Phishing emails can easily catch you unawares

A few days ago, towards the end of the working day, I checked my email and found a message from my internet provider. It said that I needed to log in to my account in order to upgrade the options on my account. I was a bit puzzled about which password it wanted and entered my email password for the email account provided by my ISP.

For some reason that – with hindsight – I really don’t understand, I was taken to the genuine login page for my ISP and told that I had entered an incorrect password. After trying the account password and the email password a couple more times, I realised that the email was a phishing scam. This was immediately obvious when I looked at the email address of the sender – nothing whatever to do with my ISP. Here is the email:

[Image: the phishing email, captioned "This is what I fell for"]

In these circumstances, it is important to act quickly before the bad guys can take advantage of the information you’ve just stupidly given them. So, I called my ISP (who, being Zen, answered almost immediately and were able to direct me to my password-changing options quicker than I could have found them myself). Just for good measure, I changed the password for both the account and for the email.

Nasty scam emails can have more than one “payload” in each message, so I also ran Malwarebytes and a full antivirus scan. These came out clean.

Now, the morals of this tale are twofold:

  • Over 30 years' professional IT experience doesn't entirely protect you from doing something daft occasionally – especially, I suppose, towards the end of the day. This is also a good reason for making sure that you take data backups. Some mistakes can be rectified by fishing something out of the recycle bin, but not all.
  • Do not EVER use a password in more than one place. The email password I gave away had been allocated by my ISP when I joined them 14 years ago. I am absolutely sure it has never been used for anything else. Therefore, as soon as I had changed the email password in my Zen account, I was completely confident that I had not exposed any other accounts.

    [Image: phishing warning, captioned "..pity I didn't realise that it WAS from an unknown sender"]

    Just imagine the grief I’d have been in for if I’d used the same password for Amazon, Youtube, Norton, Apple, Microsoft, Google, etc. It could have taken hours to find all the places where I might have used the same password, and taken corrective action. Indeed, one of my clients had an incident a year or so ago, following which I recommended that she change her passwords, and she later told me that it took more than a day.

I know I keep finding new excuses for making passwords the subject of these blog posts, but the truth of the matter is that this is the area of computing that causes my own clients the single biggest problem. Being rigorous in using unique, strong passwords, and being equally rigorous in knowing where to find your passwords and which one refers to which account, can save a great deal of trouble in the long run. It can also minimise the risk and the hassle if you should happen to have a senior moment late in the afternoon.

From time to time, I get a phone call from one of my computer support clients asking whether an email they have received is genuine or a scam (eg a phishing email). Quite often, they will forward the message to me for my comments.

Checking back on nearly seven years of blog posts, I’m surprised to find that I don’t seem to have covered this issue specifically before, so here’s a list of some of the pointers I look for in deciding whether an email is likely to be genuine or not:

  • The “From” address looks dodgy. If, for instance, you receive an email from “fred@amazon.org” then that’s likely to be fake as the UK domain for Amazon is “amazon.co.uk”. Another common trick is for the domain of the sender to be spelled very, very close to the spelling of a “genuine” sender (such as “sales@amazone.co.uk”). Unfortunately, even if the sender’s email address does look correct, it doesn’t have to be genuine, as it’s possible for anyone with the right knowledge to “spoof” an email address – ie make it look as if an email has come from an email address other than the actual sender. There’s nothing you can do about a spoofed sender address: just be vigilant.
  • The email includes an attachment. Always be very, very careful about opening any attachment that you were not expecting. An attachment can look like anything (eg “Claim Your Prize.pdf”) but, in reality, be something else (eg “nastymalware.exe”). A common way of getting people to open hazardous attachments is to pretend that the attachment contains private information that has been sent to you in error – eg “companypayroll.xlsx”. They are relying on your nosiness to cause you to open something nasty that you think was sent to you in error.
  • The email includes logos, or styles or “house colours” that don’t look quite right in the context of who is supposed to be the sender. A genuine email from a reputable organisation would never get its own logo wrong (eg the shape, or the resolution).
  • The style of the English is stilted or strange, or words are mis-spelt or mis-used. Yes, I know that genuine national institutions are far from perfect in their use of English (I’ve seen rogue apostrophes in BBC content!), but I’m talking here of something more blatant. The worse the English, the less likely the email is to be genuine (assuming, that is, that it is purporting to come from a reputable organisation and not an individual).
  • If there appears to be a dire threat either stated or implied, then the email could be suspect. Think about it: if you’ve been spending megabucks with Amazon over the years, they’re hardly likely to want to lose your custom, so an email that threatens “confirm your password now or your account will be closed” would hardly be the best way for Amazon to behave towards a valued client.
  • On the other hand, if an email includes an offer that seems to be too good to be true, then it almost certainly IS too good to be true.
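As an added illustration (my example code, not anything from the original post), here is a small Python checker that applies several of the pointers above to a raw email, plus the “Dear Valued Customer” test from the later post: a sender domain that imitates a trusted one (wrong top-level domain or near-miss spelling), an attachment whose executable extension hides behind a document name, an impersonal greeting and threatening wording. The trusted domains, phrase lists, similarity threshold and the sample message are all constructed assumptions for the demo.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
# Assumed: domains the reader genuinely deals with (not taken from the post).
TRUSTED_DOMAINS = {"amazon.co.uk", "zen.co.uk"}
URGENCY = ("account will be closed", "confirm your password", "act now")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")

def lookalike_domain(domain, trusted):
    """Trusted domain that `domain` imitates (wrong TLD or near-miss spelling), else None."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        same_name = domain.split(".")[0] == t.split(".")[0]
        if same_name or SequenceMatcher(None, domain, t).ratio() > 0.8:
            return t
    return None

def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Apply the post's pointers to one raw message; return a list of reasons."""
    msg = message_from_string(raw_message)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if (imitated := lookalike_domain(domain, trusted)):
        reasons.append(f"sender domain {domain!r} imitates {imitated!r}")
    body = []
    for part in msg.walk():  # the multipart container itself has no filename
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable attachment {name!r}")
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = (msg.get("Subject", "") + "\n" + "\n".join(body)).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        reasons.append("impersonal greeting")
    if any(u in text for u in URGENCY):
        reasons.append("threat or urgency wording")
    return reasons

def constructed_sample():  # constructed demo message, not a real phishing email
    m = EmailMessage()
    m["From"] = '"Amazon Customer Service" <sales@amazone.co.uk>'
    m["Subject"] = "Confirm your password now or your account will be closed"
    m.set_content("Dear Valued Customer,\n\nOpen the attached file to claim your prize.\n")
    m.add_attachment(b"not a real program", maintype="application",
                     subtype="octet-stream", filename="Claim Your Prize.pdf.exe")
    return m.as_string()
```

Running `phishing_indicators(constructed_sample())` reports all four indicators; a message from an exact trusted domain with a named greeting and no attachment reports none. A spoofed but correctly spelled sender address, as the post says, passes this check, so it is a filter for the obvious cases, not proof of authenticity.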

If you have any doubts at all about the bona fides of an email then do not click on any link in that email. Clicking on a link in a suspect email could take you to anywhere in cyberspace that the sender wishes to send you. You could end up downloading malware onto your computer: you could end up on a website that looks genuine but isn’t (where you end up divulging a username and password – or more).

Instead, contact the supposed sender by phone, or via their website. Access their website in the way that you normally do – not by any link within the suspect email. By the same token, do not ring any phone number quoted in the email. Verify by other means the true phone number of the purported sender. Do not be embarrassed to phone the organisation to check whether the email did come from them. Do not feel that you are wasting their time. If someone is using their reputation to try to con you then they want to hear about it. You look much less daft checking that something is genuine than clearing up the mess if you went ahead regardless and fell into something nasty.

Although I don’t seem to have covered this topic directly before, I’ve come pretty close: there are some links below. I don’t apologise for including the link to my blog post about the “Microsoft Support scam”. People are still getting caught out by unexpected phone calls from scammers pretending to be from Microsoft.

Telephone Scams

Spear Phishing

GameOver, Zeus and Cryptolocker

Is It Safe to Download a File?

Phishing for your information (and money) is becoming more sophisticated

We’ve all received phishing emails that pretend they are from trusted sources such as banks. They want us to hand over information that will let them steal money from us. And who among us hasn’t made their fortune by partaking of a Nigerian businessman’s plan to move money from his own country?

When they first started, such email scams were a bit of a joke. The spelling, grammar, and use of English were poor. Over the years they’ve become a lot more realistic, but they all share a big flaw in that they are not personally addressed to the recipient. Anyone asking for personal information or money in an email that begins with “Dear Valued Customer” is a fraud. Just delete it, or, if any doubt remains, phone the person it purports to come from.

But what if you receive an email (asking for money) that you are expecting? Suppose you’ve just spent £5,000 on a conservatory and you get an email with an invoice asking you to pay the money into a specific bank account. This is a perfectly normal way of doing business. I, myself, am being paid more and more often by my computer support clients in exactly this way. The email appears to come from the correct supplier, the recipient’s name and address are correct, and nothing at all appears to be suspicious.

This is an example of spear phishing. Instead of sending gerzillions of rubbish scam emails to all and sundry (phishing), the bad guy is homing in on a particular individual because he has some information about that individual that may allay that individual’s suspicions about his bona fides.

In this instance, what may have happened is that the supplier’s email has been hacked and the hacker has been watching the correspondence between the supplier and his customers (including you). So, he KNOWS who you are, what you bought, how much, and so on. He just has to jump in at the right time and ask you to pay money into his own bank account.

The above is a very specific form of spear phishing. There are more general kinds whereby someone emails you asking for something confidential from you, posing as a “friend” or a “friend of a friend”. Now, people who know me know how I loathe Facebook and other social media, and their avowed intention to share as much personal information as possible among as many people as possible. This is my chance for a mega-gloat and a smug “told you so”. Remember that thingy you bought on Amazon and Amazon asked you to “like” it on Facebook? You did, and now someone’s emailing you knowing you’ve recently bought it and they could use information such as this to start trying to gain your trust and get you to reveal information they can use to your disadvantage.

Another variation of spear phishing is that a bad guy hacks into a database containing customers’ names, email addresses and postal addresses, and then uses that information to convince them (in an email) that their demands for money are genuine even if no credible sale is mentioned. After all, previous rubbish scams asking for money didn’t have any personal information, so could be safely ignored, whereas if someone knows your postal address then they must really know you, right? They needn’t even be expecting you to pay the invoice. The supposed “invoice” attached to the email could be a link that downloads ransomware to your computer and then you really are in trouble.

So, there are lots of ways that the bad guys can lull you into a false sense of security by quoting information that is personal to you in emails that they send you.

I hope that knowing of this increased sophistication of the scammers helps to encourage you to be a little more careful than I am sure you already are when any email sender asks you to part with personal/confidential information or even money.

What do you do (and not do) if an email asking you for information or money arouses your suspicions in any way?

  • Contact the sender, but NOT by replying to the suspicious email.
  • Do not find the sender’s phone number or email address from the suspicious email. Find the contact details from a previous email, your address book, or phone history.
  • Do not open any attachment in the suspicious email.
  • Do not click on any link in the suspicious email.

For a more complete (and authoritative!) exposition, have a look at this article from Norton on Spear Phishing.

And for recent examples, have a look at this blog post from Tripwire on spear phishing.

By the way, if you ever suspect that an email message with an invoice sent by me to you is not genuine, then just phone or text me on 07961 387564.

© 2011-2019 David Leonard
Computer Support in London