Members of the University community are receiving phishing emails with subjects like “are you available”, “are you on campus”, and “quick request”. These emails spoof the names of University officials (President, Chancellor, Department Chair, or any UH official), employees, and your colleagues. Their names are being used on email messages to ask the recipient to purchase gift cards or other strange activity. The attackers spoof the email so that it appears that it was sent from the person’s hawaii.edu account. In the past, they used free email accounts (gmail, my.com, etc) with the university employees name to trick you into responding.
Attackers are now changing tactics to include asking directly for your cellphone number so they can continue the conversation through text messages instead of email. Do not reply with your cell phone number or text the number provided in the message.
If you receive a message with this type of request from a UH employee you normally work with (supervisor, co-worker, etc), do not immediately reply. You should verify the legitimacy of the message separately with the UH employee (not by replying to the message) or through someone else who can validate the request.
You should also check to see if there is a non-hawaii.edu “Reply-to” address on the message:
- Log in to Gmail using a web browser.
- Open the message you’d like to view headers for.
- Click on the “three horizontal dots” next to the Reply arrow, at the top of the message pane.
- Select “Show Original”.
For more information about phishing in mobile device applications, please refer to https://www.hawaii.edu/askus/1708.
If you would like to report receiving one of these messages, please refer to https://www.hawaii.edu/askus/898.