Another "Pending Message" Phishing Scam

Wait, That Was a Test!

You clicked a simulated phishing link as part of our Security Awareness Program. We want to help you learn how to spot these in the future.

Do not worry! This was only a simulation. Nothing bad happened and you do not need to change your password. We are here to help you learn, not to punish.

Let Us Break Down This “Pending Message” Phishing Email

From: Secure Message System <swaim@doctorican.org>

Red Flag Number One: Mismatched Sender Address

The display name shows Secure Message System, but the actual sending address is swaim@doctorican.org. A legitimate system notification from the university will originate from an official internal domain, not an unrelated .org address.

 
You don't often get email from swaim@doctorican.org. Learn why this is important

External Email: This email was sent from outside VIU. Treat links and attachments with extra caution.

Red Flag Number Two: System Warning Banners

The email client displays two warning banners at the top of the message. The banners notify you that the sender is external and unfamiliar. A legitimate internal email delivery system from the university will not trigger an external warning banner.

Failure Delivery Messages
Email Delivery Reports For your.name@viu.ca

Status   Subject                           Date        Time
Pending  Urgent: Invoice Overdue           05/18/2026  08:14 AM
Pending  RRSP Statement and Contributions  05/19/2026  11:22 AM

Red Flag Number Three: Psychological Manipulation

The subjects of the pending emails are Urgent: Invoice Overdue and RRSP Statement and Contributions. Attackers choose these subjects to trigger anxiety and financial curiosity. They want to pressure you into acting quickly without thinking.

Red Flag Number Four: The “Move To Inbox” Button

This button is the payload delivery mechanism. Hovering your mouse over the button without clicking would reveal a link pointing to a credential-harvesting site. Real university systems do not ask you to move files directly to your inbox.

Let Us Break Down the Fake Login Page

🔒 securembly.com/can/128dfef5-fdd5-4cfc-be19-3679ed0f3679d0...

Red Flag Number Five: The Web Address Does Not Match

The most important place to look is the address bar at the very top of the browser.

What to look for: A real Microsoft login will always have a recognizable address, like login.microsoftonline.com.

What is wrong here: This address says securembly.com, which has nothing to do with Microsoft. It is also followed by a massive wall of random letters and numbers. Scammers use these long, messy links to hide their true location and track who clicks.

What Is the Number One Thing I Could Do

The number one thing you can do is treat your Inbox(es) like a school zone. Slow down when reading and acting on email.

We are all used to driving 10 km/hr over the speed limit on the highway. That behaviour can translate into our work. We are all super busy, and our attention is split. It is easy to be on autopilot without taking a moment to pause and think about what we are doing. However, I suspect none of us speed in a school zone. We slow down because of the heightened risk and greater impact of making a mistake on that stretch of road.

Email is the highest-risk area of your job for being exploited and manipulated into granting access to or sharing sensitive information.

What Should You Do Next Time?

Tips for identifying fake system notifications:
  • Stop and read the banners. Treat external email warning banners as yield signs. If an email claims to be internal but has an external warning banner, it is almost certainly malicious.
  • Verify the browser address bar. Before typing your password on a login screen, always check the URL at the top of the browser. A real Microsoft login page will always show login.microsoftonline.com.
  • Do not trust branding alone. Visual components like logos, colors, and fonts are easily stolen by scammers. A professional-looking design is not a guarantee of security.
  • Verify via the official route. Never use the links in the email if you are worried about your account status. Manually open a browser, navigate to the official portal or contact the IT Helpdesk directly.
  • Report, do not delete. Use the Report button in Outlook for suspicious emails rather than deleting them. This action allows the security team to protect other employees.
  • When in doubt, contact IT. We are here to help!
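
For readers who triage reported messages, the sender check and the address-bar check from the tips above can be written as code. This is an added example, not part of the original page or any VIU tooling. It assumes viu.ca is the internal mail domain and login.microsoftonline.com is the only accepted sign-in host, and the function names are illustrative.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: viu.ca is the internal mail domain (taken from
# the sample recipient address) and login.microsoftonline.com is the only
# accepted sign-in host (the one named on this page).
INTERNAL_MAIL_DOMAINS = {"viu.ca"}
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}


def sender_domain(from_header):
    """Domain of the real sending address; the display name is ignored."""
    _display, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def is_internal_sender(from_header):
    domain = sender_domain(from_header)
    return any(domain == d or domain.endswith("." + d)
               for d in INTERNAL_MAIL_DOMAINS)


def _split(url):
    # Address-bar text often omits the scheme; add one so the host parses.
    return urlsplit(url if "://" in url else "https://" + url)


def login_host(url):
    """Host the browser would actually connect to."""
    return (_split(url).hostname or "").lower().rstrip(".")


def is_trusted_login(url):
    # Compare the whole parsed host, never a substring: a trusted name can
    # appear as a prefix of a longer host or before an "@" in the URL.
    return _split(url).scheme == "https" and login_host(url) in TRUSTED_LOGIN_HOSTS


def red_flags(from_header, link):
    """List the red flags raised by a From header and a link target."""
    flags = []
    if not is_internal_sender(from_header):
        flags.append("sender domain %s is not internal" % sender_domain(from_header))
    if not is_trusted_login(link):
        flags.append("link host %s is not a trusted login host" % login_host(link))
    return flags
```

Run against the sender and address from this page, `red_flags` reports both problems; the exact host comparison is the same habit as reading the full address bar rather than looking for a familiar word in it.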