Always be suspicious when emails persuade you to move the conversation to text message
- The job offer tries to get you to deposit money, then send money to the attacker using Zelle, Venmo, etc.
Date: 3/24/2024
Subject: Dr. Mark R. Ginsberg shared a document with you

Comments:
- Fake sharing document from the President
- Sender is external
- External Tag is on
Date: 3/22/2024
Multiple subjects like the ones below
Subject: Document form HP LaserJet ProScanner
Subject: Towson Signature Required"Cyrus Cronin" <Cyrus_Cronin4@hagenes-zulauf.com> - 3/25/2024
Subject: Scanned image from MX-M565N
Comments:
- External Tag
- Attachment is a document that tells you to click on a malicious link
- Sender is also external
Date: 2/12/2024
Multiple Subjects and varieties like below
Subject: Notice of Portal Termination
Subject: Notice of Termination
Subject: Opportunity for All
Subject: Job Opening for All
Subject: Work at your convenience

Comments:
- Compromised TU student sending the messages
- Link goes to a Google form that is asking for email addresses, phone numbers, Words of Identification? (Passwords)
- You will then receive a text message if a phone number is submitted
Date: 2/13/2024
Multiple Subjects and varieties like below
Subject: FTP Billing and Financial Aid Update 2/13/2014
Subject: Financial Aid Update
Comments:
- Compromised student sending the email
- Attachment tells you to email an address and wait for more instructions
Date: 2/12/2024
Subject: You have got an urgent message from Towson University

Comments:
- External Tag
- Generic greeting
- Attacker trying to move conversation off of TU resources
Date: 2/9/2024
Subject: TOWSON administrator has started the procedure.
Comments:
- Compromised student account sending email so no external tag
- Link was to an external site
Date: 2/6/2024
Subject: W: TOWNSON UNIVERSITY NEWSLETTER!!!
Comments:
- External Tag
- Subject has Towson spelled wrong
- Attachment has a link that is broken
Date: 2/6/2024
Subject: Introducing the 2024 Assistance Program: Secure Financial Support for Families and Employees

Comments:
- External Tag
- External Sender
- External Link brings up a fake login page and tells you to check for MFA prompts


Date: 2/3/2024
Subject: Updated Pay Dates
Comments:
- Very Good Phish
- External Tag, Sender is from a different domain
- Link is to an external site that is a cloned Towson Page
- Asks for Duo Codes
Date: 1/29/2024
Subject: Payroll schedule 2024!
Comments:
- External Tag, External Sender
- Link has non-standard characters
- Link goes to a non-TU URL, which impersonates our login page and then a fake Duo MFA page
- Eventually you end up with a fake payroll calendar from 2022
Date: 1/11/2024
Subject: SCHOOL UPDATE
Comments:
- External Tag, external sender
- Offer too good to be true
- Link is to a form that requests personal information, see example below

Date: 1/07/2024
Subject: Total compensation statements for towson Staffs/Non-Staffs
Comments:
- External Tag
- Sender Address is from another .edu
- Link is to a Google form
- Grammar and punctuation are incorrect
Date: 1/3/2024
Subject: MESSAGE FROM ADINM

Comments:
- Sender address is a Towson student's, so why would an official email asking you to change something come from that address?
- No external tag because of student address
- Grammar and spelling are bad
Date: 12/14/2023
Subject: Today@TU - 12/14/2023 | Release Messages
Comments:
- This was a good one
- External Tag is on
- Sender address is random characters @ another .edu
- Link goes to a non-TU URL, which then impersonates our login page
If credentials are entered, a Duo page will appear

Date: 12/11/2023 --Multiple Emails same tactics
Subject: YETI_30 OZ TRAVEL MUG Confirmation
Subject: Re: 2nd attempt for <Username>

Subject: Important for <Username>, congrats You Are Our <Month> Winner
Subject: Dicks Sporting Goods Surprise: You Are Our Today's Winner , You've been selected!

Comments:
- External Tag
- Sending address is suspicious: random characters @ randomcharacters.onmicrosoft.com, for example YETI-Surprise <info_cIrOIHKUREp@xv917y1.onmicrosoft.com>
- Embedded link in the image goes to a suspicious randomcharacters.blob.core.windows.net/randomcharacters address, for example https://sgqfdghqsfdtyzrt[.]blob[.]core[.]windows[.]net/sgqfdghqsfdtyzrt/url[.]html
- Random email giving away free items?
- We have seen this done with other giveaways, but the tactics are the same: a random onmicrosoft.com sending address, a random blob.core.windows.net URL, and some sort of congratulations on winning something
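The recurring pattern in this entry (random onmicrosoft.com sender, random blob.core.windows.net link) can be checked mechanically. The following is an added example, not part of the original page or any TU tooling; the TRUSTED domain list and the flag names are assumptions, and the sample message is constructed from the sender and URL quoted above.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: which domains count as "Towson or Microsoft" is a local policy choice.
TRUSTED = ("towson.edu", "microsoft.com", "microsoftonline.com")
# Shared-hosting suffixes the entry above names as recurring in these giveaways.
SENDER_SUFFIX = "onmicrosoft.com"
LINK_SUFFIX = "blob.core.windows.net"

def refang(text):
    """Undo the [.] defanging used when indicators are written up."""
    return text.replace("[.]", ".")

def under(host, suffix):
    """True if host is the suffix itself or a subdomain of it (not a lookalike)."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def triage(from_header, body):
    """Return the red flags (in the spirit of the comments above) for one message."""
    flags = []
    _, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2]
    if under(sender_host, SENDER_SUFFIX):
        flags.append("sender:onmicrosoft-tenant")
    elif not under(sender_host, "towson.edu"):
        flags.append("sender:external")
    for url in re.findall(r"https?://[^\s\"'<>]+", refang(body)):
        host = urlsplit(url).hostname or ""
        if under(host, LINK_SUFFIX):
            flags.append("link:blob-storage:" + host)
        elif not any(under(host, t) for t in TRUSTED):
            flags.append("link:untrusted:" + host)
    return flags

# Constructed sample built from the sender and URL quoted in the entry above.
SAMPLE_FROM = "YETI-Surprise <info_cIrOIHKUREp@xv917y1.onmicrosoft.com>"
SAMPLE_BODY = ("Congrats! You are our winner: "
               "https://sgqfdghqsfdtyzrt[.]blob[.]core[.]windows[.]net/sgqfdghqsfdtyzrt/url[.]html")

if __name__ == "__main__":
    for flag in triage(SAMPLE_FROM, SAMPLE_BODY):
        print(flag)
```

The suffix match is anchored on a dot, so a lookalike host such as towson.edu.example.net is still reported as untrusted.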
Date: 11/6/2023
Subject: The Care Employment Opportunity
If you open the attachment
Comments:
- Not from official TU Job boards
- Offer is too good to be true
- Body of the email tells you to move the communications to a personal email platform
Date: 10/19/2023
Subject: Banks, Sean shared "Faculty Application for Employment " with you

Comments:
- Sender shared the file, but the description has a different name.
- Link is not to TU SharePoint
Date: 10/19/2023
Subject: Document for Dr. Melanie Perreault

Comments:
- External Tag
- Google Sharing
- Sender and description have a different name
- Sender is not from Towson
Date: 10/13/2023
Subject: PASSWORD RESET REMINDER

Comments:
Date: 9/20/2023
Subject: Attention: Re-authenticate 2 Factor Authentication (2Fa) for <USERNAME> on Friday-September-2023 11:28 AM

Comments:
- OTS will not ask you to scan QR codes in emails
- External Tag is at the bottom
- Sender address is not Towson
Date: 9/19/2023
Subject: About Piano

Comments:
- Offer is too good to be true
- There are various different versions of this email
Date: 9/6/2023
Subject: I Recorded You

Comments:
- Very common scam email, attackers send this to thousands and try to get one or two to send money
- The request is absurd
- Bitcoin is used all the time during scams
- If you think your account is compromised, please reach out to phishing@Towson.edu
Date: 9/2/2023
Subject: Administrative Assistant/Project Coordinator

Comments:
- Offer is too good to be true
- Reply email is not associated with the University
- If you reply, the attackers will try to move to another means of communication, like SMS or personal email
Date: 8/17/2023
Subject: Kindly provide your cell number that i can reach you at
OR
Subject: Available, Cell Phone Number?

Comments:
- Email address does not match name of sender
- External Tag
- The main hook is to get this conversation to another means of communication where security controls do not exist

- End game is for the user to go and buy gift cards and send the numbers to the malicious actor
- Grammar in the text message is poor
Date: 8/17/2023
Subject: Required | Towson Multi-Factor Auth

Comments:
- This is a pretty good one, there is no external tag
- If you actually did scan the QR code, there were multiple redirects that ultimately ended on a malicious credential capture page
- TU does not use Microsoft MFA
Date: 7/24/2023
Subject: Gary Spencer shared "ATHLETICS INFORMATION REPORT SUMMARY" with you.

Comments:
- Subject sharing name is different from the body of the email. Urgency in the body of the email
- Punctuation in body of email
- URL when you mouse over the link.
Date: 7/24/2023
Subject: Retirement Planning Sessions for the University System of Maryland Employees

Comments:
- External Tag
- From Address