This phish attempts to look like a friendly notice warning you that your account was accessed from Nigeria and needs your attention. Going through the messsage section by section, there are several issues that give it away as a phish.
- The “From” address is a pollywood.org address and has nothing to do with Penn State.
- The “To” address is the same as the “From” address, which means anyone who received the message was blind copied (Bcc’d) – something that would not happen with a legitimate warning about your account.
- The time of the supposed access from Nigeria was left in local Lagos time, so it looks as though the account was accessed in the future, compared to the time the message was sent.
- You are given a link to “retrieve your account.” We’re not sure what that means, but it’s not how you would be asked to secure your account and/or change your password.
- The link given has nothing to do with Penn State – it’s a shibuya-denki.com address.
- The site to which the link goes is a generic login page with no mention of Penn State. The only reason it exists is to harvest passwords.
- There is a copyright date of 2014 given in the signature of the message. There’s no reason to copyright an account warning notice, and even if there were, it’s now 2016.
Subject: Unrecognized New sign-in
Date: Tue, 24 May 2016 09:37:46
From: Pennsylvania State University <firstname.lastname@example.org>
To: Recipients <email@example.com>
This is an automated message to notify you that a valid password was used
to login your psu.edu mail account from an unrecognized device, Today
Tuesday, May 24th, 2016 at 1:58 PM , in Lagos, Nigeria
(IP=184.108.40.206) as a result of that your account has been temporarily
If you did this, you can safely disregard this email. If you didn’t do
this, kindly follow our review link below to retrieve your account
http://shibuya-denki.com/http:/www/ (<- This is a generic phishing site that harvests passwords)
The Pennsylvania State University ©2014. All rights reserved.
Please do not reply to this message. Mail sent to this address cannot be