Information Technology Services

Phishing Samples

The best way to avoid being a victim of a phishing attack is to know what to look for.
Here are just a few examples of phishing emails seen in circulation at Queen's.

This is not meant to be a definitive list, so don't assume a suspicious-looking email
is safe if you don't see it here.

If you're not sure of a message's authenticity, you can see
Reporting Suspicious or Unwanted Emails for more information.


April 18, 2017

  1. The email has been sent from a non-Queen's email address.
    • This indicates that the sender's account has most likely been compromised.
  2. The email has been sent and copied to a non-Queen's email account.
    • If a message were being sent to an alternate email address, it would also be sent to the Queen's account.
  3. The wrong terminology is used.
    • If this were a valid email, the correct terminology would be used (i.e. NetID).
  4. Hover over the link included in the message to reveal where the link is going.
    • The link leads to an http: site, not an https: site. Queen's would only use an https: URL.
    • The link does not direct to a Queen's page.
  5. The wrong terminology is used again.
    • ITS signs correspondence with the correct name.


April 13, 2017

  1. Hover over the sender's name to see their identity.
  2. We will not include a hidden link for you to click.
    • If a link is included, hover over the link to see where it is really going.
    • IP addresses are DHCP, not static. There is no database of individuals' IP addresses.
  3. Passwords are not changed through Office 365
  4. Signature is incorrect and badly formed.

sample of phishing attempt

March 28, 2017

  1. The From: address is a Queen's email address.
    • This indicates that the sender is within the Queen's network and has had their account compromised and "spoofed."
  2. The hyperlink in the message does not lead to a legitimate Queen's webpage.
  3. This is the threat. Following the link WILL compromise your account.
  4. There is no such position within ITS and this is not how ITS will sign official email correspondence.

sample of phishing attempt

March 27, 2017

  1. The From: address is not a Queen's email address (the sender is from outside the university).
    • The sender has probably had his account "spoofed" or his credentials have been stolen by the phisher. 
  2. The link in the message appears valid, but when you hover over the link, the address does not match the text.
    • This is indicative of a bogus or malicious destination page. 
  3. The note does not contain any useful information, and the grammar and spelling are inaccurate.
  4. This is the threat: following the link WILL compromise your account. 

Note: If Queen's were to introduce two-factor authentication, it would be widely publicized through the channels that ITS already uses to bring awareness to new services. You would be able to verify via the ITS website.

screenshot illustrating phishing attempt

March 16, 2017

  1. A threat that your account will be limited if you do not update your information.
  2. A "tiny URL" that hides its true path.
    • It would take you to a login page that has been designed to look like Apple's login page.
    • Your credentials would be captured, and then you would be punted to the real site to log in. You would probably not realize your account was compromised.

Note:  Always navigate directly to a site; don't follow a link within an email unless you are expecting the link and trust it.

March 16, 2017

  1. Hover over the sender's name to reveal more about them.
    • This email came from within Queen's, probably from a compromised account.
  2. The email was personalized. When access is available through a compromised account there are different ways that hackers can gain access to the email addresses of staff. 
  3. Urges you to use the attached PDF to stop or cancel the order.
    • Never follow a link to a site.
    • In this case, go directly to Amazon and log into your account to verify your order history.

March 15, 2017

This phishing attempt takes you to a page requesting you to log in with your Queen's NetID and password. If you do, then your account is compromised. If you received this message and followed the link, please contact the IT Support Centre immediately.

  1. This phishing attempt came from an individual on campus whose account has been "spoofed". Hover over the sender's name to see their full name, department, etc.
  2. The email was personalized. There are different ways that hackers can gain access to the email addresses of staff.
  3. Choosing to tell you that a high-ranking official for the University has sent a message is a good lure. When you hover over the link you see it goes to a blog site. An unsuspecting person could be tempted to follow the link.
    • Following this link would take you to a login page that requests your NetID and password. Once provided, you would have access to the message.
    • Unfortunately, you have given up your NetID and password to read the message.
    • Your account has been compromised. Change your password immediately and contact the IT Support Centre.
  4. The note that the message will expire soon lends urgency to the email.

March 14, 2017

  1. From a non-Queen's address.
  2. The From:, To: and Date: fields would be part of the email.
  3. Just because someone tells you it is 100% authentic doesn't mean it is!
  4. ITS would not ask you to "validate" your email account; we would not shut down your account permanently; and we wouldn't give you 8 hours to comply. If you are not sure what ITS would do, contact the IT Support Centre.
  5. Any important emails are signed.  You would be able to verify where they came from.

February 6, 2017

  1. Not from a Queen's email address
  2. Wrong name in banner
  3. Queen's does not use case ID numbers
  4. The server name is incorrect
  5. Hover over the Here link and you see it is not from Queen's
  6. The threat is implied that you will lose email or your calendar will not work.

screen shot of phishing attempt


January 27, 2017

It is very easy to be fooled by this phishing sample. Whenever in doubt, contact the ITSC to verify if an email is valid or not. We have highlighted the parts of the email that caught our attention.

  1. The picture leads us to believe the email is from a valid person. Unfortunately, this time it is from a compromised account. The fact that the email address is from Queen's doesn't make it valid.
  2. When you hover over the To address, you see the real address. In this case the From and the To have the same email address.
  3. The message contains an urgency to update your account.
  4. The URL that is provided in the email is not the real URL. Hover over the URL and you will see where it is really going.
  5. The signature block contains very generic information, not a real name or position or department.

screenshot illustrating phishing sample

January 23, 2017

  • The From address is not a valid Queen's account.
  • The threat is there that your account will be deleted.
  • The link to follow is not a valid Queen's link.

screen shot of phishing attempt