Tag Archives: Phishing

“Mailbox full” phishing attacks

When you get an email message telling you that your mailbox is full, or that your “quota has been exceeded,” it’s a good idea to double-check before you respond in any way. It might be a phishing attack designed to harvest your login credentials, infect your computer with malware, or both.

Most email service providers have a limit to how much space incoming messages can take up on the server. The size of this limit often depends on whether or not (and how much) the user is paying for the service (free providers give you less than ones you pay for).

If you leave hundreds and thousands of messages unread because you never check your mail, or don’t set up your email program to remove messages from the server after reading, you can reach this limit and new messages won’t get through.

That said, if you get a “mailbox full” message, chances are it’s not from your email service provider at all, and clicking on any links could lead to trouble. Here are a couple things to look for.

Bad spelling/bad grammar: these days, large internet service companies hire people who know how to spell and write to compose official messages. Strange grammatical constructions or misspelled words are an immediate tip-off that the email isn’t legitimate.

Who is it from? If you were really looking at an official message about your iCloud email account, you would think the sender’s address would be “[username]@icloud.com.” Same with att.net, hotmail.com, gmail.com or any of the others. Yet in a majority of cases, phishing emails appear to come from an address that has nothing to do with the service provider. Keep this in mind, though: some more sophisticated and/or targeted attacks might not have this flaw.

Where do the links go? You can see where a link takes you without clicking on it by hovering your mouse over the link and waiting for the little popup window to display the address. On a mobile device, you can hold your finger down on the link (instead of tapping) and a window will pop up showing the address. Again, if it’s from your actual email provider, that link is going to lead somewhere related to the business (and related to the sender’s address). A message about your Gmail account is going to point to something hosted at google.com, for example. Beware of lookalike addresses, though; the architects of these attacks will sometimes set up websites with addresses like “att.net-verification.com.br” where at first glance it appears to point to an att.net site, but the actual address is “net-verification.com.br.”

The best practice is to never interact directly with this type of message in the first place. If you think there might be a real issue with your email account, go directly to the provider’s website to find out if there really is a problem and how to correct it. If you did click on a suspicious link, run a virus scan to make sure you haven’t been infected with malware, and change any affected account passwords immediately.

Defeat phishing attacks with bookmarks

Email phishing attacks are improving.

I mean the attackers are improving. They’re wising up to the fact that actual financial institutions and social networks send emails that are (at least mostly) intelligible, and adjusting their approach accordingly.

You still see plenty of phishing emails with atrocious spelling and weird grammar bordering on word salad, but there is a growing trend toward messages that could be mistaken for legitimate communications, even by someone who is well-informed. As potential victims become more sophisticated, so do the criminals.

One way to defeat phishing attacks is to set yourself up to never use links at all. For every single site you log into – financial institutions, credit cards, social networks, online shopping – create a bookmark in your web browser, and get in the habit of always using that link to log into the website.

That way, if you get an email that looks like it might be real, instead of clicking on a link (or even spending time wondering if you should or not), simply open your web browser and use your already-created bookmark to log into the website of whomever the email purported to come from. If there’s a real message or problem, you’ll find out about it there.

The ‘Can You Hear Me?’ Scam (Or Maybe Not)

I’ve seen a few recent warnings about something many are referring to as the “Can You Hear Me?” Scam. Basically, someone will call, ask if you can hear them, wait for you to say “yes,” then hang up. Later, they make unauthorized charges to your credit card, and use the recording of you saying “yes” in court to “prove” you agreed to the charges.

Now, any reminder to NOT talk to strangers who call you on the phone or to engage with robocalls in any way is a good reminder, but if you’re like me, you might find a few holes in this specific warning.

For example, unless you have the weirdest credit card in the world and its number is “YES” for some reason, simply saying the word doesn’t automatically give the caller your card information. Despite the existence of Peanut Butter M&M’s, Gus’s World Famous Fried Chicken and the first Doc Watson album, magic isn’t actually real, and nobody can pull your credit card number out of your wallet simply by getting you to say “yes” one time. The scammer would have to already have this information before calling you.

Then, if they’ve already got your card information, why would they bother calling to trick you into appearing to agree to charges? In a vast majority of the cases I’ve seen, scammers aren’t interested in making their schemes complicated. They’re not going to use a recording of you saying “yes” in court because they’re never going to end up in court. If they have your card information, they’re just going to use it. They don’t need to track down a phone number associated with the card in order to get a “yes” they’re never going to need.

So this leaves us with…what, exactly? Is this a real scam? There do not appear to be any documented cases of “said yes/card was charged/disputed the charge/recording ‘proved’ I authorized the charge/no recourse.” But the calls appear to be actually happening, and you have to wonder: what are they up to?

It doesn’t matter. If you get a call and someone just says, “Can you hear me?” hang up. No matter what their intent, it’s not something you want to get involved in.

Even better, stop answering the phone every time it rings. Almost every phone scammer needs you to pick up the phone. If you don’t, you’ve already ruined their scheme. If you recognize a number, go ahead and pick it up, but let everyone else leave a message.

This may be just one of those stories that gets passed around on a better safe than sorry basis, but I like accuracy, and the story being shared by various online sources doesn’t add up. If you do get a call like this, just hang up. But consider letting all unfamiliar calls go to voicemail. It’s the safest method.


  1. The Consumerist: If A Telemarketer Or Robocall Asks “Can You Hear Me?” Just Hang Up; It’s A Scam
  2. Snopes: ‘Can You Hear Me?’ Scam Warning

Anthem Data Breach: Let the scams begin

News of the massive data breach at insurance giant Anthem Inc. isn’t even a week old, and already the phishing scams have begun.

Phone calls and emails are already circulating that claim to represent Anthem and offer free identity theft protection to victims of the breach. These calls and emails are not from Anthem, but scammers attempting to obtain personal and financial information.

Anthem has stated that they will contact customers affected by the breach by mail over the next couple weeks.

That means postal mail, friends. The kind that’s on paper and comes in an envelope, delivered by that person your dog completely freaks out at six time a week. The letters will give you information on identity theft protection, as well as the next steps you should take.

If someone calls you on the telephone, they’re not from Anthem.

If you get an email message, it’s not from Anthem.

If you get a text message, that’s not from Anthem, either.

If some weirdo shows up at your door, they’re not from Anthem.

Okay, I don’t really think that last one is going to happen, but you never know. I’m trying to me preemptive, here.

Watch your mailbox if you’re a former or current Anthem (or Wellpoint) customer. The old-school mailbox. Any other communications that claim to be from Anthem are fraudulent.

You can also get information online here.

Play Along at Home: Fake Target ‘Order Confirmation” Email

Here’s a picture of a fake “Order Confirmation” email I received recently. How many clues can you spot that indicate something is not quite right?


Here’s what comes up if you hover the mouse over the word “link”:


How many fraud indicators did you find?

Here are the ones I found:

  1. Very vague subject line: if this were an actual delivery confirmation, the subject line would usually refer to it in some way. It wouldn’t just say “Order Info.”
  2. The “From” information: support@yummy.cookiesmadeeasy.com is not a Target email address.
  3. The logo is wrong. No bullseye anywhere.
  4. “As Thanksgiving nears…” Thanksgiving was a couple weeks ago. Wrong holiday, dummies.
  5. The (attempted) conversational tone of the email: if you had an actual order to pick up, the email would begin with this information. Whichever holiday is approaching is absolutely irrelevant (for the store) to the fact that they’ve got merchandise they want you to pick up as soon as possible.
  6. The excruciatingly bad grammar. Go ahead, read it out loud. It’s beyond horrid.
  7. This isn’t even how in-store pickup orders work…the customer chooses which store to have their purchase shipped to, and that’s where it goes. That’s the only place it goes. You don’t just go to any random location because they don’t ship one to every single store when an order comes in.
  8. And what happens if I don’t “pick it” within four days? Again, not how online orders work.
  9. The stores aren’t called “Target.com.”
  10. When you get a real order confirmation email, the order information is almost always included in the message. You don’t have to click a link to get to it.
  11. Speaking of links: makingteamsrock.com? Not a Target website.
  12. “Always yours, Target.com.” Pretty sure they don’t refer to themselves as “Target.com.” Or use “Always yours” as a closing.
  13. Not one single item in the “privacy policy” line at the bottom is an actual link.

So, I found thirteen. Did you catch any that I didn’t?

New phishing attack poses as PayPal email…

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.

Of data breaches and phishing

Pretty much everyone who pays attention to anything is aware that an awful lot* of credit and debit card information was stolen from Target stores by hackers. That card data almost immediately showed up for sale on Internet forums used by cybercriminals.

It is the biggest data breach story to date. A lot of people shop at Target, and even more people shop at Target between Thanksgiving and Christmas.

But, as with everything else, it can’t just stop there. Other scammers have to get their fingers in the pie, too; phishing attacks have begun to surface that mention the Target breach. These messages claim to offer protection from fraud, or ways to see if your card data was one of the compromised few.* And like every other phishing attack, they’re just trying to harvest your account information.

Even if you shopped at Target between November 27 and December 15, 2013; even if you’re really worried; even if you’ve already experienced fraudulent charges…a phishing attack is still a phishing attack. Never trust anyone who contacts you out of the blue and asks for personal or account information, whether by phone, email, text message, telegraph, smoke signal or semaphore.

As for what to do about the actual breach (now that you’re immune to the phishing attacks)? Keep tabs on your credit and debit cards. Get online access to your accounts if you don’t already have it (and use a good, strong password). If your card issuer offers email or text alerts for card activity, sign up for them. If you see something suspicious, report it to the card issuer immediately. Above all, don’t let your guard down when you get emails or text messages the refer to the data breach. Falling for a phishing attack can only make things worse.

*110 million or so.

How to spot a disguised link in an email message

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:


Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.

Beware LinkedIn phishing emails

Here’s a screenshot of an email message I got the other day (click to enlarge):2012-10-17-fpu-01

There are a total of five links within this message, all of which lead to a different website and none of which lead to a page hosted at LinkedIn.com. The links were located in these places:

  1. The yellow “Accept” button
  2. The white “Ignore Privately” button
  3. “Marva Leonard”
  4. “Unsubscribe”
  5. “Learn why we included this”

Of course, the real issue here is that this looks like it could be a real email from LinkedIn (and hey, the VP Operations from Allstate wants to know you, wow!). But look what happens when I hover the mouse over the “Unsubscribe” link, for example (detail):


I’m not sure what’s on that site (I didn’t click to find out), but I can promise you it’s not a real LinkedIn page. Most likely it’s a hacked website that will attempt to infect your computer with malicious software.

If you’re a LinkedIn user, it’s important to be careful with email messages that appear to be from the network. Hover your mouse over any links before you click. Better yet, just visit the site directly and log in to your account; if you’ve got pending invitations, they’ll show up.

Also, most email clients these days don’t display embedded images unless you manually tell them to (note the red “X” and the word “LinkedIn” in the upper right corner of the message). There’s usually a box or a bar that says something like this:


Unless you know who the message is from and what it contains, never click on that box.

Email Scam/Malware Alert: “Corporate eFax message”

I received this message yesterday afternoon (links have been removed, but are shown in blue):

*   *   *

From: eFax <[redacted]@coderbit.com>
Subject: Corporate eFax message – 9 pages

Fax Message [Caller-ID: 680-973-3656]

You have received a 9 pages fax at Wed, 03 Oct 2012 22:22:19 -1000.

* The reference number for this fax is min1_20121003222219.1055179.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login

© 2011 j2 Global Communications, Inc. All rights reserved.

eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

*   *   *

eFax is a real company, and the whole thing looks right, with the footer and all. So how did I know this message was bad news?

By mousing-over the links. I’ve used that term before but I’ve never explained it, so here it is: to mouse over (or mouseover) is to move the cursor (the arrow, usually) on your screen over a link without clicking on it. In most web browsers and email clients, this action will show you where the link actually leads, usually in the lower left corner of the window. If the text of the link says one thing, but the information that shows up when you mouseover, that’s a good indication of foul play.

In this case, every single link was disguised. Here are the links and where they actually led, in order. Do NOT visit any of the sites listed!

  1. min1_20121003222219.1055179: www.bathroomdesignstafford.co.uk/SAMiMyXq/index.html
  2. Click here to view this message: gurkan.bae.com.tr/1ttCGhGq/index.html
  3. www.eFax.com/en/efax/twa/page/help: webview360.net/Zn3VbH/index.html
  4. Home: egelisanfen.com/v2WPTAhV/index.html
  5. Contact: christianharfouche.net/Q1uRBnn/index.html
  6. Login: teknoturkbilisim.com.tr/5UTrCN5/index.html
  7. eFax® Customer Agreement: happlications.com/phjbPEB/index.html

You’d think a legitimate message from eFax would have at least ONE link that led to eFax.com, wouldn’t you? You’d also think the “from” address would contain “@efax.com.”

Instead, we’ve got web pages from all around the globe, including the UK and Turkey (.tr). Every single one of these pages has likely been compromised with malware.

Word on the street is that the linked sites will try to infect your computer with the BlackHole exploit kit, which takes control of your computer and adds it to a worldwide network of compromised (“zombie”) computers used to traffic illicit data, launder money and other criminal activity.

Like I said, bad news. If you get this message (the number of “pages” in the subject line may be different), don’t click. Delete it on sight.