A Scam "Phishing" Email and How to Spot It

  • Phishing emails use urgency and confusion to manipulate victims into falling for scams.

  • Red flags include mismatched email addresses, odd formatting, and unusual requests like installing software or "returning" fake refunds.

  • Always verify sender identities and avoid responding to unsolicited calls or emails demanding action.

I've written previously about data breaches in companies, but of course, the same thing happens every day at a personal level with scams.

Quick reminder: phishing (this term is hacker-speak for "fishing for someone they can trick into handing over their username and password") is a much more common route to serious data breaches than any other kind of breach.

Here is a reasonably good phishing email example:

They've done a fairly good job of making this email look legit, although there are some minor formatting issues towards the bottom that registered with my subconscious.

As always, the easiest way to spot this as a scam is to look at the sender's email address – which in this case is clearly not PayPal.

In the olden days, it was easy for scammers to mask this email address and make it appear like a PayPal address – but in the last decade, the big ISPs have banded together and introduced various protocols to prevent that masking.

My first thought after seeing this email was "what the?".

This is the reaction the scammers are looking for because it puts people on the back foot. Interestingly, this is the same physiological reaction (one that humans have to varying degrees) that on-stage hypnotists use to "snap induce" those of us who are more susceptible to suggestion. It turns out that in a moment of confusion we are even more susceptible to the power of suggestion. Derren Brown does a great explainer of this in one of his many awesome videos.

I was surprised that this got through Google's spam filter, and then on closer inspection, I noticed that they had substituted a capital O for the zeros in the telephone numbers. This is apparently a strategy to avoid being detected by some of the spam filters and security/protection products.
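The two red flags described above (a sender address that does not belong to the claimed brand, and phone numbers written with a capital O in place of zeros) can be checked mechanically. The following Python is an added example, not part of the original newsletter; the brand-to-domain map, the sample message and all function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: defender-maintained map of brand name -> legitimate sender domains.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Phone-like run of digits, separators and the letter O (upper or lower case).
PHONE_RUN = re.compile(r"(?<![A-Za-z0-9])[\dOo(+][\dOo()\-. ]{6,}[\dOo](?![A-Za-z0-9])")

def sender_mismatch(from_header):
    """Return a reason if the display name claims a brand its domain does not match."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not legit:
            return f"display name claims {brand!r} but sender domain is {domain!r}"
    return None

def disguised_phones(text):
    """Return (as_written, normalised) for numbers that use O in place of 0."""
    hits = []
    for match in PHONE_RUN.finditer(text):
        raw = match.group()
        digits = sum(c.isdigit() for c in raw)
        letters = sum(c in "Oo" for c in raw)
        # Mostly real digits plus at least one letter O: likely filter evasion.
        if letters and digits >= 5 and digits + letters >= 8:
            hits.append((raw, raw.replace("O", "0").replace("o", "0")))
    return hits

def triage(raw_email):
    """Collect red flags from a plain-text (non-multipart) message."""
    msg = message_from_string(raw_email)
    flags = []
    reason = sender_mismatch(msg.get("From", ""))
    if reason:
        flags.append(reason)
    for raw, fixed in disguised_phones(msg.get_payload()):
        flags.append(f"phone number written with letter O: {raw!r} -> {fixed!r}")
    return flags

# Constructed sample message (not the email from the article).
SAMPLE = """From: PayPal Billing <billing@invoices.example.net>
Subject: Your invoice

You were charged $499.99. To dispute, call +1 (8OO) 555-O1O2 within 24 hours.
"""
```

Calling `triage(SAMPLE)` returns one flag for the sender domain and one for the disguised phone number; a message from a `paypal.com` address with an ordinary phone number returns an empty list.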

You can see that, unlike the previous example, I'm not asked to go to any website and enter any usernames/passwords – they want me to ring in.

I phoned the number to see if there might be a hint towards the type of scam this was.

It became obvious pretty quickly that it was a "refund scam" when they asked me to install TeamViewer so that they could "look into the problem for me."

From previous experience with a family member (which I will write about next), I know that the next step is for them to manipulate my computer to make it look like I've had a large amount refunded into my bank account when I visit online banking.

After that, it's all about "returning" the money to them to avoid being arrested.

Of course, returning this money is never by means of a bank-to-bank transfer that the authorities can trace – it's always non-identifiable mechanisms like wire transfers and gift cards.

In almost every case, the scammers are overseas, so there's no point in trying to bring the perpetrators to justice. Yes, it's easy these days (ever since Skype, actually) to have an "(03)" area code number routing to anywhere on the internet, without being traceable by any telecommunications providers.  

Andrew Walker
Technology consulting for charities
https://www.linkedin.com/in/andrew-walker-the-impatient-futurist/
