Phish: You have been sent new employee benefits/salary

Published: March 6, 2025

This phishing email attempts to trick recipients into downloading an attachment containing a virus. The attachment can be used to steal personal information and login credentials and gain unauthorized access to the user’s account.

Once an attacker has acquired login credentials, they may attempt to access the account by triggering multiple MFA notifications, hoping the user will approve one. If you receive an unexpected Duo, UTORMFA or another MFA request that you did not initiate, do not approve it. Report suspicious MFA notifications to security.response@utoronto.ca immediately.

Email details

Subject:

You have been sent new employee benefits/salary

Hello,

Your employee benefits/salary have been updated for the upcoming fiscal year.

To confirm these benefits, please complete the attached form and reply with the filled-out document.

Scan the QR code using your phone to begin submitting the form.

Malicious QR code included

Attachment:

Utoronto Benefits_Salary-(jane.smith).docx (Zero KB)

Phishing cues

Poses as a trusted or legitimate source

The sender impersonates U of T to manipulate the recipient into acting.
Unprofessional design or formatting

The email lacks standard professional formatting, including a legitimate signature and contact information.
Generic greeting

The email does not specify the recipient’s name, making it less personal and more suspicious.
Unsolicited attachments or links

The email includes an unexpected QR code and instructs recipients to scan it, which is not a standard U of T communication practice.

Report phishing

If you receive a suspicious email, do not open attachments or click on links. Report phishing attempts to security.response@utoronto.ca.

Phish Bowl

Phish Bowl

Phish Bowl