Fake FNB e-mail being circulated

Monday, June 19th, 2017

Our week starts off with the latest spam e-mail, one from FNB requesting that you activate your card. Of course this isn’t legitimate, even if it looks fairly convincing. Note the :-) in the subject line. This alone should be a dead giveaway. No bank will (we hope) communicate with emoticons.

The link in the e-mail will lead you to a temporary file in your browser where you have to fill in your details. Please ignore and delete this e-mail if you receive it. If you are an FNB customer and at any time receive an e-mail you are not sure about, rather phone your bank directly and confirm.

If you receive any similar phishing e-mails, please forward them to as an attachment. This way we can add them to our spam filter and ensure no-one else receives them.

See the example of the FNB e-mail below. (Malicious links were deactivated)

Date: Thu, 15 Jun 2017 23:41:08 +0000
From: inContact <>
To: Recipients <>
Subject: FNB :-) Account Card Activation Request   16Jun 00:00
x-spam-score: -89.7 (—————————————————)

[– Attachment #1 –]
[– Type: text/plain, Encoding: base64, Size: 0.7K –]

Dear  Valued Card Holder,

As Directed by South African Credit Card Authorities, All card holders as advised to register their FNB cards on the new security platform to avoid your account from being compromised and also

To reactivate your Credit / debit Card Kindly click on the below ATTACHED and follow instructions.


*NOTE: Failure to do this will lead to suspension of your ATM Card.*

Copyright c 2017 Inter-Switch Limited

Thank you.



SARS phishing e-mail

Monday, June 12th, 2017

Take note that a phishing e-mail promising a SARS payback is circulating on campus. Below is an example of the e-mail, sent from a legitimate-looking e-mail address, with an attached web page which the recipient is asked to click on and complete.

Please do not click on the html file or enter any personal information. SARS would contact you via SMS if (in the unlikely event) they want to pay you money.  

Also look out for the telltale signs of a phishing e-mail below:

  1. Addressed to a generic name – “Dear Taxpayer”. SARS would at least include your full name and tax reference number.
  2. Grammar, spelling or punctuation errors. 
  3. SARS won’t ask you to complete any forms. They already have your information.

Dear Taxpayer,


After calculations of last year annual fiscal activities,we realised that you are eligible to receive a Tax refund of R9,250.75. please download the attached Tax refund form REFUNDSARS.html and complete the process of your Tax refund. Note:the refund will take 48hours to reflect in your account.


Thank you,


South Africa Revenue Services (SARS)

Tom Moyane Commissioner
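
The signs pointed out in this post and in the FNB post above (a generic greeting, an emoticon in the subject line, an attached HTML form) can also be checked mechanically before a message reaches a user. The following is an added example, not the university's spam filter; the function names, patterns and sample messages are constructed for illustration, and grammar errors (sign 2) are not covered.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Illustrative patterns (assumptions), covering only the signs named on this page.
GENERIC_GREETING = re.compile(
    r"^\s*Dear\s+(?:Valued\s+)?(?:Taxpayer|Customer|Card\s*Holder)\b", re.I | re.M)
EMOTICON = re.compile(r"(?<!\S)[:;]-?[)(DP](?!\S)")  # stand-alone :-) ;) :D

def phishing_indicators(raw: str) -> list:
    """Return the telltale signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found, body = [], []
    if EMOTICON.search(msg.get("Subject", "")):
        found.append("emoticon-in-subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        is_attachment = part.get_content_disposition() == "attachment"
        if name.endswith((".html", ".htm")) or (
                is_attachment and part.get_content_type() == "text/html"):
            found.append("html-attachment")  # a form to "complete", as in sign 3
        elif part.get_content_type() == "text/plain" and not is_attachment:
            data = part.get_payload(decode=True) or b""
            body.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    if GENERIC_GREETING.search("\n".join(body)):
        found.append("generic-greeting")
    return found

def sample(subject: str, text: str, attachment: str = "") -> str:
    """Build a constructed test message; the addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "Sender <sender@example.invalid>"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(text)
    if attachment:
        m.add_attachment("<html><form></form></html>", subtype="html", filename=attachment)
    return m.as_string()

# Constructed samples modelled on the two e-mails quoted on this page, plus a benign one.
FNB_LIKE = sample("FNB :-) Account Card Activation Request", "Dear  Valued Card Holder,\n\nKindly click.\n")
SARS_LIKE = sample("Tax refund", "Dear Taxpayer,\n\nplease download the form.\n", "REFUNDSARS.html")
BENIGN = sample("Meeting notes: Thursday", "Dear Thandi,\n\nNotes are on the shared drive.\n")

if __name__ == "__main__":
    for label, raw in (("FNB-like", FNB_LIKE), ("SARS-like", SARS_LIKE), ("benign", BENIGN)):
        print(label, phishing_indicators(raw))
```

A match is a reason to quarantine or tag a message for review, not proof of phishing; legitimate mail can trip any single rule.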

How to avoid ransomware attacks

Friday, June 2nd, 2017

Ransomware is a type of malware designed to encrypt users’ files or lock their operating systems so attackers can demand a ransom payment. According to a 2016 Symantec report, the average ransom demand is almost $700 and “consumers are the most likely victims of ransomware, accounting for 57 percent of all infections between January 2015 and April 2016.”

Similar to a phishing attack, ransomware executes when a user is lured to click on an infected link or e-mail attachment or to download a file or software drive while visiting a rogue website. Sophisticated social engineering techniques are used to entice users to take the desired action; examples include

  • an embedded malicious link in an e-mail offers a cheap airfare ticket (see figure 1);
  • an e-mail that appears to be from Google Chrome or Facebook invites recipients to click on an image to update their web browser (see figure 2); or
  • a well-crafted website mimics a legitimate website and prompts users to download a file or install an update that locks their PC or laptop.

Figure 1. Phishing e-mail with ransomware embedded in a link

Figure 2. A fake Google Chrome e-mail

To avoid becoming a victim of ransomware, users can follow these tips:

  • Delete any suspicious e-mail. Messages from unverified sources or from known sources that offer deals that sound too good to be true are most likely malicious (see figure 3). If in doubt, contact the alleged source by phone or by using a known, public e-mail address to verify the message’s authenticity.
  • Avoid clicking on unverified e-mail links or attachments. Suspicious links might carry ransomware (such as the CryptoLocker Trojan).
  • Use e-mail filtering options whenever possible. E-mail or spam filtering can stop a malicious message from reaching your inbox.
  • Install and maintain up-to-date antivirus software. Keeping your operating system updated with the latest virus definitions will ensure that your security software can detect the latest malware variations.
  • Update all devices, software, and plug-ins on a regular basis. Check for operating system, software, and plug-in updates often (or, if possible, set up automatic updates) to minimise the likelihood of someone holding your computer or files for ransom.
  • Back up your files. Back up the files on your computer, laptop, or mobile devices frequently so you don’t have to pay the ransom to access locked files.

Figure 3. An example ransomware e-mail message


Dangerous phishing scam disguised as a University salary increase notice

Thursday, May 18th, 2017

After the criminals’ first, partly successful spear-phishing attack in April, which used an e-mail about a salary raise to direct victims to a forged webpage that looks EXACTLY like the e-HR website, they are at it again with a few variations:

The subject is now “URGENT: Your May Salary Issue” and says the following: 


In accordance with the Fiscal Year 2017 Salary Allocation Guidelines, this is to inform you that your monthly salary starting May 31st, 2017 will reflect a 13.98% (percent) merit increase.

Your new salary is as analyzed herewith. The documents are attached below: (attached link to the forged website)

This is an EXTREMELY dangerous e-mail, because its earlier version fooled a number of university personnel into giving the scammers their login details and passwords. 

Clicking on the link will take you to a forged version of the SUN e-HR site. If you enter your username and password (because the site looks like the SUN e-HR site), the criminals will have been given access to your personal details on SUN e-HR. 

Here is what the forged site looks like:

Note the forged address marked in yellow at the top. IT blacklisted and blocked access to that site from within the university, but please support them by following the procedures on the following page:



Compromised student account used for phishing

Tuesday, April 18th, 2017

Just because mail seems to come from a university address doesn’t mean that it is legitimate.

The latest phishing scam making its rounds at the university is being sent from a compromised student account. The subject line is all in capital letters and is meant to frighten you into clicking on a link and filling in your details. This is probably how the student account that is now sending it was originally compromised.

This is a typical phishing scam. Do not respond or click on any of the links. Many thanks to all the observant students who picked it up and pointed it out to us.

Below is an example of the mail (with the dangerous bits removed):


From: Compromised, Student account <>
Sent: Monday, 17 April 2017 12:19 PM
To: fake@email.address


Certify Your email HERE



© 2013-2017 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.