Back to Fred Mac Donald's Blog
How to Recognise Spam, Scam and Phishing Email
By pure chance I noticed a warning on the news the other day about a PayPal phishing scam doing the rounds. It is no secret that thousands of people still fall for these scams and lose £££ every year.
It did not take long for my expected copy of the PayPal phishing email to arrive...
The main reason is that they do not take the minimum precautions to keep themselves safe while doing business on the internet.
Think you are safe? Think again. Follow this link to see what the internet knows about your computer: http://browserspy.dk/fonts-flash.php
You might be surprised to see that we can even detect the total number of fonts and their names. Feel free to click some of the links on the left of the link above.
I am going to keep this article as simple as possible, so readers with more knowledge than the average user, please do not shoot me down for not mentioning something.
- Know who you will receive e-mail from
If you do not recognise the person or email address the email is coming from, it's probably a scam.
- Do not display Images
Configure your email client to “Not show images” by default. Images are not normally sent with the e-mail but stored on the internet somewhere. When you view the e-mail the images get downloaded from the internet and displayed in the email. No matter what your security settings are, the person sending you the email could potentially get a lot of information from your PC.
- Do not open the e-mail
E-mail could have “tracking bugs” hidden in it. When you open the email this “tracking bug” is “activated” and a report is sent to the spammer confirming your email address is active.
- Do not open attachments
For someone to hack into or hijack your PC, they need to install a small program on your computer or mobile device. The easiest way to do this is by sending you an email with an attachment disguised as something else. This attachment, when opened, might install a program turning your computer into a “bot” or install a “key logger” recording everything you type and sending it back once you log on to the internet again.
A “bot” is a computer used by the scammers to send spam email to other computers, or to hide the location of the hacker by using your computer as a “gateway” to the next computer.
- Do not simply click links
When it comes to spam the link will always be masked to hide the fact that they are using a hacked computer to get you to download or give away your information.
- Do not unsubscribe
If you find an unsubscribe link in the email it probably points to a location where you will be downloading the virus/bot software. At the very least you will confirm to the spammer that your email address is active and you can expect more of the same type of email or e-mail inviting you to stock up on your Viagra.
- Do not reply to the e-mail
Replying to the email is pointless. Usually the email address would not even exist or at the very least is "stolen" from some unsuspecting user.
- Do not blacklist the sender e-mail
Blacklisting it and thinking you are doing your bit is pointless as the e-mail address is probably fake or stolen. A better idea is to blacklist the IP address of the sender. That will block all e-mail sent to you from that specific IP address regardless of the e-mail address used.
No matter what you do you will probably be targeted at some point. If you are targeted, follow the next couple of steps to figure out where to go before you click any links or download any attachments.
How to check if the e-mail is spam.
Now let's presume you have a PayPal account. Let's further presume you clicked on any ads, links, attachments or bought any Viagra online and you receive an email from PayPal telling you to check your PayPal account by clicking on the supplied link. How do you know if the e-mail is legit?
I am not going to go into details discussing what a PayPal e-mail should or should not look like. They can change the e-mail layout any time they want. Showing you what to look for in general is more important.
My example is based on the PayPal phishing email I received this morning, what I checked and what I did about it. If you know your email client it should not take you any longer than a couple of seconds.
In my example I have a red rectangle around the suspect information.
- The e-mail I received
- The first thing I noticed was the “Subject” line: “check your information”, a “;” and then “invoice 258233”. One would expect at least proper capitalisation.
- The sender name is correct as “PayPal”, however the email address has nothing to do with PayPal.
- One would also expect proper grammar.
- Check the “Verify Now” link
I am using the email client supplied by my ISP. Your e-mail client will most probably be slightly different.
- By hovering my mouse over the link I can see in the bottom left hand corner the URL the link is pointing to.
For a “PayPal” link I would expect it to be something starting with “https://paypal”, not “bit.ly” as is the case here.
- At this point I already know it is a phishing e-mail and no links are to be clicked.
- Report the e-mail to PayPal, delete it and move on…
- Still not sure? Check the e-mail headers
E-mail headers are information, normally hidden by your e-mail client, sent with each email. They contain a lot of information useful to those who want to take the couple of seconds to study them to save themselves a lot of hassle.
If you are not sure how to find the email headers in your email client, follow this link to learn how to get your email headers.
You can use this form to Analyse the email headers. Simply copy and paste the headers into the form.
- Here are my email headers
A quick scan shows me exactly where the email originated from.
- It turns out to be an ISP in the Netherlands.
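The three checks described above (sender address, real link target, originating IP in the headers), as an added example that is not part of the original article. It assumes a single-part HTML message; the sample email, host names and IP addresses are constructed. It compares the full host name against paypal.com rather than just the start of the URL, which goes slightly beyond the hover check in the text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not the email from the article. The hosts and IPs are
# made up (203.0.113.45 is a documentation-only address).
RAW = """\
Received: from mx.my-isp.example (mx.my-isp.example [198.51.100.7])
\tby mailstore.my-isp.example; Mon, 01 Jan 2024 09:00:05 +0000
Received: from host45.sender-isp.example (unknown [203.0.113.45])
\tby mx.my-isp.example; Mon, 01 Jan 2024 09:00:01 +0000
From: "PayPal" <billing@unrelated-host.example>
Subject: check your information ; invoice 258233
Content-Type: text/html

<p>Dear customer, <a href="https://bit.ly/EXAMPLE">Verify Now</a></p>
"""

def host_matches(host, brand_domain):
    """True only for the brand's domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def check_message(raw, brand_domain="paypal.com"):
    """Return (list of findings, IP of the earliest relay in the headers)."""
    msg = message_from_string(raw)
    findings = []
    # 1. The display name is free text; only the address behind it counts.
    name, addr = parseaddr(msg.get("From", ""))
    if not host_matches(addr.rpartition("@")[2], brand_domain):
        findings.append(f"sender {name!r} uses address {addr}")
    # 2. Where each link really goes, whatever its visible text says.
    for url in re.findall(r'href=["\']([^"\']+)', msg.get_payload(), re.I):
        host = urlparse(url).hostname
        if not host_matches(host, brand_domain):
            findings.append(f"link points to {host}")
    # 3. Each relay adds a Received header on top, so the last one listed is
    #    the earliest hop. Only hops added by your own provider are reliable.
    origin = None
    hops = msg.get_all("Received", [])
    if hops:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1])
        origin = m.group(1) if m else None
    return findings, origin

if __name__ == "__main__":
    found, origin = check_message(RAW)
    print(*found, f"earliest relay: {origin}", sep="\n")
```

The IP address returned for the earliest relay is the value you would look up to find the sending ISP, or hand to an IP blacklist.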
Reporting the phishing email
PayPal, like all legit companies doing business on the internet, has an “abuse” policy in place with an email address where you can contact them.
PayPal asks you to forward the email to firstname.lastname@example.org
Forward the complete email to the proper address. You can expect some response from them at some point.
- PayPal response
Not exactly the layout you would expect from PayPal. That's why I said earlier that I am not going to discuss the layout of the email but rather the specifics of the company.
- Properly constructed title
- Email address clearly from PayPal
- Link points to paypal.com
- Headers all point to PayPal
What your Internet Service Provider (ISP) is doing to keep you safe
ISPs in general maintain their own blacklists based on the results of internal scans of email messages. These scans are done by “bots” living on the e-mail servers, which scan for certain “patterns” in the email. For example, if the e-mail has the content “...save on viagra...” then it is probably spam and is marked as such. They also scan for certain “types” of attachments and will block an email if the attachment is an executable file, for example.
Furthermore, ISPs use published blacklists to check if the sender IP address is listed and block the email. Usually the block will be the result of a combination of factors, i.e. the initial scan combined with the blacklist check.
The problem with checking blacklists is that unless you pay a monthly fee to your ISP for a dedicated IP address, you are using an IP address that has been used by someone else before. Every time you disconnect from the internet or reboot your BT, Sky, Virgin… router you get issued a different IP address.
You can check what your IP address is at whatismyipaddress.com. If you scroll down a bit on that page you will see a field with your IP address in it. Click the “Check Blacklists” button to see if your IP address is listed anywhere. Do not be surprised if it is.
Staying safe on the internet is becoming more and more of a problem as our lives become more entangled with and dependent on our mobile technology. If you suspect you have been scammed, contact your local law enforcement agency immediately. If funds have been taken from your bank account or you transferred funds somewhere, contact your financial institution immediately.
Stay safe and do not click those links no matter what you do!!!