Phishing Campaign Examination

Recently a number of Bucknellians gave their account credentials away as part of a phishing campaign. 

Phishing: "Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information." Wikipedia

Phase 1 - Job Offer to Gain Personal Information

In the first phase of the attack, the bad actors sent an email that offered an enticing job for a high rate of pay. This is an attempt to steal your name and other personally identifying information. You filled out a form or replied via email with your name, email, address, telephone number and other information that was used in phase 2. 

Subject: Re: You have a NEW MESSAGE

PT Remote Admin Asst

Job Title: Children’s Care Support & Personal Aide
Job Type: Part-Time
Hours: 2-3 hours per day, 2 days a week
Compensation: $50 per hour (approximately $300-$450 per week)
To Apply:

Email your resume to {####@gmail.com } using your personal email (e.g., Gmail, Yahoo, Outlook/Hotmail).

If you don’t have a resume, simply reply with "I’M INTERESTED", including your full name and phone number.

Do not use a .edu email — applications from school emails will not be considered.

Job Placement & Student Services

Employment 03701-3421

Subject: REMOTE OFFICE / ADMINISTRATIVE ASSISTANT

Dear Applicant
An administrative assistant to perform various administrative tasks like making or receiving payments and sending gifts, keeping records, and processing paperwork, when necessary, with good weekly pay is needed, please find the position and some basic information below.

Position: Personal Assistant

Type: Part-Time Job
Pay: $550 weekly

Hours: Average of 10-12hrs weekly

This position will be home-based and it's a flexible part-time job, you can be working from home, School, or any location.


CLICK HERE TO APPLY   


 Or send your resume to ####@gmail.com

I offer You An excellent Total Compensation package, including a Competitive Salary, Excellent Benefits Package, and Growth Opportunities. We Believe in Our team and you to do excellent work.
Job Placement & Student Services
Bucknell University
Employment 01701-9101. All rights reserved.

Subject: Re: Exciting Part-Time Administrative Assistant Opportunity!

Dear Students and Staff,
We have a great opportunity for students who are interested in becoming a Personal Assistant (Remote).
As part of this position, you will enjoy a fantastic working environment, growth, and a CEO who values and celebrates their employees. To qualify for this position, you should have strong service skills, a flexible attitude, and strong teamwork skills. Excellent benefits are also available.

There will be only 11 hours needed to do this part-time job per week. This part-time job is fun, flexible, and rewarding, with fair wages.

* Position: Personal Assistant
* Type: Part-Time Job
* Hours: Average of 11hrs weekly
* pay: $550 weekly.

CLICK HERE TO APPLY for this great opportunity to make extra money. Anyone can apply without affecting their current (Full-time) job. or send a copy of your resume to
 ( #####@gmail.com ) using your alternative email  
 
Best Regards,
Student coordinator
Bucknell University

Phase 2 - Account Threats to Steal Username and Password

In the second phase of the attack, the bad actors sent an email that appears to be unrelated, but threatens that your account will be deleted unless you fill out a form. This is an attempt to steal your username and password.

Subject: Re: Action Needed: Please confirm

General System Maintenance 1 / 17 / 2026

Dear User,

We are unable to process incoming emails to your school account because your Google account verification has failed. If this issue is not resolved within the next few hours, your account may be permanently deleted from our system.

Please take immediate action to verify your account to avoid any disruption.

Additionally, alumni and former students are also required to complete the verification process using the link provided.

To avoid losing access, please verify your account immediately by clicking the link :  

re-verify Here     . Failure to do so may result in permanent loss of access to your account.

If the link is not working, copy and paste the URL below into the address bar of your web browser to cancel the request:  https://forms.gle/####

“PUSH-WORD" on the form means PASSWORD (the one you use to log in to your email account)

Please answer all your questions. If you do not have an answer to a particular question, write 'Nil'.  

Thank you for your prompt attention to this matter.

Sincerely,
--
CONFIDENTIAL NOTICE: This e-mail transmission may contain confidential or legally privileged material that is only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or reliance upon the contents of the e-mail is strictly prohibited. If you have received this e-mail transmission in error, please reply to the sender, so that the proper delivery can be arranged, and then please delete the message from your inbox.

Subject: Re: [STUDENTS] Update

General System Maintenance 1 / 17 / 2026
This is the last time we will notify you that we'll stop processing incoming emails in your school account, and the reason is you failed to verify your account which may lead to the permanent deletion of your account from our database in the next few hours. Kindly take a minute to complete our email verification below. 

If your account remains unverified within the next few hours, incoming emails may be blocked, and your account — along with all associated data — could be permanently deleted.

To prevent any loss of access or information, please verify your account now and confirm that all details are entered correctly before submission.

To visit the link, click OR  copy and paste the URL below into the address bar of your web browser to verify: 
https://forms.gle/####
“PUSH-WORD" on the form means PASSWORD (the one you use to log in to your email account)

Please answer all your questions. If you do not have an answer to a particular question, write 'Nil'.  

Thank you,
OIT Service Desk

Subject: Bucknell University, Act Now.

This is the last time we will notify you that we'll stop processing incoming emails in your school account, and the reason is you failed to verify your account which may lead to the permanent deletion of your account from our database in the next few hours. Kindly take a minute to complete our email verification below. 

If your account remains unverified within the next few hours, incoming emails may be blocked, and your account — along with all associated data — could be permanently deleted.

To prevent any loss of access or information, please verify your account now and confirm that all details are entered correctly before submission.
To visit the link, click the button above or paste this link into your browser:
https://shorturl.at/####

Important Notice-   On the form, there’s a field labelled “OKBU" This actually means your email password — the one you use to log in to your email account. 
“OKBU" on the form means PASSWORD (the one you use to log in to your email account)
If you only have one account, only fill in the only account. and fill " None; Nil; NA " in the rest of space.

Thank you,
OIT Service Desk

Phase 3 - Text Message Request to Steal Duo Authentication

In the third phase of the attack, the bad actors sent a text message asking you to provide your Duo Authentication code to confirm that you do not want your account to be deleted. 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

Final Result

At this point, the bad actors have complete control of your account and can begin using your email address to send thousands of phishing messages to other Bucknell email users. They can also take any of the actions listed here, including stealing your Social Security Number or redirecting your paycheck.

Compromised Account FAQ

Explanation

There is no job. No one is offering a job for an extremely high rate of pay for very little work.

There is no threat of account deletion for current students, faculty, or staff.

There is no threat of account deletion on a holiday weekend or on a Friday or Saturday night. 

There are no circumstance where legitimate IT staff will text you to request your Duo Authentication code.

All the messages - job offers, account threats, text messages requesting Duo - come from the same team of bad actors. They use different email addresses, but this is a coordinated attack.

There are numerous signs that the email and text messages are fake:

  • The senders are students and alumni.
  • The messages are filled with grammatical and spelling errors.
  • The messages do not use an established communication channel.
  • The messages do not use the identity of any Bucknell departments or organizations.
  • The messages threaten immediate account deletion.

If you fall for a phishing scheme change your password immediately and contact the Tech Desk. DO NOT WAIT to report the incident to the Tech Desk. The faster you report, the faster IT staff can lock the attackers out of your account. 

 

Print Article

Related Articles (2)

Compromised Account FAQ
This article details every step you need to take if your account has been compromised.
Phishing FAQ
This article is all about phishing. It explains what phishing is and has additional information on what to look for and how to report phishing emails.