"Pending Message" Phishing Scam

Wait, That Was a Test!

You clicked a simulated phishing link as part of our Security Awareness Program. We want to help you learn how to spot these in the future.

Do not worry! This was only a simulation. Nothing bad happened and you do not need to change your password. We are here to help you learn, not to punish.

Let Us Break Down This “Pending Message” Phishing Email

 
External Email: This email was sent from outside VIU. Treat links and attachments with extra caution.
 
  From viu.ca Server

Red Flag #1: Conflicting Sender Information

Notice the contradiction: The top banner correctly identifies the email as External, but the message body claims it is “From viu.ca Server”. Legitimate internal system notifications will not be flagged as external. Always trust the system-generated “External Email” banner over what the email body claims.

You have "14" messages pending on your email storage server as at 01/12/2026

 User ID:   your.email@viu.ca

Red Flag #2: Fake Urgency and Specifics

Phishing emails often use oddly specific details, like “14 messages pending”, to make the threat feel urgent and real. They want you to react quickly without checking if the problem exists. If you truly had pending messages, Outlook would alert you, not a random email.

Red Flag #3: Suspicious Actions

Be wary of buttons asking you to “Authorize” or “Release” messages. Hover over buttons before clicking. These ones lead to unknown, suspicious addresses, not trusted sites.

Message Encrypted by viu.ca    All Rights Reserved.

Red Flag #4: Fake Security Claims

Attackers try to build trust by adding technical-sounding footers like “Message Encrypted by viu.ca”. Real encryption notifications typically come from specific systems (like Microsoft 365 Message Encryption) and look different. Do not let a “secure” label lower your guard.

What Is the Number One Thing I Could Do

The number one thing you can do is treat your Inbox(es) like a school zone. Slow down when reading and acting on email.

We are all used to driving 10 km/hr over the speed limit on the highway. That behaviour can translate into our work. We are all super busy, and our attention is split. It is easy to be on autopilot without taking a moment to pause and think about what we are doing. However, I suspect none of us speed in a school zone. We slow down because of the heightened risk and greater impact of making a mistake on that stretch of road.

Email is the highest risk area of your job for being exploited and manipulating you into granting access to or sharing sensitive information.

What Should You Do Next Time?

Tips for identifying fake system notifications:
  • Check the External Email banner. Real VIU system messages will never be flagged as external emails
  • Hover over links. Legitimate VIU links should always go to viu.ca domains
  • Question urgency. Ask yourself: Is this really urgent, or is someone trying to rush me?
  • Verify through official channels. Check your actual email client or contact IT directly rather than clicking email links
  • Look for inconsistencies. Pay attention to conflicting information like “external” vs “from VIU server”
  • Report it. Use the Report button in Outlook for suspicious emails
  • When in doubt, contact IT. We are here to help!
Print Article