Tag Archives: email

Defeat phishing attacks with bookmarks

Email phishing attacks are improving.

I mean the attackers are improving. They’re wising up to the fact that actual financial institutions and social networks send emails that are (at least mostly) intelligible, and adjusting their approach accordingly.

You still see plenty of phishing emails with atrocious spelling and weird grammar bordering on word salad, but there is a growing trend toward messages that could be mistaken for legitimate communications, even by someone who is well-informed. As potential victims become more sophisticated, so do the criminals.

One way to defeat phishing attacks is to set yourself up to never use links at all. For every single site you log into – financial institutions, credit cards, social networks, online shopping – create a bookmark in your web browser, and get in the habit of always using that link to log into the website.

That way, if you get an email that looks like it might be real, instead of clicking on a link (or even spending time wondering if you should or not), simply open your web browser and use your already-created bookmark to log into the website of whomever the email purported to come from. If there’s a real message or problem, you’ll find out about it there.

Email Hoax Update: Bill Gates is Still Not Giving Away Free Money in 2017

I recently began tracking stats for this website again after a long stretch of not doing so. I hadn’t really been posting new articles very often, and when the program that I was using to track page views and the number of site visitors stopped functioning for whatever reason, I didn’t bother looking for a replacement.

This year, however, I started posting more regularly, and decided it was time to find a new stats plugin so I could at least see if I was putting out something of value. I got it all set up in early March, and recently I noticed that an article I wrote in 2009 about a certain email hoax was suddenly getting about ten times the usual daily traffic for the entire site. That could only mean one thing: it’s baaaaack.

This email chain letter hoax is a bona fide antique, dating back to at least 1999: forward this email and Bill Gates from Microsoft will give you something like $241 for each person you forward it to. It was supposed to have something to do with AOL and Intel, neither of which are affiliated with Microsoft.

Since this hoax is making the rounds again, I felt it was time to revisit the topic: Bill Gates is not giving away huge amounts of money to random people just for forwarding emails. For one thing, Microsoft doesn’t track every email sent. For another, would you? You do know how people get rich, right? Trade secret: it doesn’t involve giving millions in free money away to random strangers in return for nothing.

(I also wanted to write an update because the old article is simply brimming with corny attempts at humor. Not that I’m suddenly above that sort of thing. I’ve probably actually only gotten worse in eight years.)

Anyway, the full, error-ridden text of this ancient email hoax is here:

THIS TOOK TWO PAGES OF THE TUESDAY USA TODAY – IT IS FOR REAL

Subject: PLEEEEEEASE READ!!!! it was on the news!

To all of my friends, I do not usually forward messages, But this is from my good friend Pearlas Sandborn and she really is an attorney.

If she says that this will work – It will work. After all, What have you got to lose? SORRY EVERYBODY.. JUST HAD TO TAKE THE CHANCE!!! I’m an attorney, And I know the law. This thing is for real. Rest assured AOL and Intel will follow through with their promises for fear of facing a multimillion-dollar class action suit similar to the one filed by PepsiCo against General Electric not too long ago.

Dear Friends; Please do not take this for a junk letter. Bill Gates sharing his fortune. If you ignore this, You will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test.

When you forward this e-mail to friends, Microsoft can and will track it ( If you are a Microsoft Windows user) For a two weeks time period.

For every person that you forward this e-mail to, Microsoft will pay you $245.00 For every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, You will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a check.

 thought this was a scam myself, But two weeks after receiving this e-mail and forwarding it on. Microsoft contacted me for my address and withindays, I receive a check for $24,800.00. You need to respond before the beta testing is over. If anyone can affoard this, Bill gates is the man.

It’s all marketing expense to him. Please forward this to as many people as possible. You are bound to get at least $10,000.00. We’re not going to help them out with their e-mail beta test without getting a little something for our time. My brother’s girlfriend got in on this a few months ago. When i went to visit him for the Baylor/UT game. She showed me her check. It was for the sum of $4,324.44 and was stamped “Paid in full”

Like i said before, I know the law, and this is for real.

Intel and AOL are now discussing a merger which would make them the largest Internet company and in an effort make sure that AOL remains the most widely used program, Intel and AOL are running an e-mail beta test.

When you forward this e-mail to friends, Intel can and will track it (if you are a Microsoft Windows user) for a two week time period.

Yep. It was a hoax in 1999, just like it was a hoax in 2009, and just like it’s still a hoax in 2017 and will be forever. If you get it, don’t believe a word of it. Don’t forward it “just in case” or because “it doesn’t hurt to try.” Delete it, and let whoever forwarded it to you know that it is a hoax.

Don’t let ‘em coax
You with a hoax, blokes
Make one keystroke:
Hit ‘delete,’ folks.

An example of the exact type of email you should NOT open

Here’s a screenshot of something that appeared in my inbox recently:

2015-12-21-spam

I spend a lot of time trying to describe the kinds of emails you should avoid, but this one illustrates those concepts perfectly. Let’s look at a few warning signs:

  1. The message wasn’t expected (I’m not a USAA member, but even if I was, this isn’t a usual email)
  2. The subject line is intended to provoke a fear reaction
  3. The subject line is kind of weird, grammatically; are they saying that a “New Document” has been prevented? If “Due to Suspicious Sign-in” modifies the subject of the sentence, which in this case is “New Document,” then…okay, you get it;  it just reads weird.
  4. There is a file attached (the little paperclip icon)

What is supposed to happen with this kind of email is that the victim sees “Suspicious Sign-in” and immediately opens the message, which is most likely blank or contains instructions to open the attached file. Once the victim does that, some form of malicious software, anything from spyware to ransomware, will be installed on their computer.

What actually happens, when the recipient knows some of the warning signs, is that the message is immediately deleted and causes no harm.

Also note that this message slipped past some pretty burly anti-spam and anti-malware software. Those tools are important, but sometimes a dangerous email still makes it through. Stay vigilant!

Nigerian 419 email scams live on

I saw this one just today. It’s a doozy:

From: The Desk Of Mr. James Dike
Reference: GTBank Plc.
Address: 402, Lagos-Abeokuta Expressway, Abule-Egba, Lagos State, Nigeria.

Attention: $10.5M ATM Fund Beneficiary,

I am Mr. James Dike, the new appointed ATM Head of Operation Department Guaranty Trust Bank Nigeria PLC, I resumed to this office on the 1st of this month and For your information i have been empowered and instructed by the new elected President Federal Republic of Nigeria Gen. Muhammadu Buhari to pay all outstanding debt payment to the rightful beneficiaries and summit my payment report to his office with immediate effect and any payment that is not paid before the end of this month will be cancelled and the fund will be returned to the Federal Reserve Oil Account.

So, during my official research last week I discovered an abandoned ATM Master card valued sum of $10.5Million with card number 5321452123409380 belonging to you as the rightfully intimate beneficiary. I tried to know why this card have not been released to you but I was told that the formal ATM head of operation who left this office two months ago withhold your card for his own personal use without knowing that I will not approve or support him to take your card.

Now that your ATM Master card is still available for you to pick it up here in our bank. I want to know how you wish to receive your ATM card along with your four digits pin code number. You can come down here in our bank to pick up your card direct from my office or alternatively it can be send to your address through any registered reliable courier service company that you will take care of the courier charge. I don’t know the cost of shipping the card to you but if you permit me I can make an inquiry from the courier shipment company to find out the cost, but in that case you will be required to forward to me your shipment address to enable me find out the shipment cost to your location.

Your direct telephone number and address will be needed and more details of your ATM Master card payment will be made known to you as soon as I receive your swift positive response, to enable you know the amount programmed for your ATM Master Card daily withdrawal.I will send your ATM master card information including your Card Pin Code as soon as you declare your choice of receiving your ATM card so as to enable you receive your card and start making use of it to withdraw at any ATM card machine all over the world as programmed.

Do not hesitate to call me on +234 802-850-0459 as soon as you read this mail.

Thanks for your co-operation.

Yours Faithfully,
Mr. James Dike
ATM Head of Operation Department
Guaranty Trust Bank Nigeria Plc.
Tel: +234 802-850-0459.

A lot of us have become jaded when it comes to the old Nigerian 419 scam. Even though this one takes a different angle and doesn’t mention an exiled prince, for many of us, it’s easy to see through. We probably wouldn’t even read it…”$10.5M” in the subject line would be enough to trigger our “delete” reflex.

But somebody still falls for it. If they didn’t, these emails wouldn’t happen anymore. So while you may have become almost flippant about the Nigerian 419 scam, remember that there are still people who haven’t heard about it yet. If someone you know starts talking about an impending payout from a mysterious source, or mentions their plans to wire money overseas, it might be time to educate him or her.

Play Along at Home: Fake Target ‘Order Confirmation” Email

Here’s a picture of a fake “Order Confirmation” email I received recently. How many clues can you spot that indicate something is not quite right?

2014-12-08-spam-01

Here’s what comes up if you hover the mouse over the word “link”:

2014-12-08-spam-02

How many fraud indicators did you find?

Here are the ones I found:

  1. Very vague subject line: if this were an actual delivery confirmation, the subject line would usually refer to it in some way. It wouldn’t just say “Order Info.”
  2. The “From” information: support@yummy.cookiesmadeeasy.com is not a Target email address.
  3. The logo is wrong. No bullseye anywhere.
  4. “As Thanksgiving nears…” Thanksgiving was a couple weeks ago. Wrong holiday, dummies.
  5. The (attempted) conversational tone of the email: if you had an actual order to pick up, the email would begin with this information. Whichever holiday is approaching is absolutely irrelevant (for the store) to the fact that they’ve got merchandise they want you to pick up as soon as possible.
  6. The excruciatingly bad grammar. Go ahead, read it out loud. It’s beyond horrid.
  7. This isn’t even how in-store pickup orders work…the customer chooses which store to have their purchase shipped to, and that’s where it goes. That’s the only place it goes. You don’t just go to any random location because they don’t ship one to every single store when an order comes in.
  8. And what happens if I don’t “pick it” within four days? Again, not how online orders work.
  9. The stores aren’t called “Target.com.”
  10. When you get a real order confirmation email, the order information is almost always included in the message. You don’t have to click a link to get to it.
  11. Speaking of links: makingteamsrock.com? Not a Target website.
  12. “Always yours, Target.com.” Pretty sure they don’t refer to themselves as “Target.com.” Or use “Always yours” as a closing.
  13. Not one single item in the “privacy policy” line at the bottom is an actual link.

So, I found thirteen. Did you catch any that I didn’t?

How to spot a disguised link in an email message

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:

2013-10-01-mouseover

Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.

Beware LinkedIn phishing emails

Here’s a screenshot of an email message I got the other day (click to enlarge):2012-10-17-fpu-01

There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:

  1. The yellow “Accept” button
  2. The white “Ignore Privately” button
  3. “Marva Leonard”
  4. “Unsubscribe”
  5. “Learn why we included this”

Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):

2012-10-17-fpu-031

I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.

If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.

Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:

2012-10-17-fpu-02

Unless you know who the message is from and what it contains, never click on that box.

Email Scam/Malware Alert: “Corporate eFax message”

I received this message yesterday afternoon (links have been removed, but are shown in blue):

*   *   *

From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages

Fax Message [Caller-ID: 680-973-3656]

You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.

* The reference number for this fax is min1_20121003222219.1055179.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login

© 2011 j2 Global Communications, Inc. All rights reserved.

eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

*   *   *

eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?

By mousing-over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouseover, that’s a good indication of foul play.

In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!

  1. min1_20121003222219.1055179: www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
  2. Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
  3. www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
  4. Home: egelisanfen.com/v2WPTAhV/index.html
  5. Contact: christianharfouche.net/Q1uRBnn/index.html
  6. Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
  7. eFax® Customer Agreement: happlications.com/phjbPEB/index.html

You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”

Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.

Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and other criminal activity.

Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.

Mary, Mary, why ya buggin’?

Maybe it’s just the specific spam email lists I’ve ended up on, but of late I’ve noticed an inordinate amount of garbage email coming from people named “Mary,” with all different last names. Here’s a sample of my deleted items folder over the last several weeks (I photoshopped out a few messages from legit business contacts named “Mary” that were interspersed with these…this is just the spam):

2012-05-14-marymary

This isn’t even all of them. Is it just my inbox, or have you noticed this as well?

Virus/Scam Email: BEQUEST NOTICE

From: Harry Lucas (Advocate) [mailto:harry-lucas@lawyer.com]
Sent: Saturday, April 28, 2012 4:22 PM
To: undisclosed recipients:
Subject: BEQUEST NOTICE
Attach: bequest.pdf

Attention! BEQUEST NOTICE, open attachment for details.

I’m going to venture an informed guess here and say that, should you receive a message like this one, whatever else you do, you really, really should not open that attachment. Whatever is in it, you don’t want it.