Zero-day phishing email, a campaign that no filter has seen before, is rarely detected in time by automated tools, so sometimes dangerous email ends up in your inbox.
Our Email Security Training (EST) program is a simple, easy way to learn about and stay updated on phishing emails and build safe email reading habits while you read your normal email.
Below are some examples of phishing email and how to recognize them. These examples contain names of real companies. It is important to know that these companies are innocent and NOT to be blamed for these scams. They could not stop them any more than you could stop someone from putting your return address on a postal mail letter to make it look like it was from you.
This is an email that might LOOK like it is from your credit card company. Except it is NOT from your card company. Here is how you tell.
- First, if you did not expect to get the email, there is a VERY good chance it is BOGUS. Always be suspicious of surprise emails from your bank, credit card company or anyone in the government. For example, the IRS NEVER USES EMAIL FOR OFFICIAL BUSINESS.
- Spamming is high volume and fast-paced. Often the spammers make mistakes or do not have full information to make the best forgery. Notice the account number is missing from the example below.
- Hover or roll (do NOT click!) your mouse over the links that you would normally click on and look in the lower left part of your email window to see where the link will actually take you. IGNORE the link text in the email itself. Go ahead, try it with the email below. The most important part of the link is the text immediately to the left of the first single "/". A link like "http://americanexpress.asgdk.ru/" is NOT safe. The ".ru/" is the key. A legitimate link will have something more like "americanexpress.com/". We changed the example below to point to antespam.com/. Bottom line, if you do not recognize the text to the left of the first single "/", do NOT click on it. If you are not sure but think the email could be important, take the time to make a good old fashioned phone call to customer service.
Confirmation
Verify Your Request
Your Account Number Ending:
Dear Customer, Did you recently verify your User ID or reset the password that you use to manage your American Express® Card account online? If so, you can disregard this email. To help protect your identity online, we wanted to be sure that you had made this request. If not, please click here, or log on to https://www.americanexpress.com/ so we can protect your account from potential fraud. Thank you for your Cardmembership.
Sincerely, American Express Customer Service
P.S. To learn how to protect yourself on the internet and for information about Identity Theft, Phishing and Internet Security, please visit our Fraud Protection Center at http://www.americanexpress.com/fraudprotection.
www.americanexpress.ca/privacy View Our Privacy Statement Add Us to Your Address Book This customer service email was sent to you by American Express. You may receive customer service emails even if you have requested not to receive marketing emails from American Express. Copyright 2012 American Express Company. All rights reserved.
AGNEUMYC0001001
Do you belong to LinkedIn? I do. LinkedIn is a popular site for professionals to network with other professionals... and scammers try to take advantage of that. Below is a convincing example.
- First, this example is complete on the surface. No way to tell if it is a scam just by looking at and reading it, except that it is from someone you probably do not know. That should make you suspicious.
- Your mouse is your friend again. Watch the lower left corner of your web browser (or email program) when you hover your mouse over the name "Julian Murphy", the number of messages, the "Go to InBox now", or the unsubscribe link at the bottom. You can see that the links do NOT take you to linkedin.com. Again we have changed the links to point to AnteSpam.com instead of the original malicious web site.
REMINDERS
Invitation reminders: From Julian Murphy (LinkedIn Member)
PENDING MESSAGES
There are a total of 3 messages awaiting your response. Go to InBox now.
This message was sent to webmaster@cornhuskers.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2013, LinkedIn Corporation.
WOW! Microsoft accidentally sent me someone's remit file! It even has a Confidentiality Notice! All I have to do is open the attached .zip file and read it.
- First off, NO! No one is going to "ACCIDENTALLY" send you a confidential remit file, and definitely not as a zipped Excel file.
- A great rule to always follow is: IF YOU DO NOT EXPECT IT, BE SUSPICIOUS! If you know the sender, call to confirm they sent it. If you do not know them and cannot call them, toss the email in your trash.
To: ME
Subject: FW: Last Month Remit
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_009_4Y80986A2B9UVD0X5S39F1U3EM47D18CPY6OWMQRM81I265MUC5PEQV_"
Sender: PAYVESUPPORT@AEXP.COM
--_009_4Y80986A2B9UVD0X5S39F1U3EM47D18CPY6OWMQRM81I265MUC5PEQV_
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: quoted-printable
File Validity: 04/05/2013
Company : http://mycompany.com
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the
exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information
protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified
that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly
prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any
copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
--_009_4Y80986A2B9UVD0X5S39F1U3EM47D18CPY6OWMQRM81I265MUC5PEQV_
Content-Type: application/zip; name="Remit_canes.com.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Remit_canes.com.zip"
...
OMG! My bill payment failed! I have to investigate and fix this right away! But, WAIT! and think and look closer...
- First, your bank or a real payment processor will NEVER send you a .zip file...NEVER! The government won't even do official business over email.
- Next, this email LOOKS good. But there is one way you can ALWAYS tell if the email is for real. AND THIS CAN NOT BE FAKED.
Use your email program to look at the email header or the email "source". Once you have the header, look carefully starting at the TOP going down for the 3 lines that start with "X-AnteSpam-" (see the example below). Once you find those 3 lines, look at the next line down. THAT line and no other tells you the name of the mail system that REALLY sent this email. We KNOW that line can be trusted because AnteSpam wrote it.
As you can see below, in the case of the Bill Payment failed scam, the line is "Received: from fiserv.com (unknown [38.86.160.180])". AnteSpam writes that the sending mail system claims its name is "fiserv.com" and its IP address is "38.86.160.180". AnteSpam then checks the Internet DNS for the host name at the IP address, 38.86.160.180, and reports it next to the IP address inside the "( )". As you can see, AnteSpam found NO NAME for the computer at 38.86.160.180 and wrote "unknown". This is how you know that computer is probably trying to pretend it is someone it is not.
X-AnteSpam-Report: http://antespam.com/missed/d2f5c444d50ed2e5572f3670638c2e7bc703951d1adda3
X-AnteSpam-From: auto-notification@fiserv.com
X-AnteSpam-Score: 0.902
Received: from fiserv.com (unknown [38.86.160.180])
    by incoming.antespam.com (Postfix) with ESMTP id BA6E7206FEE
    for myaddress@mydomain.com; Tue, 9 Apr 2013 08:41:38 -0500 (CDT)
- And finally, if you are still not sure, call your bank or payment processor and confirm they are not crazy enough to be sending zip files to you over email.
You have a new e-Message from Bank of America
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill. Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account. If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees. We apologize for any inconvenience this may cause. Please do not reply to this message. If you have any questions about the information in this e-Bill, please contact your Bill Pay customer support. For all other questions, call us at 800-887-5749.
Bank of America, N.A. Member FDIC. Equal Housing Lender ©2013 Bank of America Corporation. All rights reserved.
Please do not delete this section.
Email_ID:#732262168580316675814_
========================================
--------------01030100401090304020703
Content-Type: application/zip;
name="04092013.zip"
Content-Transfer-Encoding: base64
Content-ID: <33b39f7643df$a3f22cd9$0a33a1dd$ATONYND>
Content-Disposition: inline;
filename="04092013.zip"
FedEx could not deliver your package!
- First, the message, "To receive your parcel, please, print this receipt and go to the nearest office.", is a little "terse" and of course not correct. But you don't always know that.
- Most importantly, roll your mouse or hover (do NOT click!) over the Print Receipt link and watch the lower left corner of your browser or email program. If this was from FedEx the link would point to fedex.com/somewhere.
Do not just look for the correct domain name, fedex.com, anywhere in the link URL. To be safe, the correct domain MUST always be followed by the FIRST single "/" (like FedEx.com/, or DHL.com/, or UPS.com/).
A URL like "http://fedex.com.givemeyourpassword.in/gotcha/.krbsvx.php?receipt=854_2201783" is NOT safe.
FedEx
Tracking ID: 2123-28841711
Date: Monday, 17 March 2013, 11:05 AM
Dear Client, Your parcel has arrived at March 21. Courier was unable to deliver the parcel to you at 21 March 05:48 PM. To receive your parcel, please, print this receipt and go to the nearest office.
Best Regards, The FedEx Team.
FedEx 1995-2013
AARP Wants You!
- This one is pretty easy to spot. Just look at where those http: links will take you...NOT to an AARP web page, that's for sure.
REMEMBER, do not just look for the correct domain name, aarp.com, anywhere in the link URL. The correct domain MUST always be followed by the FIRST single "/" (like AARP.com/).
A URL like "http://www.aarp.com.antespam.com/gotcha/.krbsvx.php?receipt=854_2201783" would take you to an antespam.com page if that page existed.
Date: Mon, 08 Apr 2013 13:02:07 -0500
From: "AARP update"
MIME-Version: 1.0
To: you@yourdomain.com
Subject: Enroll today and get a gift on us
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
No one does more for people over 50 than AARP - learn more today:
http://www.aarp.com.antespam.com/1a84611d66a4c4176a64f552cc/C/i=rlsyt/o
AARP, 601 E. Street NW, Washington, DC 20049
To unsubscribe please use the link below:
http://www.aarp.com.antespam.com/r/move/116/6084/5590950
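The rule repeated in the card-company, FedEx and AARP examples above (the real destination is the text immediately left of the FIRST single "/", and the link text means nothing) can be checked mechanically. The script below is an added example written for this page, not AnteSpam's own code or tooling: it pulls the host out of a URL with the standard library, decides whether the brand's domain is really what sits in front of that first "/", and then walks the anchors of an HTML message to report every link whose real destination is not the brand's site. The sample HTML is constructed here in the style of the card-company email, with antespam.com standing in for the scam host as it does throughout this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Return the text between '://' and the FIRST single '/': the host the
    browser will really connect to. Scheme, port, path and query are dropped,
    so 'http://fedex.com.givemeyourpassword.in/gotcha/...' yields the .in
    host, not the 'fedex.com' that merely appears at the front of it."""
    if "://" not in url:
        url = "http://" + url          # bare 'americanexpress.com/' style links
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_brand_link(url: str, brand_domain: str) -> bool:
    """True only when brand_domain is exactly the host or a parent of it:
    www.americanexpress.com passes, americanexpress.asgdk.ru and
    www.aarp.com.antespam.com do not."""
    host = link_host(url)
    brand = brand_domain.lower()
    return host == brand or host.endswith("." + brand)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message. The visible
    text is whatever the sender typed; the href is where you really go."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse line breaks inside the anchor text to single spaces
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html: str, brand_domain: str):
    """Return the (href, text) pairs whose real destination is not the
    brand's own domain, whatever the link text claims."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if not is_brand_link(href, brand_domain)]


# Constructed sample (not from the page): link text shows the real site,
# the hrefs do not. The last link is genuine and must not be reported.
SAMPLE_HTML = """
<p>If not, please <a href="http://antespam.com/">click here</a>, or log on to
<a href="http://americanexpress.antespam.com/">https://www.americanexpress.com/</a>
so we can protect your account from potential fraud.</p>
<p>Visit our <a href="http://www.americanexpress.com/fraudprotection">Fraud
Protection Center</a>.</p>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_HTML, "americanexpress.com"):
        print(f"link text {text!r} really goes to {link_host(href)} ({href})")
```

Running it on the sample reports the "click here" link and the link whose text reads https://www.americanexpress.com/ but whose href points at antespam.com, and stays silent on the genuine Fraud Protection Center link. The suffix test is deliberately strict: "fedex.com" must be the end of the host, so "fedex.com.givemeyourpassword.in" fails even though the brand name is right there at the front.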
This looks scary. It also looks pretty official with a case number and no suspicious http links. The dangerous part is the attached zip file which will infect your PC (and possibly your entire business network of PCs) faster than you can sneeze.
How do you know it is a scam? Two big things give it away.
- The IRS and Dept of Treasury DO NOT send official notices through email! NEVER! If the Federal or State government wants to communicate with you, they will send postal mail first.
- No one in the Federal or State government is going to send you a zip file out of the blue. They might if you have communicated with them and requested scanned copies of documents or something similar to be sent via email. But that will only happen if you have requested it. So if you did not ask for a zip file to be sent to you, IT IS PROBABLY DANGEROUS! Throw that email in the trash!
Date: Fri, 1 Feb 2013 16:56:06 +0200
From: CustomerSupport@fms.treas.gov
To:
Message-ID: <6945136892.33093629130535826419.JavaMail.wasuser@fmsprap47.bpd.treas.gov>
Subject: Department of Treasury Notice of Outstanding Obligation - Case 5D8EH6CQ
MIME-Version: 1.0
X-TNEFEvaluated: 1
Content-Type: multipart/mixed;
boundary="_007_OH9MPIF0O5PY8OIE5SWZNK90N4J53UBQ6UE138KCN8E4AHLRCDG3TH2_"
Sender: message@securebank.com
--_007_OH9MPIF0O5PY8OIE5SWZNK90N4J53UBQ6UE138KCN8E4AHLRCDG3TH2_
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: quoted-printable
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned contract or
grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at
1-800-304-3107 to address this issue. Please make sure the person making
the telephone call has the Taxpayer Identification Number available AND
has the authority/knowledge to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk at:
http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-9695
Int. Phone 1-344-206-1595 for international calls
For DSN, dial 809-463-2714. Wait for a dial tone, and then dial 866-606-7945.
--_007_OH9MPIF0O5PY8OIE5SWZNK90N4J53UBQ6UE138KCN8E4AHLRCDG3TH2_
Content-Type: application/zip; name="FMS-Case-5D8EH6CQ.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="FMS-Case-5D8EH6CQ.zip"
attached zip file
I got an alert from BreakingNews@mail.CNN.com? Not really!
If you made the mistake of clicking on the links in the original scam email, your computer could have been infected with a "drive-by" virus that could capture passwords to your online accounts or worse. Here is how you know the email is a fake and possibly dangerous.
- First and again, your mouse can show you something is wrong. Just move your mouse over (do NOT click!) the different links and watch the lower left of your email program or browser. There you will see the link is NOT going to a cnn.com web site. We have manually modified the links to harmlessly point to antespam.com, but the original was definitely NOT CNN.
- If the forged links are not enough, you can look at the email headers in the source. Once you have the header, look carefully starting at the TOP going down for the 3 lines that start with "X-AnteSpam-" (see the example below). Once you find those 3 lines, look at the next line down. THAT line and no other tells you the name of the mail system that REALLY sent this email. We KNOW that line can be trusted because AnteSpam wrote it.
As you can see below, in the case of the BreakingNews scam, the line is "Received: from hawk217.t-bird.edu (hawk217.t-bird.edu [192.160.35.217])". AnteSpam writes that the sending mail system SAYS its name is "hawk217.t-bird.edu" and its IP address is "192.160.35.217". AnteSpam then checks and confirms that. The problem here is the ".edu" in the sending server name means this came from a school computer, NOT CNN.
X-AnteSpam-Report: http://antespam.com/missed/c42098b9feb45037a578a0eb7fa9d1fecb68f96920eaf02c60eba33473753b51
X-AnteSpam-From: pantomimingpw50@emalsrv.cnn.com
X-AnteSpam-Score: 1.311
Received: from hawk217.t-bird.edu (hawk217.t-bird.edu [192.160.35.217])
    by incoming.antespam.com (Postfix) with ESMTP id E715B2070DD;
    Wed, 17 Apr 2013 11:37:11 -0500 (CDT)
Your American Airlines (or any airline) Ticket? No.
If you made the mistake of clicking on the "Download It" link in the original scam email, your computer could have been infected with a "drive-by" virus that could capture passwords to your online accounts or worse. Here is how you know the email is a fake and possibly dangerous.
- First, if you are not expecting a confirmation email for an upcoming flight, it is very likely dangerous, so DELETE IT.
- Again, your mouse can show you something is wrong. Just move your mouse over (do NOT click!) the Download link and watch the lower left of your email program or browser. There you will see the link is NOT going to an American Airlines web site. We have modified the link in this example to harmlessly point to antespam.com, but the original was definitely NOT American Airlines.
- If the forged Download link is not enough, you can look at the email header in the source. Once you have the header, you will see lines that start with "Received:" followed by one or two indented lines. These "Received: paragraphs" will look something like the example below and there could be a LOT of them, anywhere from one to thirty. This example shows two "Received: paragraphs":
Received: from d307.dinaserver.com (d307.dinaserver.com [82.98.148.182])
    by incoming.antespam.com (Postfix) with ESMTP id 17C9B2B08696
    for ; Thu, 18 Apr 2013 07:37:48 -0500 (CDT)
Received: by d307.dinaserver.com (Postfix, from userid 30265)
    id 4B77F1889FEE; Thu, 18 Apr 2013 14:37:45 +0200 (CEST)
Look carefully near the top of the header for the "Received:" paragraph with a second line starting with "by incoming.antespam.com". THAT paragraph was written by AnteSpam and can be trusted. This paragraph will also usually follow an "X-AnteSpam-Score:" line. As you can see in the example above, in the case of the AA Ticket scam, the AnteSpam "Received: paragraph" shows the email was "Received: from d307.dinaserver.com (d307.dinaserver.com [82.98.148.182])". American Airlines email is NOT going to be sent from "dinaserver.com".
American Airlines
Customer Notification
Your bought ticket is attached to the letter as a scan document. To use your ticket you should Download It.
Electronic Ticket Number: EH1177583996
Seat: 21F/ZONE 1
Date / Time of Departure: 19 APRIL, 2013, 10:45 PM
Flight Time: 09:35
Arriving: Louisville
Ref: LE1250 ST / OK
Bag: 6PC
Form of payment: CC
Total Price: 188.88 USD
Thank you, AA.com Team.
American Airlines 2013
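The header check described in the Bill Payment, BreakingNews and airline-ticket sections above (find the Received: paragraph the border system wrote, read the HELO name, the reverse-DNS name in parentheses and the IP address in brackets, and compare them with who the mail claims to be from) is the same procedure each time, so here it is as one script. This is an added example written for this page, not AnteSpam's own code: it unfolds the indented continuation lines, takes the first Received: paragraph whose "by" host is incoming.antespam.com (on this page that is the line right below the three X-AnteSpam- lines), and reports an "unknown" reverse-DNS result, a HELO name that disagrees with reverse DNS, or a sending host whose domain is not the sender's claimed domain. The three header blocks are constructed from the lines quoted on this page; the aa.com sender address in the third block is a placeholder, since the page does not show that header.

```python
import re

# Border mail system named on this page; another filter would write its
# own hostname into the trusted Received: paragraph.
BORDER_HOST = "incoming.antespam.com"

# Constructed samples built from the header lines quoted on this page,
# folded onto tab-indented continuation lines as a mail program shows them.
BILLPAY = """\
X-AnteSpam-Report: http://antespam.com/missed/d2f5c444d50ed2e5572f3670638c2e7bc703951d1adda3
X-AnteSpam-From: auto-notification@fiserv.com
X-AnteSpam-Score: 0.902
Received: from fiserv.com (unknown [38.86.160.180])
\tby incoming.antespam.com (Postfix) with ESMTP id BA6E7206FEE
\tfor myaddress@mydomain.com; Tue, 9 Apr 2013 08:41:38 -0500 (CDT)
"""
CNN = """\
X-AnteSpam-Report: http://antespam.com/missed/c42098b9feb45037a578a0eb7fa9d1fecb68f96920eaf02c60eba33473753b51
X-AnteSpam-From: pantomimingpw50@emalsrv.cnn.com
X-AnteSpam-Score: 1.311
Received: from hawk217.t-bird.edu (hawk217.t-bird.edu [192.160.35.217])
\tby incoming.antespam.com (Postfix) with ESMTP id E715B2070DD;
\tWed, 17 Apr 2013 11:37:11 -0500 (CDT)
"""
# The X-AnteSpam-From value here is a placeholder (not shown on the page).
AIRLINE = """\
X-AnteSpam-From: someone@aa.com
Received: from d307.dinaserver.com (d307.dinaserver.com [82.98.148.182])
\tby incoming.antespam.com (Postfix) with ESMTP id 17C9B2B08696
\tfor you@yourdomain.com; Thu, 18 Apr 2013 07:37:48 -0500 (CDT)
Received: by d307.dinaserver.com (Postfix, from userid 30265)
\tid 4B77F1889FEE; Thu, 18 Apr 2013 14:37:45 +0200 (CEST)
"""

# "from HELO (RDNS [IP])" as Postfix writes it; RDNS is "unknown" when the
# IP address has no reverse DNS name.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)")


def unfold(raw: str):
    """Join each indented continuation line onto the header above it and
    return (name, value) pairs in their original order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str):
    """Split the 'from' clause into helo, rdns (None for 'unknown') and ip.
    Returns None for hops written without a 'from' clause."""
    m = RECEIVED_FROM.search(value)
    if not m:
        return None
    rdns = m.group("rdns")
    return {"helo": m.group("helo"),
            "rdns": None if rdns.lower() == "unknown" else rdns,
            "ip": m.group("ip")}


def trusted_received(raw: str, border: str = BORDER_HOST):
    """The one Received: paragraph the border system wrote itself: the first
    whose 'by' host is the border. Every hop below it came from the sender."""
    for name, value in unfold(raw):
        if name.lower() == "received" and f"by {border}" in value.lower():
            return parse_received(value)
    return None


def registrable(host: str) -> str:
    """Last two labels (fiserv.com, t-bird.edu). Enough for the hosts on this
    page; a production check would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(raw: str, border: str = BORDER_HOST):
    """Apply the page's checks to one header block and list what is wrong."""
    hop = trusted_received(raw, border)
    if hop is None:
        return [f"no Received: line written by {border}"]
    findings = []
    sender = dict(unfold(raw)).get("X-AnteSpam-From", "").rpartition("@")[2]
    if hop["rdns"] is None:
        findings.append(f"no reverse DNS name for {hop['ip']} "
                        f"(border wrote 'unknown' next to it)")
    elif registrable(hop["rdns"]) != registrable(hop["helo"]):
        findings.append(f"HELO name {hop['helo']} does not match "
                        f"reverse DNS {hop['rdns']}")
    if sender and hop["rdns"] and registrable(hop["rdns"]) != registrable(sender):
        findings.append(f"sender claims {sender} but mail came from {hop['rdns']}")
    return findings


if __name__ == "__main__":
    for label, block in (("Bill Payment", BILLPAY), ("BreakingNews", CNN),
                         ("AA Ticket", AIRLINE)):
        print(label, trusted_received(block), assess(block))
```

The Bill Payment block is flagged because the border wrote "unknown" where a reverse-DNS name should be; the BreakingNews block passes the reverse-DNS check but is flagged because a t-bird.edu host is carrying mail that claims to be from cnn.com; the airline block is flagged for the same reason with dinaserver.com. Only the border's own paragraph is parsed: the second Received: line in the airline sample was written by the sending host and is ignored, which is exactly why the page tells you to stop at the "by incoming.antespam.com" paragraph.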
This looks official with a company logo and shipment number. However, the clickable links will take you somewhere you do NOT want to go!
You know it is a scam two ways.
- You have not shipped a package through DHL and are not expecting one.
- Even if you do use DHL, let your mouse check it out. Just move your mouse over (do NOT click!) the Get Shipment Info and Tracking Page links and watch the lower left of your email program or browser. There you will see the link is NOT going to a DHL web site. We have modified the link in this example to harmlessly point to antespam.com, but the original was definitely NOT DHL.
DHL Ship Shipment Notification
On April 29, 2013 a shipment label was printed for delivery.
The shipment number of this package is 59237976.
To get additional info about this shipment use any of these options:
1) Get Shipment Info
2) Enter the shipment number on tracking page:
Tracking Page
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.
Disclaimer:
This message was created by DHL Ship, a product of DHL, at the request
of the sender. No authentication of email address has been performed.