Welcome to the Phish Bowl

About phishing

Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information. This is usually done by including a link that will appear to take you to the company’s website to fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the scam.

The term ‘phishing’ is a spin on the word fishing, because criminals are dangling a fake ‘lure’ (the email that looks legitimate, as well as a website that looks legitimate) hoping users will ‘bite’ by providing the information the criminals have requested – such as credit card numbers, account numbers, passwords, usernames, and more.

How do I spot a phishing email?

  • The email doesn’t specify your name.

"Dear Customer" or “Dear” isn’t an identifier. If you receive an email like this, there is a very high chance that this is a phishing email.

  • The email asks you to confirm personal information.

Keep an eye out for emails requesting you to confirm personal information that you normally do not disclose.

3 signs you are possibly being scammed:

1. You are being pressured to act immediately. Scammers may pose as a person or an organization you know and say there is a problem that needs immediate attention. DO NOT act unless you have verified that the person who has contacted you is legitimate.

2. You're asked to provide personal information and/or verification codes. When in doubt, DO NOT disclose this type of information. Most organizations will not ask for this information when conducting business with you.

3. You're asked to pay or submit payment in an unusual way. Be wary if you are asked to pay by gift cards, payment apps, or digital currency.

These are the latest campaigns seen by the Information Security Office. If you receive any other kinds of scamming or phishing messages, please forward the message to phishing@rice.edu.

2026/03/16 - 13:45:38 (UTC -05:00)

SJSU Financial Aid balance Reason: Owes Balance UVA Financial Aid balance

This phishing email was sent from compromised accounts and attempts to trick users into entering their credentials through a fake Rice University portal hosted on a fake domain.

From: <ad96@rice[.]edu ak233@rice[.]edu>
2026/03/16 - 13:45:38 (UTC -05:00)
Subject: SJSU Financial Aid balance Reason: Owes Balance UVA Financial Aid balance
To: undisclosed-recipients

2026/03/15 - 12:14:57 (UTC -05:00)

[Not Virus Scanned] Rice University Payroll Notice: 16.89% Salary Increase

The email includes an attachment with instructions for bypassing Duo requests, as well as a form requesting credentials.

From: <wwsy.wang@mail[.]utoronto[.]ca>
2026/03/15 - 12:14:57 (UTC -05:00)
Subject: [Not Virus Scanned] Rice University Payroll Notice: 16.89% Salary Increase
To: undisclosed-recipients

Sat Mar 14 2026 11:45:20 GMT-0500 (Central Daylight Time)

Reason: Owes Balance Rice Financial Aid balance

This phishing email was sent from a compromised account and attempts to trick users into entering their credentials through a fake Rice University portal hosted on a fake domain.

From: <ahp@rice[.]edu>
Sat Mar 14 2026 11:45:20 GMT-0500 (Central Daylight Time)
Subject: Reason: Owes Balance Rice Financial Aid balance
To: undisclosed-recipients

Thu, 19 Feb 2026 13:58:39 PM

HIRING APPROVED JOB OFFER

The email was a fake job page sent out to Rice email addresses.

From: <sinskids@thai1.onmicrosoft[.]com>
Thu, 19 Feb 2026 13:58:39 PM
Subject: HIRING APPROVED JOB OFFER
To: undisclosed-recipients

2026/02/24 - 17:34:28 (UTC -06:00)

RICE RA POSITION

This is a job scam where the attacker pretends to be a member of Rice University.

From: <mukul@bmionline[.]in developer@scriptrix[.]net crm@bmionline[.]in softworld108@gmail[.]com kumarachyutha@gmail[.]com welcome@posplus[.]net info@bdayfy[.]com>
2026/02/24 - 17:34:28 (UTC -06:00)
Subject: RICE RA POSITION
To: undisclosed-recipients

Thu Feb 19 2026 21:42:00 GMT-0600 (Central Standard Time)

IMPORTANT TAX RETURN DOCUMENT AVAILABLE

This is a brand impersonation phishing attack that uses the urgency of tax season and a fake "statement" link hosted on an external cloud service to steal your login credentials.

From: <no-reply@paperlessemployee[.]com>
Thu Feb 19 2026 21:42:00 GMT-0600 (Central Standard Time)
Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE
To: undisclosed-recipients

2026/02/16 - 19:06:58 (UTC -06:00)

A Gift For You ( 840 213 9050 )

A fake “free gift” scam asking for shipping fees via irreversible payment methods to steal money and personal information.

From: <ec160@rice[.]edu>
2026/02/16 - 19:06:58 (UTC -06:00)
Subject: A Gift For You ( 840 213 9050 )
To: undisclosed-recipients

2026/02/16 - 12:31:15 (UTC -06:00)

Review of Individual Performance Summary Report

The email pretends to be an official school message and uses a Google Forms link to steal information.

From: <abarani@olhca[.]org>
2026/02/16 - 12:31:15 (UTC -06:00)
Subject: Review of Individual Performance Summary Report
To: undisclosed-recipients

02/09/2026-02/11/2026

Important :Staff Performance File Available for Review Staff Performance File Available for Review

A Google Form asking for credentials in exchange for access to a staff performance review.

From: <vickie.bonner@austinisd[.]org>
02/09/2026-02/11/2026
Subject: Important :Staff Performance File Available for Review Staff Performance File Available for Review
To: undisclosed-recipients

46064

Musical Instruments Available – Contact: +1 731 443 0304 Musical Instruments Available – Contact: +1 612 583 6670 Musical Instruments Available – Contact: +1 434 398 5770 Musical Instruments Availabl​e – Contact: +1 612 583 6670 -- Musical Instruments Available – Contact: +1 612 583 6670

The attacker claimed to send free musical instruments and asked recipients to contact a phone number provided in the subject line.

From: <gc56@rice[.]edu>
46064
Subject: Musical Instruments Available – Contact: +1 731 443 0304 Musical Instruments Available – Contact: +1 612 583 6670 Musical Instruments Available – Contact: +1 434 398 5770 Musical Instruments Availabl​e – Contact: +1 612 583 6670 -- Musical Instruments Available – Contact: +1 612 583 6670
To: undisclosed-recipients

46055

FLEXIBLE PART TIME JOB OPPORTUNITY

This email is a job recruitment scam that uses a high weekly stipend and "flexible" remote work to lure victims into providing personal data. It is clearly fraudulent due to the mismatching institutions (claiming both Rice University and a school district) and the use of a personal Gmail address for official business.

From: <sj106@rice[.]edu>
46055
Subject: FLEXIBLE PART TIME JOB OPPORTUNITY
To: undisclosed-recipients

2026-01-28 19:15 - 19:29

"FLEXIBLE JOB OPPURTUNITY", "IMPORTANT UPDATE #RICE UNIVERSITY"

Two campaigns from the same compromised account: one job scam and one account phish.

From: <vi5@rice[.]edu>
2026-01-28 19:15 - 19:29
Subject: "FLEXIBLE JOB OPPURTUNITY", "IMPORTANT UPDATE #RICE UNIVERSITY"
To: undisclosed-recipients

2026-01-26T08:12:30-06:00

RICE RA POSITION

The senders pretend to be adjunct professor Dr. Maher and present recipients with a job scam.

From: <mukul@bmionline[.]in crm@bmionline[.]in muqs@themarasports[.]com bakhtawarkhan399@gmail[.]com udev544@gmail[.]com knockitcontact@gmail[.]com>
2026-01-26T08:12:30-06:00
Subject: RICE RA POSITION
To: undisclosed-recipients

2026/01/24 - 17:11:02 (UTC -06:00)

Remote Research Practicum – Department of Psychology, Rice University

The email claims to offer a remote research practicum at Rice University paying $400 per week under Professor Philip Kortum.

From: <vip9818@v.of365[.]online Nehal.Seif@bmschools[.]net>
2026/01/24 - 17:11:02 (UTC -06:00)
Subject: Remote Research Practicum – Department of Psychology, Rice University
To: undisclosed-recipients

2026/01/21 - 15:47:55 (UTC -06:00)

Update on Employee Reward and Benefit

This email uses a fake HR notification and a trusted Google Drive link to lead users to a spoofed login page that steals their credentials when they attempt to "view" their benefits statement.

From: <jmaples376@gmail[.]com>
2026/01/21 - 15:47:55 (UTC -06:00)
Subject: Update on Employee Reward and Benefit
To: undisclosed-recipients

2026/01/04 - 19:19:35 (UTC -06:00)

$600 REMOTE WORK ACCESS

The email content is empty; it only includes an attachment.

From: <l43876693@gmail[.]com>
2026/01/04 - 19:19:35 (UTC -06:00)
Subject: $600 REMOTE WORK ACCESS
To: undisclosed-recipients

46017

ATTN: Mailbox Expires today, 12/26/2025 -refID:*

This email aims to create urgency by claiming that Office 365 (O365) credentials need to be changed, then takes you to a fake O365 sign-in page.

From: <Falsified Header.>
46017
Subject: ATTN: Mailbox Expires today, 12/26/2025 -refID:*
To: undisclosed-recipients

2025/12/16 - 10:16:31 (UTC -06:00)

Invitation: 💳 Scheduled Automatic Payment: $489.99 USD in 12 Hours @ Date Time NetID 💳 Scheduled Automatic Payment: $489.99 USD in 12 Hours

This email aims to create urgency with a false high-cost invoice, tricking users into calling a fraudulent number to reveal their personal or financial information.

From: <s1602491@edu[.]moe[.]om s1600023@edu[.]moe[.]om s1602398@edu[.]moe[.]om s1602220@edu[.]moe[.]om s1602388@edu[.]moe[.]om s1600111@edu[.]moe[.]om s1602163@edu[.]moe[.]om s1602159@edu[.]moe[.]om s1600089@edu[.]moe[.]om s1601855@edu[.]moe[.]om s1602338@edu[.]moe[.]om s1601819@edu[.]moe[.]om s1602078@edu[.]moe[.]om s1602052@edu[.]moe[.]om s1601241@edu[.]moe[.]om s1601780@edu[.]moe[.]om s1601202@edu[.]moe[.]om s1601198@edu[.]moe[.]om s1601181@edu[.]moe[.]om s1601436@edu[.]moe[.]om s1601631@edu[.]moe[.]om s1537208@edu[.]moe[.]om s1601933@edu[.]moe[.]om s1601930@edu[.]moe[.]om s1601594@edu[.]moe[.]om s1536972@edu[.]moe[.]om adegbenle.o.2004009019@eksu[.]edu[.]ng adeosun.o.158214062@eksu[.]edu[.]ng adedapo.o.2002003014@eksu[.]edu[.]ng adeewi.a.2005002012@eksu[.]edu[.]ng afolayan.o.158867030@eksu[.]edu[.]ng adebayo.e.1905004003@eksu[.]edu[.]ng afolayan.a.178867148@eksu[.]edu[.]ng adeogun.d.2007002061@eksu[.]edu[.]ng adebayo.a.2007001015@eksu[.]edu[.]ng adabiri.b.158974005@eksu[.]edu[.]ng adebayo.a.158751008@eksu[.]edu[.]ng adedoja.m.158212004@eksu[.]edu[.]ng afolalu.a.1903002025@eksu[.]edu[.]ng akinwumi.a.2001003002@eksu[.]edu[.]ng ajetunmobi.o.2009002044@eksu[.]edu[.]ng adeleke.o.158427011@eksu[.]edu[.]ng adeitan.a.2009004019@eksu[.]edu[.]ng adegoke.a.158433022@eksu[.]edu[.]ng abdulsalam.f.2009006001@eksu[.]edu[.]ng abiola.m.158977004@eksu[.]edu[.]ng epum.d.1909006036@eksu[.]edu[.]ng komolafe.m.2009011050@eksu[.]edu[.]ng ojo.o.1904001006@eksu[.]edu[.]ng adekanbi.g.2002004032@eksu[.]edu[.]ng fagbamigbe.i.158431068@eksu[.]edu[.]ng>
2025/12/16 - 10:16:31 (UTC -06:00)
Subject: Invitation: 💳 Scheduled Automatic Payment: $489.99 USD in 12 Hours @ Date Time NetID 💳 Scheduled Automatic Payment: $489.99 USD in 12 Hours
To: undisclosed-recipients

Thu Dec 11 2025 10:49:14 GMT-0600 (Central Standard Time)

Payroll Update - Revised Salary & Performance Bonus

The email seemed to be from HR, requesting that the recipient view their compensation statement by clicking a link.

From: <Falsified Header.>
Thu Dec 11 2025 10:49:14 GMT-0600 (Central Standard Time)
Subject: Payroll Update - Revised Salary & Performance Bonus
To: undisclosed-recipients

46008

Chief Human Resources

The email appeared to be from HR and asked the recipient to view a compensation statement by clicking a link, which appears to be for credential harvesting.

From: <lk18@rice[.]edu>
46008
Subject: Chief Human Resources
To: undisclosed-recipients

2025/12/09 - 11:20:31 (UTC -06:00)

Student Report Notification

This is a phishing email disguised as an official notification about a Student Support Form concerning a student in the recipient's class. The goal of the attacker is to trick the recipient into clicking the malicious link.

From: <jmahon@williams[.]edu>
2025/12/09 - 11:20:31 (UTC -06:00)
Subject: Student Report Notification
To: undisclosed-recipients


Other Scams

If you receive any other kind of scamming or phishing message, please report it to phishing@rice.edu.