How To Spot Phishing Scams

While servicing my email queue, on the way to finding the account information to pay something, I ran into Yet More SPAM and some of it clearly “phishing”. I decided that rather than my usual “click SPAM” and move on, or “delete and move on”; I’d make an example out of some of it.

Now the first thing to do is realize that before you ever open that email, the “from” and topic can give it away as crap. I’d already decided this was crap before I even opened it. And I only opened it since I’m running on a non-windows machine so the bulk of all exploits, mostly aimed at Windows, will fail. Also, links are off by default in my mail reader, so hidden active links to web sites will fail. Before ever looking at Email, I have three levels of defense, (this one got through the SPAM filter, though…).

So I get this email claiming I’m due a refund on my New Zealand taxes. Only I haven’t been to New Zealand for 40 years… Right there is your first phishing flag: “too good to be true” or “something for nothing”. So the first thing to do is click on “show details” or “show mail headers”. Here’s the email text:

Inland Revenue -Tax Refund Notification

Inland Revenue NZ to you (Bcc)show details

After the last annual calculations of your fiscal activity, we have determined that you
are eligible to receive a tax refund of $41978.50 NZD. Please submit the tax refund
request and allow us 2-3 days in order to process it.
Your TRN (TAX REFUND NUMBER): NZ/811869-2015

Click link below to submit your tax refund request

https://www2.e-services.ird.govt.nz/secure/login.html

Note : A refund can be delayed a variety of reasons, for example submitting invalid
records or applying after deadline.

Best Regards

Inland Revenue – Te Tari Taake

Now the details of the headers show:

Inland Revenue -Tax Refund Notification
From Inland Revenue NZ malameid@sfsu.edu hide details
To Undisclosed recipients:;

Two big “tip offs”. First off “undisclosed recipients”. Ah, why?

Second, and far more interesting, the actual email address of the sender: malameid@sfsu.edu

A .edu account is at a school somewhere. Turns out that http://sfsu.edu/ is San Francisco State University. So someone has either hacked an SFSU account, or as a student there is indulging in some particularly stupid phishing attempt.

As this isn’t the first SPAM I’ve had from an SFSU.edu account, I suspect they are just subject to hacking and pwning…

Doing an “inspect element” on that link to “govt.nz” gives what sure looks like suspicious garbage:

[a removedlink__e205d1b8-8eff-4968-b567-3fc2220c4a7e__href=”https://www2.e-services.ird.govt.nz/secure/login.html” target=”_blank”]https://www2.e-services.ird.govt.nz/secure/login.html[/a]

I’ve replaced the angle brackets with [] so wordpress doesn’t steal the text…

One must fish around a lot in the large body of crap that now makes up active email to find the few bits that matter in this kind of investigation…

“removedlink” is kind of a clue that this link doesn’t take you there anymore…

Further up we find: “a style=”COLOR: #333333″ target=”_blank” removedlink__7b0fcf8d-50be-4f3c-83f9-6a6a851bc31b__href=”http //introsimpactantes.com/unosoter/sot.php”

A lookup of the site via a “whois [their site name]” brings up:

Intros Impactantes | Aprende como crear intros impactantes …
http //introsimpactantes.com essay writing diagrams get homework done online buy biology reserach papars how write a good essay skeletal system essay …

where I’ve broken the link so it doesn’t connect.

So this looks like it is just redirecting to some advertising site, maybe… but at this point I’ve lost interest. It’s clearly a scam of some kind, and I have other things to do…
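As an added illustration (not code from the original post), here is a Python check that automates the three tells walked through above: a From: domain that does not match the organisation the mail claims to be from, a To: line with no visible recipients, and an anchor whose visible text is a URL on a different host than its real href. The message is constructed for the example; the sender and link hosts are placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the refund mail above; sender and link hosts are placeholders.
RAW_EMAIL = b"""From: Inland Revenue NZ <compromised.user@university.example>
To: Undisclosed recipients:;
Subject: Inland Revenue -Tax Refund Notification
Content-Type: text/html; charset="utf-8"

<html><body><p>You are eligible to receive a tax refund of $41978.50 NZD.</p>
<p><a href="http://phish.example/unosoter/sot.php">https://www2.e-services.ird.govt.nz/secure/login.html</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_flags(raw, claimed_domain):
    """Return human-readable warnings; an empty list means none of the three tells fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    sender = msg["from"].addresses[0].domain.lower() if msg["from"] and msg["from"].addresses else ""
    if sender != claimed_domain and not sender.endswith("." + claimed_domain):
        flags.append(f"From: domain {sender!r} is not {claimed_domain!r}")
    if msg["to"] is None or not msg["to"].addresses:   # "Undisclosed recipients:;" has no addresses
        flags.append("To: shows no recipient addresses (undisclosed recipients)")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        links = LinkCollector()
        links.feed(body.get_content())
        for href, text in links.links:
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown and real and shown != real:        # text looks like a URL but href goes elsewhere
                flags.append(f"link text shows {shown} but href goes to {real}")
    return flags
```

Running `phishing_flags(RAW_EMAIL, "ird.govt.nz")` on the sample returns all three warnings; the same function on a mail whose From: really is at the claimed domain and whose links go where they say returns an empty list.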

But that’s the kind of thing I get to do a few dozen times when reading email. And why, over the years, I’ve become a bit averse to dealing with email.

Yes, I still use it. For some things it is still “usable”. But frankly, it is a cesspool full of disease in many ways and coping with it is not something I like to do. Oh Well.
I must, so I do.

But that is why email to me can sometimes take weeks to be read, and longer for a response. I’m busy doing other things and it just makes me feel so “tainted”…

It is also the kind of thing everyone ought to be doing for any email they get from anyone they do not know, and for any email they get from someone they DO know that “looks wrong”.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

7 Responses to How To Spot Phishing Scams

  1. I’ve been getting a few more of these recently too. The most recent was telling me it was from an international courier saying a parcel was on its way to me from Italy. Since I recently bought a small lathe from Italy this had a bit of credibility, but the source IP was in Kazakhstan and there was no corroborative detail anyway. There have also been a few bequests and charitable donations available to me if I sent my bank details to the sender, and one even asked for a copy of my passport. A friend in the UK got invoices for stuff she hadn’t ordered and asked me about it – turned out the attached invoice was executable and not a text. I wonder what the response rate is on these types of emails, but of course they cost nothing to send so a small percentage of dupes will supply a steady income. It’s a reasonable argument for making a charge for sending emails so spammers and phishers are priced out.

    Telephones enabled spam telephone calls, and I even get prerecorded spam calls so they don’t need to pay someone to sit at the other end. Cheap and fast connectivity has a cost associated. The various unwanted emails are just an extension of the leaflets that used to get put through your letterbox. Most people probably largely ignore the advertising hoardings, that have to try ever harder to get noticed (so expect video and 3D holograms in future).

    I suppose the main thing is for us all to be aware of where links in emails head to and to treat any emails as untrustworthy. Even from friends/family I’ve had spam where someone cracked in to their account. It’s a pain in the butt.

  2. H.R. says:

    I’m paranoid about e-mail because it really is out to get you. So many accounts get taken over so the most likely way to be had is when you get something from someone you know.

    I’ve spotted takeovers of coworkers’ accounts at work because I don’t participate in sharing jokes, cute videos, funny images, etc. So when I get a forwarded email or even a direct email of the “Check this out” or “Too funny” type, I just walk over and ask if they sent me an email. They used to be incredulous that someone was that paranoid. I’m the only one at work now who has never had a hijacked e-mail account. Heck! I even call my wife and my brothers to verify that they personally sent an email.

    Slowly, I’m getting people trained to write subject lines that have unique characteristics that only the sender and myself could or should know, unless they want yet another call from me asking if they sent something.

    For example, if I were to write E.M., the subject line would be something like “Hey! How are the bunnies and I want to discuss – such and such.” It’s not very hard to slip in a few lines that show an email is not spam or phishing.

  3. When I used Eudora for my email there was some spam.

    Since I started using Thunderbird the spam constitutes 99% of incoming emails. While Thunderbird has spam filters like Spamassassin I can’t get them to eliminate unsolicited emails as the basic approach relies on a “Black List”. The spammers are all too well aware of this so they seldom use the same email address twice.

    What I need is a filter that only admits mail from addresses that are on my “White List”.

  4. David A says:

    I know little to nothing about computers, but received this message.
    “Another computer on this network has the same IP address as this computer. Contact your administrator for help resolving the issue. More details available in the Windows system event log.”
    =======================????

  5. J Martin says:

    I almost hate to say it, but I find the spam filter in Google’s Gmail very effective. Without a doubt the main reason I stick with using Gmail.

  6. E.M.Smith says:

    @David A:

    That message is common in two circumstances:

    1) A machine has a hard set IP address that is in a block also being handed out by the router for DHCP use (Dynamic Host Configuration Protocol – the thing that gives you an automatic IP).

    2) A DHCP address was handed out with, say, a 3 day expiration, and then the router was told to set expiration to 1 day. Now, for 2 days, that first machine thinks it owns that IP, yet the router might hand it out to another one instead. Not very common as it takes a complicated set of behaviours… Just doing an ipconfig /release then ipconfig /renew can fix that.

    There are some other ‘edge cases’ that happen too… like having two DHCP servers handing out the same block, or two computers both with a hard coded IP address that’s the same.

    To fix it:

    First off, you need to know your network layout. Is it DHCP? Or are IP addresses hand set? Then make sure your computer follows that pattern. For most folks, you want it to be DHCP. That’s pretty much the standard now. (I have my servers hard coded, and a couple of desktops where I don’t want any way the IP can change… but “variety machines” get the DHCP addresses.)

    A common standard is, for example, to have your internet / boundary router hand out DHCP addresses in a block like “192.168.0.100 to 192.168.0.199”. That lets you have 100 hosts via DHCP. Far more than any typical person needs at home or in one work group. Then special machines can have 192.168.0.1-99 and 192.168.0.200-254. (the router is usually x.x.x.1 or x.x.x.254 by convention, but can be anything if desired).

    So once you know the “numbering plan”, you can find your answer. If, for example, the DHCP block is from 100-199 and your machine is NOT doing DHCP but has the number hard set to x.x.x.102 you will pretty much be guaranteed to have a collision with whoever gets 102 via the DHCP assignment.

    Rule Of Thumb: When in doubt, set your IP to be assigned by DHCP and see if the problem goes away.

    2nd Rule Of Thumb: If it doesn’t, hard set your IP to a very unlikely number (such as x.x.x.213) and see if the problem goes away. When it does, go hunting for what equipment had the prior number and fix it too… then most likely swap back to DHCP based address assignment.

    Let me know if you need help clicking on your network control panel things and finding where to set the IP address…
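As an added example (not the commenter’s own procedure), this Python script applies the numbering plan from the reply above to a constructed layout: a pool of .100 to .199 handed out by DHCP, a few hard-set hosts and the router’s current lease table. It reports the three collision causes named there (a hard-set address inside the pool, two hosts hard coded to the same address, and a lease that lands on a static host) and picks an unused address outside the pool for the second rule of thumb. The host names and addresses are made up for the example.

```python
import ipaddress

# Constructed sample layout following the plan above: DHCP pool .100-.199, statics elsewhere.
NETWORK = "192.168.0.0/24"
POOL = ("192.168.0.100", "192.168.0.199")
STATIC_HOSTS = {                  # name -> hard-set address
    "router": "192.168.0.1",
    "fileserver": "192.168.0.10",
    "printer": "192.168.0.102",   # mistake: inside the DHCP pool
    "desk-a": "192.168.0.50",
    "desk-b": "192.168.0.50",     # mistake: same hard-coded address as desk-a
}
LEASES = {"laptop": "192.168.0.102"}  # what the router has actually handed out


def audit_plan(network, pool, static_hosts, leases):
    """Return the collisions a 'same IP address as this computer' warning can come from."""
    net = ipaddress.ip_network(network)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    problems, owner = [], {}
    for name, addr in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name}: {ip} is not inside {net}")
        if lo <= ip <= hi:
            problems.append(f"{name}: hard-set {ip} sits inside the DHCP pool {lo}-{hi}")
        if ip in owner:
            problems.append(f"{name}: same hard-coded address {ip} as {owner[ip]}")
        owner.setdefault(ip, name)
    for name, addr in leases.items():
        ip = ipaddress.ip_address(addr)
        if ip in owner:
            problems.append(f"{name}: DHCP lease {ip} collides with hard-set host {owner[ip]}")
    return problems


def suggest_static(network, pool, static_hosts, leases):
    """Second rule of thumb: an unused address outside the pool, searched from the top end down."""
    net = ipaddress.ip_network(network)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    taken = {ipaddress.ip_address(a) for a in list(static_hosts.values()) + list(leases.values())}
    for ip in reversed(list(net.hosts())):
        if not (lo <= ip <= hi) and ip not in taken:
            return str(ip)
    return None


if __name__ == "__main__":
    for problem in audit_plan(NETWORK, POOL, STATIC_HOSTS, LEASES):
        print(problem)
    print("try hard-setting:", suggest_static(NETWORK, POOL, STATIC_HOSTS, LEASES))
```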

  7. Steve C says:

    @J Martin

    I’m reminded of a comment I saw somewhere years ago about Yahoo – the one I use for general email, and which also does pretty well on spam filtering. The suggestion was that they found the filtering an easy job because so much of the spam was coming from Yahoo accounts …

    Tsk, tsk. Such cynicism. ;-)
