Example 235: Expiration Notice

Phishing targeted at Canvas users

This phishing scam was sent to a short list of UMN individuals with the subject “Expiration Notice”. 

A screenshot of the original message is included below with personal information removed. 

Indicators of Phishing

Embedded Link

The first thing to cause suspicion is the embedded link in the message. When you hover (remember to hover, not click!), you would see the embedded URL is strange -- users[.]urgent[.]be.

Disguised URL

The second thing to cause suspicion is the page where this URL redirects. It is a very believable looking UMN login page, but the URL looks quite strange indeed!

URL of Fake Login page: http://canvas[.]umn[.]vnre[.]me

The attackers here tried to be clever by including “canvas.umn” in the URL of the phishing page. However, we UMN users are wise enough to know that our actual login pages are at ‘login.umn.edu’!

No Security Certificate

The final thing to create suspicion is the lack of a valid security certificate on the login page, leading to the password field displaying a warning when you click on it. All legitimate UMN login pages will have a valid security certificate, but remember a security certificate does not automatically mean authentic! 

What To Do Next

If you filled in this form, change your password immediately!

Before logging in to a link you clicked from an email:

  • Check the URL for authenticity
  • Check the security certificate (click the lock icon in the URL bar) and check the certificate authority to see if it matches what your organization uses

Or, better yet, avoid logging in to pages linked in emails! If the message is legitimate, you can navigate to the resource that requires login from other, well-known means (like from MyU in the case of UMN Canvas).

Stay safe, stay healthy, and if it sounds too good to be true, it probably is!

Original Email

A screenshot of the phishing email message for Canvas