Most spam is irritating and time-consuming, but some spam is positively dangerous to handle. Usually email scams are trying to get you to give up your bank details so that the fraudsters can either withdraw money, or steal your identity.
Such messages include phishing scams and advance fee fraud. Be suspicious of:
- anything that offers you something for nothing;
- anything that looks like it's going to ask you to give up financial details;
- anything to do with accounts of yours that has embedded links to follow;
- anything that asks you to keep it secret.
The Information Security team have published information on how to avoid phishing.
Additional information about phishing continues below.
Phishing attacks are attempts to steal sensitive information such as personal identity details, bank account details, credit card numbers, and passwords. The idea is to lead the victim to a web site that looks legitimate but is in fact bogus and persuade them to enter their information into it, making it available to the attackers.
The nature of phishing scams
The scam starts with an email message that pretends to come from some organisation that might make legitimate use of the information the scam is trying to obtain:
- a bank or other financial institution;
- an online site you may have an account with: EASE, ebay, paypal, etc;
- an online shopping or mail-order site.
The message is a forgery of course, but such forgeries can be difficult to detect without detailed scrutiny of the mail headers, which can be obscure to most people and which common mail software can make difficult to see.
The message tries to persuade you that there is a really good reason why you must visit the organisation's web site:
- there is some problem with your account and you must verify your details or the account will expire;
- your account has been frozen because suspicious activity has been detected;
- they are offering a new service which they want you to sign up for;
- there has been a problem with your shipment and you must log in to check the details;
- some transaction on your account has been declined because it requires verification, and so on.
The message then contains a link to the web site for you to click on. This link does not, of course, lead to the legitimate organisation's web site, but to a bogus one run by the scammers. It can sometimes be difficult to see the URL that the link will lead you to, and some mail clients have bugs where a cleverly constructed message can entirely obscure this information, so you are led to one site while your client reports you are at another. Some of these bogus web sites can be extremely convincing too.
Alternatively, the message may simply ask you to mail back your username and password. The reply containing your details will go to some external mail account, where it can be picked up by the thief.
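The two tell-tales described above (a link whose visible text and real target disagree, and replies routed to an outside address) can be checked mechanically. The following is an added example, not part of the original page or any product it mentions; the sample message, the domains in it and the "last two labels" approximation of a registrable domain are all constructed for illustration.

```python
# Added example, not the page's code; the sample message and domains are constructed.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
class _Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(s):
    """Registrable domain (approximated as the last two labels) of a URL, bare host or mailbox."""
    if "@" in s and "://" not in s:  # mailbox such as "Name <user@host>"
        host = s.rsplit("@", 1)[1].strip(">")
    else:  # URL; link text often lacks a scheme, so add one for parsing
        host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def link_mismatches(html):
    """Links whose visible text looks like a URL but names a different domain than the href."""
    p = _Links(); p.feed(html)
    return [(t, domain(h)) for h, t in p.links
            if "." in t and " " not in t and domain(t) != domain(h)]

def check_message(raw):
    """Parse a raw message and report the indicators found (empty dict if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    if msg["Reply-To"] and domain(str(msg["Reply-To"])) != domain(str(msg["From"])):
        findings["reply_to_domain"] = domain(str(msg["Reply-To"]))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings["link_mismatches"] = link_mismatches(body.get_content())
    return findings
SAMPLE = """\
From: Example Bank <alerts@examplebank.com>
Reply-To: verify@mail-reply.example.net
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://examplebank.com.verify-login.example.net/x">www.examplebank.com/login</a> to verify your details. <a href="https://www.examplebank.com/help">Help</a></p>
"""
```

Running `check_message(SAMPLE)` reports both the outside Reply-To domain and the one link whose text and target disagree; the plain "Help" link to the bank's own site is not flagged.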
What you should do if you receive a phishing message
- NEVER give out your passwords to anybody. Legitimate persons, such as support personnel, will never ask you to reveal your passwords.
- You should always treat such messages with suspicion. Most legitimate organisations are aware of these scams and will not send out messages like these in the email.
- You should be particularly suspicious of any such email that contains a link for you to follow. A legitimate business might send you an email suggesting you visit their web site, but will know you already know the URL to go to, or will have a bookmark pointing at the correct web site. An email like this with a link is liable to point to a bogus site.
- Call the organisation to verify the message (or to report it as a scam). Alternatively, email them directly, typing in the address yourself or using your address book; do not reply to the suspicious message, which would be as dangerous as following any of its links.
- Of course we all receive mail with links in them - solicited offers, newsletters, messages from colleagues and friends referring to documents online, and so on. It would be impractical to suggest that you never follow a link in an email message. But most such legitimate messages will be expected, or at least in a familiar context which you can reasonably trust.
- Only give out sensitive information when you have started from a place you can trust, such as your own bookmark to your bank's website.
- In any case, in general, be careful about giving your sensitive information out.
Useful advice can be found on the Anti-Phishing Working Group's website.
Advance fee frauds
Also known as "Nigerian fraud" or the "419 fraud" after the section of the Nigerian criminal code that covers them, they are one of the commonest frauds perpetrated by email. Following them up can result in financial loss and in some cases a high degree of personal danger. The common element is that they ask you for money up front in order to facilitate a much larger sum of money later (which never materialises, of course).
The sender usually claims to be from a foreign country, often an African or other Third World country, and claims plausible access to a large sum of money from, for example:
- overpayment on government contracts;
- a family fortune which would otherwise be claimed by a corrupt government;
- funds from somebody arrested by the government on dubious charges;
and so on. Commonly we also have:
- placing the scam in the context of topical events in order to lend an air of authenticity;
- reference to news articles, biographies, etc to back the above up;
- a plea for absolute secrecy.
Finally, the sender offers you a substantial cut of the money should you agree to handle the money for them. Of course, if you agree to do so, the sender will then claim that certain fees need to be paid in advance in order to release the money, bribe officials, or whatever. Such payments will of course be taken by the fraudsters and the victim will get nothing back.
Sometimes the victims will be lured into travelling to a foreign country to meet up with the fraudsters. This has resulted in loss of documents and money, and in a few cases in loss of life.
What to do if you receive an advance fee fraud message
- Don't believe anybody sending you an unsolicited message is who they say they are.
- Never be lured into parting with money or financial information unless you are sure that you are dealing with a reputable person or organisation.
- If it seems too good to be true, it is.
Lottery win scams
More attempts to make you give up your bank details, these are messages claiming you have won a lot of money in a lottery you have never heard of. Typical examples may have subjects like:
- ++NOTIFICATION OF YOUR LOTTO WINNING+
- AWARD FINAL NOTIFICATION
- CONGRATULATIONS, YOU HAVE BEEN SELECTED.
If you get sucked into talking with the perpetrators, they will at some point no doubt ask you for your bank details - which is what they are really after.
"Money transfer" job offer scams
This type of fraud offers you a job in transferring money, usually between different countries. The typical pitch is that in order to facilitate money transfer they require brokers or agents in different countries to accept transfers of money and pass it on to clients, for a fee. Of course, to do this they will require the details of your bank account to transfer the money into. This is of course the real object of the exercise.
Some example subjects:
- Elite Vacancies Available
- offer partnership (Job)
- RE: Recent Application (UK)
- Job opportunity
- Career oportunity