Can you spot a scam? (screenshots)
by ZDNet Author | April 13, 2011 6:43am PDT | Image 1 of 12
Previous | Next
A theft of names and email addresses like the recent one from marketing firm Epsilon doesn't sound that bad but that information is valuable for scammers to use in further attacks, notably in phishing scams.
If an attacker knows your name, the companies you deal with and your email, then it can craft some convincing emails that have a much better chance of fooling you.
ZDNet Australia's Darren Pauli presents some fabricated examples of phishing emails to illustrate what users need to watch out for in order to protect themselves.
The first one from Disney has mass appeal. The broad list of victims could be attractive for scammers.
Just In
Wouldn't it be a great idea if every time you started a brand new computer (or freshly installed browser) it took you through a web safety tutorial before letting you loose on the web?
@AndyPagin?
Were the tutorial skippable, the very people who need it would skip it. Were it not skippable, those who did not need it would be in a state of justifiable fury.
Were the tutorial skippable, the very people who need it would skip it. Were it not skippable, those who did not need it would be in a state of justifiable fury.
@?conomist ... Agreed, and IMO that information should be part of the windows "tour" or whatever they call it so it's not creating excessive numbers of documents to read. Proper treatment in the TOC might draw some users to it also. I have noticed that a lot of people play around in the tours on their machines and like clear and concise tutorials, which is another possibility.
The above, plus people getting behind such a move regardless of who makes it first, might even shame other companies into doing the same thing so as to keep up with the hype of information.
At least the information would BE there this way, rudimentary as it may be, but accompanied by some reliable and trusted links could open a world of information or just enough to get by on for a lot of the masses.
I go by two rules:
1. Don't even bother to look at the contents of a spam. It's easy to know whether you've had contact with a mailer just from the initial informaton at the top of the mail.
2. Even if I am dumb/curious enough to read it, I never, ever click on any link in it, nor do I spend any time messing with it once I know it's spam. Some, as demonstrated here, might take a little thinking, but never use a link or any information in an email you weren't expecting and that there is no reason for you to be getting it.
3. Next thing I do is parse the Headers and submit complaints to the spammer's ISP after tracing it as best as possible. Tracing emails isn't so easy to do so if you can't do that, then just delete the spam and forget it.
4. Finally, I protect my email addresses and use only throwaway accounts to contact any site I'm not sure of. But I type in the URLs myself, from my own lists of resources, or usually simply ignore the whole thing.
5. And I never ever touch an attachment. That's often another place the malware can be hiding.
6. I don't open ANY attachments unless I know who sent it, and was expecting it.
7. And then it's also just as important to perform "safe hex"
http://www.claymania.com/safe-hex.html
http://www.mvps.org/winhelp2002/security.htm
http://www.sophos.com/security/best-practice/
See? It's pretty easy to do.
The above, plus people getting behind such a move regardless of who makes it first, might even shame other companies into doing the same thing so as to keep up with the hype of information.
At least the information would BE there this way, rudimentary as it may be, but accompanied by some reliable and trusted links could open a world of information or just enough to get by on for a lot of the masses.
I go by two rules:
1. Don't even bother to look at the contents of a spam. It's easy to know whether you've had contact with a mailer just from the initial informaton at the top of the mail.
2. Even if I am dumb/curious enough to read it, I never, ever click on any link in it, nor do I spend any time messing with it once I know it's spam. Some, as demonstrated here, might take a little thinking, but never use a link or any information in an email you weren't expecting and that there is no reason for you to be getting it.
3. Next thing I do is parse the Headers and submit complaints to the spammer's ISP after tracing it as best as possible. Tracing emails isn't so easy to do so if you can't do that, then just delete the spam and forget it.
4. Finally, I protect my email addresses and use only throwaway accounts to contact any site I'm not sure of. But I type in the URLs myself, from my own lists of resources, or usually simply ignore the whole thing.
5. And I never ever touch an attachment. That's often another place the malware can be hiding.
6. I don't open ANY attachments unless I know who sent it, and was expecting it.
7. And then it's also just as important to perform "safe hex"
http://www.claymania.com/safe-hex.html
http://www.mvps.org/winhelp2002/security.htm
http://www.sophos.com/security/best-practice/
See? It's pretty easy to do.
@?conomist
How true that is.
How true that is.
The idea of including a phishing tutorial as part of the Windows "tour" has merit. I would additionally suggest that it be made into a "game" such as this presentation was. Interactive presentations would not only generate a higher "hit rate" but would also encourage closer attention paid by the end-user as they try to "beat" the game. Maybe I could finally get my wife and my mother-in-law to be more discerning with their emails if they could teach themselves instead of relying upon their geek-connection.
@AndyPagin - great concept. As @?conomist points out, the concept just needs a little fleshing out.
A couple of ideas just off the top of my head:
1. Tutorial on new "out of the box" computer is optional, right up until the point mandatory "scam-detection" software registers a hit. Then,
Penalty A: Internet connectivity is disabled until the user has watched the tutorial ~and~ passed the quiz.
Penalty B: Computer goes into "limp" mode, displaying a "Service Required" alert every 3-5 minutes. The offending computer returns to normal operation only after a charitable contribution to the "Association of Responsible Computing People" has been received.
2. Develop a "New Computer Purchaser Registry" and require enormous volumes of paperwork, background check, and mandatory waiting period before taking delivery on any new computer purchase.
3. A three strikes and you're out policy...to be forever relegated to dumb terminals!
4. Get tougher on the "supply" side...no excuses...just make it happen.
None of the above applies to you if:
* you have more than one fully functioning PC (virtual machines count)
* you can name one Linux distro (from memory & 1 other than Ubuntu)
* you can launch at least one command from the DOS prompt (heck....if you even know what a DOS prompt is might be good enough).
Thank you all for humoring me.
A couple of ideas just off the top of my head:
1. Tutorial on new "out of the box" computer is optional, right up until the point mandatory "scam-detection" software registers a hit. Then,
Penalty A: Internet connectivity is disabled until the user has watched the tutorial ~and~ passed the quiz.
Penalty B: Computer goes into "limp" mode, displaying a "Service Required" alert every 3-5 minutes. The offending computer returns to normal operation only after a charitable contribution to the "Association of Responsible Computing People" has been received.
2. Develop a "New Computer Purchaser Registry" and require enormous volumes of paperwork, background check, and mandatory waiting period before taking delivery on any new computer purchase.
3. A three strikes and you're out policy...to be forever relegated to dumb terminals!
4. Get tougher on the "supply" side...no excuses...just make it happen.
None of the above applies to you if:
* you have more than one fully functioning PC (virtual machines count)
* you can name one Linux distro (from memory & 1 other than Ubuntu)
* you can launch at least one command from the DOS prompt (heck....if you even know what a DOS prompt is might be good enough).
Thank you all for humoring me.
@AndyPagin
If I dont Know 'em, I dont open 'em! plain and simple. 99.9% of any offers via the web are pure crap and I tell ALL my clients the same!
If I dont Know 'em, I dont open 'em! plain and simple. 99.9% of any offers via the web are pure crap and I tell ALL my clients the same!
@AndyPagin
An even greater idea would be a way to get people to actually bother even reading it....much less heeding what it tries to teach. As Tater says - "Can't fix stupid".
An even greater idea would be a way to get people to actually bother even reading it....much less heeding what it tries to teach. As Tater says - "Can't fix stupid".
Since a good sign of spam is the inclusion of spelling mistakes, you might want to fix the one on the second slide. That should be "a commercial email," not "an...."
@SleepingCat
There are several misspelled words in the piece.
There are several misspelled words in the piece.
Marriott Rewards example: "should be also treated with caution."
That's odd grammar - this gallery is suspicious.
That's odd grammar - this gallery is suspicious.
@ejhonda
The grammar is correct. The war against split infinitives was lost decades ago:(
The grammar is correct. The war against split infinitives was lost decades ago:(
using Thunderbird's/Mail's mouseover link exposure is unavailable in this test. For shame.
Shouldn't the word be skeptical (rather than sceptical)? Or is this a UK/OZ spelling?
@destockwell
From the online OED:
(archaic & North American skeptic)
Spelling help
Remember that sceptic begins with sc- (the spelling skeptic is American).
From the online OED:
(archaic & North American skeptic)
Spelling help
Remember that sceptic begins with sc- (the spelling skeptic is American).
Thanks for the examples of phishing scams. I caught a couple of misspelled words, "dreem" from the Disney ad and "youre" in another example. Poor spelling habits are becoming more common as well as confusion over homonyms such as then or than, your or you're, there or they're or their show up a lot in public responses.
The use of a free email account for businesses as big as the examples is a good red flag. I get suspicious of email addresses that don't match the sender's name; such as J.Smith@businessname.com sent by Al Jones@businessname.com.
The use of a free email account for businesses as big as the examples is a good red flag. I get suspicious of email addresses that don't match the sender's name; such as J.Smith@businessname.com sent by Al Jones@businessname.com.
@sboverie@... Agreed. And too many legiit companies also do that! They farm out all their e-mails to someone else and when you get it, even though it's legit, there's nothing there to indicate it actually came from who they say they speak for!
whenever i receive any kind of solicitation email, I always look at the sender. these examples show some e-mails coming from hotmail.com. that right there is a dead giveaway that you are dealing with illegitimate senders.
always look at the sender address folks!
always look at the sender address folks!
@asg749d@... simply looking at the sender of an email is probably the biggest mistake that can be made. Just because it says, "From: admin@largewellknowncompany.com", doesn't mean a thing! It is very simple to alter the "From:" address to read whatever heart desires. You are led to believe it's form admin@whatever.com, when it fact the actual address it's being sent from is more like . More providers have the option to view the header or source code (most often through right-click or option menu. This will give you the true identity and origin of the sender (which you can then use to trace the bastard......or at least sent viable information to their ISP and FCC.
Well: I'm happy to say I spotted the problems almost instantly in each case and missed nothing important in deciding they were the very definition of spam because:
1. They are unsolicited bulk email (UBE or ICE),
2. I didn't ask for them nor did I give them permission to email me.
3. I will NEVER opt OUT Of a list I never opted INTO!
4. But I do report every single spam that makes it to my Inbox; about 4 to 8 per day right now.
Classic examples of spam/phishing and maybe worse.
1. They are unsolicited bulk email (UBE or ICE),
2. I didn't ask for them nor did I give them permission to email me.
3. I will NEVER opt OUT Of a list I never opted INTO!
4. But I do report every single spam that makes it to my Inbox; about 4 to 8 per day right now.
Classic examples of spam/phishing and maybe worse.
Good article, good examples, but light on what to do about any of it or how to treat such things (or not).
It's like the phony "You've got a virus! Send us $XXX.XX and we'll sell you the apps to get it removed."
It's like the phony "You've got a virus! Send us $XXX.XX and we'll sell you the apps to get it removed."
I failed the Hilton one 
Good article though. I will pass this around.
Good article though. I will pass this around.
Missed the Hilton and Borders ones, but since Hilton is more than a bit too rich for me and I have an account with Borders (and thus would have gone to my previously bookmarked page for more into), I wouldn't have been caught.
Gmail has a fairly decent spam filter, plus the ability to check out an email header (both basic and verbose), and I hop over to Whosit.com and check out the domain (if I'm totally bored). Otherwise I just trash them....
Jim
Gmail has a fairly decent spam filter, plus the ability to check out an email header (both basic and verbose), and I hop over to Whosit.com and check out the domain (if I'm totally bored). Otherwise I just trash them....
Jim
@RangerJimK
Click here to get our downlaoder to download our coupons.
At the same time We can't do a mouseover to see the underlying link.
Click here to get our downlaoder to download our coupons.
At the same time We can't do a mouseover to see the underlying link.
I have become so suspicious about phishing that when I got an email from Norton telling me that my subscription would automatically renew if I did not change my account preferences, I assumed it was a phish and ignored it, assuming my account would probably just expire. Too bad it was real. I later logged in the site directly to change the preference, but after I had been charged.
The only time I use a computer for email is when I have to scan and attach something.
99% of the time I use a phone.
99% of the time I use a phone.
Spotted it.
Of course, I don't know whether someone in the general population would understand the sender field so well. Plus even if the from address looks legit it isn't necessarily - it just so happens this one was easy to spot.
Of course, I don't know whether someone in the general population would understand the sender field so well. Plus even if the from address looks legit it isn't necessarily - it just so happens this one was easy to spot.
tom@...
I read through all of the information, but it was all about Microsoft stuff.
Nothing about Linux...
I read through all of the information, but it was all about Microsoft stuff.
Nothing about Linux...
yeah i think disney could afford their own domain heck even i have one lol
Excellent article. Just wish these examples would reach the people that need it most., but they wouldn't take the time to read it. So sad.
ie: Standard Email Client (webmail & client app) implementation verification via trust cert, of emails for an organization's emails.
It's from HotMail FFS, anyone falling for this is a dumb-ass.
i.m sorry, but these mailings resemble the junk mail you get snail mail. so treat it the same way. if it is in your inbox, just delete it.
The Hilton and Borders ones were subtle enough to be real. I guess the best idea is to go to the actual site to obtain software you might need -- sort of an on-line "Don't call us; we'll call you" approach.
Every time your browser connects to a web page, it transimts a ton of information about your current PC build. It's getting to the point that it's absurd. And IE is the absoltue worst browser. Who the hell needs to know that I am using a given version of an operating system? It's the web your morons. All you need to know is what browser I am using. I hope FireFox wises up and shuts this hacker back door.
Well first I look at the email address the one at the top of the page is from Disney Ok, Right such a large company using an email address from HOTMAIL mmmmmmm thats Just Wrong.
Join the conversation!
The best of ZDNet, delivered
ZDNet Newsletters
Get the best of ZDNet delivered straight to your inbox
Vendor Showcase
Facebook Activity
