Phishing Scam Targets Bank Info

A picture of a hoodie hacker

What happened

Earlier today, some people at the University of Illinois received copies of an email that had an attachment pretending to be a fax message. Here is a screenshot of the email:

A screenshot of what the phishing email and the attachment name.

If you received this email, DO NOT OPEN THE ATTACHMENT.

The attachment was actually a Word document that attempted to install malware known as TrickBot onto Windows computers.

TrickBot is a "banking Trojan” that tries to steal passwords for various banking websites by injecting malicious DLL files into web browsers.


How to remove TrickBot

TrickBot is detected and removed by MalwareBytes, and likely by other anti-malware programs as well. Cleaning an infected computer with anti-malware software and rebooting should be sufficient to remove TrickBot.
If you need assistance, please contact your local IT support staff or the Technology Services Help Desk at 217-244-7000 or by emailing


Other important remediation steps

Anyone who opened the attachment should be aware of the possible compromise of any passwords that were entered during the time since the attachment was opened. Passwords that are stored in any browser may also have been compromised.  In order to be entirely safe, these passwords, particularly banking passwords and University NetID passwords, should be promptly changed. Your NetID password can be changed by visiting