Every trick in the book: how hackers take over your computer (or your bank account)
by Rich Pasco
Spammers will use every trick in the book to get you to click on
their links to malicious web sites, or to open their malicious
attachments, or to divulge personal information for identity theft.
Below are just a few examples. As P.T. Barnum said, “There's a
sucker born every minute.” Don't be one of them!
Most are designed to create a sense of alarm and urgency,
threatening financial harm, embarrassment or inconvenience unless
one takes the bait. Others flatter the recipient and/or hint at
sexual benefits. Still others purport to be from a friend with
something curiously exciting to share.
Often, the “From:” e-mail address on such fraudulent
e-mail messages is forged, or “spoofed”, to resemble that
of a well-known service (such as Facebook, MySpace, Verizon or
CitiBank). If you have that service in your approved senders list,
such junk mail will slip right past your junk-mail filter. You
should never trust the “From:” address on any e-mail; it
is easy to forge.
There have been an increasing number of incidents where a hacker
breaks into an e-mail account and sends junk mail to all that
person's contacts. Even if an e-mail seems to be from a friend,
it may not be, so proceed with caution. For more information see
“Spam from your friends: hacked and
All the same concerns about e-mail also apply to messages sent via
social networking sites like Facebook via mobile phones. Be just
as suspicious about strange phone calls and texts as about e-mail
- To trick you into divulging personal information,
such as account passwords, social security numbers,
etc. (for the crime of identity theft).
- To trick you into installing software which will give
them total control over your computer.
- To trick you into sending them money (e.g. to buy phony
anti-virus software, to pay a “fine” to unlock
your computer, or to aid a friend allegedly victimized by
theft while on vacation).
To this end, they broadcast thousands of e-mail messages which use
all kinds of trickery to get you to open an attachment or click on
a web link which will take you to a malicious web site, which will
either prompt you to enter your personal data or directly load
software onto your computer.
The tricky e-mail may pretend to be from your internet service
provider or financial institution and ask you to “confirm your
details” or “activate your account.” Or it may
pretend to come from a known retailer (e.g. Amazon.com) and claim to
“confirm” a purchase you allegedly made (but didn't).
The phony e-mail conveys a tone of urgency and a threat of loss if you don't comply quickly.
Hackers want you to hurry so you won't have time to think, so they tell you that
you will miss out on an offer expiring soon, your card will be charged, your account will be closed, you will
be sued, or even that a warrant will be issued for your arrest, unless you quickly take the requested action.
- It does not directly correspond to any action you recently
took. It may claim to be about “system upgrades” or other
vague topics. It may allude to a purchase you did not make, a parcel
you did not send, or a lottery you did not enter.
- It does not address you by your full name, but rather by your
e-mail address, or by “dear customer” (even though your full
name is on file with your provider).
- It contains links which may appear to lead to a legitimate site,
but actually lead to a malicious site. See “Where does a
link really lead?” below.
- The address on the “From:” line is obviously phony, or someone
you don't want to hear from. For example, I got a junk mail from
firstname.lastname@example.org. Note: The converse is not true:
Just because an address looks legitimate does not mean that it is.
- The address on the “From:” line is your own.
If the address on the “From:” line is your own, and you didn't
send it to yourself, then you absolutely positively know that it is phony and may dispose
of it immediately. Hackers know that you probably have your own address in your address book
(contacts), so they spoof your address to get their junk past your spam filter.
- It is written in bad English. For example, it may contain the phrase,
“needs your urgent attention.”
The address on the “From:” line of an e-mail should never
be relied on to determine its origin. That line is easier to forge
(or spoof) than the return address on the upper-left corner of a
paper envelope. It is inserted by the sender's e-mail software, and
so a sender can put anything he wants there, be it Bank of America
or Santa Claus. (There are, however, postmarks in the hidden
headers of an e-mail which advanced users can interpret to determine
a message's true origin. For details see
“Where in the world is the hacker located?”)
A phony e-mail may include all the same artwork and formatting
(stationery) as a legitimate one. It is very easy for a hacker to
copy artwork from a legitimate e-mail to a phony one.
Below is a sample of a phony e-mail, purportedly from American Express.
As received, all of the hyperlinks lead to the hacker's web site!
What lay there, I don't know because I didn't dare click on them,
but it would most likely either install malware on my computer or
present a login screen looking like Amex's designed to trick me into
entering my Amex username and password.
Sample phony e-mail
What to do with a phony e-mail
If you receive such an e-mail, the safest course is to simply delete
it. If in doubt about your account with your bank or other service,
do not click on the link in the e-mail; instead sign in by going to
their known web address from a trusted source (e.g. printed on your
last statement). And, if you would like my opinion, feel free to
I used to believe that there was no harm in simply visiting a web
site, and would occasionally click on a link in an e-mail out of
curiosity, just to see where it led. I was too smart to enter my
personal credentials on any form there, but I wanted to see how the
site looked. Unfortunately, twice in one year, my computer got
infected by malicious software by my doing so. This is colloquially
called a “Drive-by download.” In each case, I was running
Windows XP with all the latest security patches from Microsoft, the
latest Mozilla Firefox browser, and the latest AVG anti-virus. But
still malicious software got installed, apparently from scripts on
the web sites.
I've received e-mail from Macintosh users who gloat about how they
are not vulnerable to viruses and malicious software. While it is
true that far more viruses are targeted at Windows than at Mac OS,
and Windows is more vulnerable than Mac OS, Macs are not invincible,
and the same general precautions apply. And no OS in the world will
protect against a user who gives away his password by typing it into
a phony web page.
Since hackers send out spam (junk mail) with a goal of getting you
to click on links to their malicious web pages, it is important to
know where a link in an e-mail really leads, before you click on
it. With HTML-formatted e-mail (most e-mail with multiple fonts,
embedded graphics, etc.), what you see (in the visible text) is not
what you get (when you click on it). The visible appearance of a
link can be set independently of where it really leads. If you
don't believe me, click on this link to see what happens:
In this example, the visible text says Google, but the
hidden hyperlink really leads to my own page (which is harmless).
So if you can't trust the visible text to tell where a link leads,
how can you tell? The answer depends on your e-mail client
application, your operating system, and if you're using a web-based
e-mail client, your browser. In some, you can hover your mouse
over the link and view its target in your status line. In others,
you can right-click on the link and choose "Properties", then look
at the address shown on the pop-up. Check with your system's user's
manuals to be sure.
If the target address doesn't match the visible text, beware!
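The hover check described above can also be done mechanically. The Python below is an added example, not part of the original page: it lists every link in an HTML message body whose visible text disagrees with where the link really leads. The sample message, the `brands` mapping and the `claimed_domain` parameter are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address or bare domain name.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href="..."> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.href = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href")
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None


def normalize(host):
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def real_host(href):
    """Host the browser would contact; '' for mailto:, anchors, bad URLs."""
    try:
        return normalize(urlsplit(href).hostname)
    except ValueError:
        return ""


def on_site(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, brands=None, claimed_domain=None):
    """Return [(visible_text, real_host, [reasons])] for suspicious links only.

    brands: assumed mapping of a brand word to that brand's real domain.
    claimed_domain: domain of the service the message says it comes from.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        host = real_host(href)
        if not host:
            continue
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and not on_site(host, normalize(shown.group(1))):
            reasons.append("text shows " + normalize(shown.group(1)))
        for word, domain in (brands or {}).items():
            if word.lower() in text.lower() and not on_site(host, domain):
                reasons.append("text names " + word)
        if claimed_domain and not on_site(host, claimed_domain):
            reasons.append("not on " + claimed_domain)
        if reasons:
            findings.append((text, host, reasons))
    return findings


# Constructed sample body; every host below is a placeholder.
SAMPLE_BODY = """
<p>Dear Customer, please verify your card at
<a href="http://americanexpress.com@cards.example.net/verify">http://americanexpress.com</a>.</p>
<p>Or search for us on <a href="https://pages.example.org/demo.html">Google</a>.</p>
<p>If this was not you, <a href="http://alerts.example.com/fb">let us know immediately</a>.</p>
<p>Help: <a href="https://www.facebook.com/help">facebook.com/help</a>,
<a href="mailto:support@example.com">e-mail us</a>.</p>
"""

if __name__ == "__main__":
    for text, host, reasons in audit_links(SAMPLE_BODY, {"Google": "google.com"}):
        print(f"{text!r} really leads to {host}: {', '.join(reasons)}")
```

The first sample link also shows why the host must be parsed rather than read by eye: everything before the `@` is ignored by the browser, so the link goes to `cards.example.net`.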
The figure below shows a phony message which I actually received, as
displayed in my e-mail client,
The top circle shows my cursor hovering over the link “let us
know immediately” (I did not click on it!) and the
bottom shows Thunderbird displaying the actual target of that link in
the status line. I know the message to be phony because the target
is not facebook.com.
Here's a scam aimed at people selling used cars online, e.g. via
Trolls scan used car ads and ask the sellers for a vehicle history report.
When you send them one, they tell you they don't trust it and ask you to
get one (at your own expense) from their pet company. In fact they have
no intention to buy your car but are trying to drum up business for their
pet company which makes a huge profit and pays the troll to advertise them.
When selling her van in the summer of 2017,
my partner obtained a vehicle history report, which we
send to prospective buyers who ask for it. Two of the ostensible buyers,
“James Parkin” and “Pete Hansen” sent such similar
e-mail messages that their motives are apparent:
It turns out that according to Network Solutions'
both of the domains usvehiclecheck.com and vinchecksup.com are registered to
“Internet Domain Service BS Corp.” How appropriate!
Is it any coincidence that both of the recommended sites resolve to exactly
the same IP address? According to
[220.127.116.11] is hosted by NForce Entertainment B.V. in the Netherlands.
Update 2017-11-15: My friend Don reported today that he actually fell for such
a scam and purchased a report from a company advertised like this. After
he received the report, he grew concerned about whether his credit card account
had been compromised by giving them the card number. We may never know.
The “Unusual sign-in” scam
I got an amusing piece of spam, designed to get me to click on a malicious link. It is amusing because I asked, “How stupid do they think I am?” It claimed a suspicious sign-in to my Microsoft account, but there were several glaring problems:
- It did not come from Microsoft, not even close. They could have spoofed Microsoft's address onto the From line but didn't. It didn't come from the domain they did spoof, either. That dcccd.edu domain is from the Dallas County TX Community College District.
According to the message's hidden headers, it really came from IP address 18.104.22.168 which is in Guizhou, China, according to IP2Location™.
- It had no Subject (the Subject line was blank).
- It was addressed to my personal e-mail address (redacted here in red), and the body referred to that address as my Microsoft ID, but I really use a different e-mail address as my Microsoft ID.
- The IP address from which the alleged sign-in came is not a valid IP address. IPv4 addresses comprise four numbers from 0 to 255, and IPv6 addresses have a totally different syntax.
- The instruction "Please check out document for further instructions" pointed to a web address which was also not Microsoft's (and different from the domain on the From line).
Obviously, I didn't click on the link.
The “missing font” scam
Surfing with the popular browser Google Chrome, you happen upon a web site that appears garbled, and a notification says
“The web page you are trying to load is displayed incorrectly as it uses the ‘Hoefler Text’ font. To fix the error and display the text, you have to update the ‘Chrome Font Pack’.”
So you obediently click the “Update” button, and install “Chrome Font v7.5.1.exe”.
Bang! Your system is infected with malware. You violated my number 1 rule: only install executable files
obtained directly from publishers you trust.
Note: While this example cites Firefox, scams of this sort can affect
users of any browser. It is easy for code on a web site to determine which
browser the visitor is using, and configure a custom message for that visitor.
You are visiting a web site, when suddenly your browser screen is replaced
by one like shown below. What do you do?
If you accept the offered “upgrade” then you have compromised your computer.
Remember my advice to only install software obtained directly from the publisher. Personally I have
never heard of “baehobelmo.org” (see the address bar in the screen shot above), and I
can be certain that this site is not part of the Mozilla organization which publishes Firefox.
Also please notice that the extension “.js” of the file being offered, firefox-patch.js,
designates an executable file. Opening any executable file surrenders
total control of your computer to its distant and unknown author.
What should you do instead? Just close your browser. No harm is done if you don't install the phony “upgrade.”
Next, consider how you got to this page. Most likely, the page you were visiting before it appeared embedded
some third-party advertising, and that advertising carried a browser redirect taking you to this phony site.
If you can identify the ad containing the redirect, inform the webmaster of the page you were visiting that
his embedded ad was malicious.
And you should always directly check your browser's publisher for updates.
With Mozilla Firefox, that is very easy to do: Just pull down the “Help” menu and choose “About Firefox.”
You will get a screen like this one:
The words “Firefox is up to date” indicate that no update is needed. If a newer version were available,
download instructions would appear here, or depending on your setup, the newer version would automatically install.
TALLAHASSEE, Fla. - The Department of Highway Safety and Motor Vehicles (DHSMV) is warning consumers that they may be targeted by a company representing itself as the DHSMV demanding payment for fraudulent citations. The company, which is not associated with the DHSMV in any way, will send emails to consumers requesting payment of a citation within a certain timeframe and if the payment is not received on time, the company will falsely require a daily late fee payment.
Example of phony e-mail
The email sent to consumers includes a linked payment page and email address. While the linked payment page appears to be inactive at this time, the DHSMV is warning consumers that this is a scam and no payment should be made. If a consumer has made a payment, they should refute the charge and take the appropriate security measures with their financial institution.
Consumers should note the following:
- The DHSMV and Clerks of Court do not email citations to customers;
- The DHSMV and Clerks of Court do not require citation payment via email;
- Citation numbers are always seven alpha-numeric digits;
- If a consumer receives a notice regarding a suspicious citation, they should contact the local Clerk of Court or call the DHSMV immediately.
The Florida Department of Highway Safety and Motor Vehicles (DHSMV) provides highway safety and security through excellence in service, education and enforcement. DHSMV is leading the way to a safer Florida through the efficient and professional execution of its core mission: the issuance of driver licenses, vehicle tags and titles and operation of the Florida Highway Patrol. To learn more about DHSMV and the services offered, visit www.flhsmv.gov, follow us on Twitter @FLHSMV or find us on Facebook. For safe driving tips and techniques, download the official Florida Driver License Handbook.
You get an e-mail, apparently from one of your financial services providers,
stating that there has been some suspicious activity on your account, so click
on this link for details. In reality, the mail is phony, its From address is spoofed,
and the link leads to a site designed to trick you into divulging your login credentials (phishing)
or to install malicious software on your computer (drive-by download). If you receive
such an e-mail, do not click on any links in it. Instead, if in doubt about your account,
visit your financial service's web site via a trusted bookmark and check your account there.
Here is an example of one I recently got. Notice that the link leads to a site in
Moscow, according to the useful site ip2location.com.
You get an e-mail, ostensibly from a friend, stating that he or she
took an unplanned vacation and was robbed, so please send money.
Most likely, your friend is safe at home, and either his e-mail account
was hacked or his address was spoofed.
You may notice a “Reply-to” line in the header so that your reply
goes not to your friend but to the hacker who has created a similar, but subtly
different address. If you reply and send money, you will
never see your money again. Instead, you should call your friend on the
phone and discuss the situation.
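Several of the header clues described on this page (a “From:” address that is your own, a “From:” domain that is not even the service being imitated, a “Reply-to” that diverts your answer to a subtly different address, a blank Subject) can be checked by a program. The Python below is an added example, not part of the original page; the sample messages, addresses and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed cut-off: above this, two addresses count as "subtly different".
LOOKALIKE_THRESHOLD = 0.8


def audit_headers(raw_message, my_address, claimed_domain=None):
    """Return the red flags found in the visible headers.

    An empty list does not prove a message genuine: From: can be forged to
    match anything, so these checks can only ever condemn a message.
    """
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    flags = []

    # Mail "from" yourself that you did not send.
    if from_addr and from_addr == my_address.lower():
        flags.append("from-is-your-own-address")

    # The sender did not even spoof the service the message imitates.
    if claimed_domain and from_addr:
        domain = from_addr.rpartition("@")[2]
        if domain != claimed_domain and not domain.endswith("." + claimed_domain):
            flags.append("from-domain-is-not-" + claimed_domain)

    # Replies would go to a different mailbox than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        similarity = SequenceMatcher(None, from_addr, reply_addr).ratio()
        if similarity >= LOOKALIKE_THRESHOLD:
            flags.append("reply-to-lookalike")
        else:
            flags.append("reply-to-differs")

    if not (msg.get("Subject") or "").strip():
        flags.append("blank-subject")
    return flags


# Constructed sample messages (all addresses are placeholders).
ROBBED_FRIEND = "\n".join([
    "From: Pat Jones <pat.jones@example.com>",
    "Reply-To: Pat Jones <pat.j0nes@example.com>",
    "To: you@example.org",
    "Subject: Robbed on vacation, please help",
    "",
    "I was robbed while travelling. Please send money.",
])

SELF_SPOOF = "\n".join([
    "From: you@example.org",
    "To: you@example.org",
    "Subject:",
    "",
    "Click here.",
])

UNUSUAL_SIGN_IN = "\n".join([
    "From: Microsoft account team <security@college.example>",
    "To: you@example.org",
    "",
    "Unusual sign-in activity. Please check out document.",
])

GENUINE_LOOKING = "\n".join([
    "From: Pat Jones <pat.jones@example.com>",
    "To: you@example.org",
    "Subject: Lunch on Friday?",
    "",
    "Are you free?",
])

if __name__ == "__main__":
    print(audit_headers(ROBBED_FRIEND, "you@example.org"))
    print(audit_headers(SELF_SPOOF, "you@example.org"))
    print(audit_headers(UNUSUAL_SIGN_IN, "you@example.org", "microsoft.com"))
    print(audit_headers(GENUINE_LOOKING, "you@example.org"))
```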
You get an e-mail, ostensibly from a reputable file-sharing service,
for example Dropbox or Google docs,
stating that someone has used their service to share a file with you,
so click here to view. You click on the link. Gotcha! It may lead
to a phony look-alike page on the hacker's server which collects your log-in
credentials. Some examples:
The shared file scam
Several red flags highlight your way:
- The e-mail probably did not really come from Dropbox or Google docs, but from the hacker. The address on the
message's “From:” line was spoofed.
- You probably do not know the person who allegedly sent it to you. It may say something vague like “a friend”
or “your financial institution.”
- The link does not lead to the file sharing service, but someplace else.
(See “Where does a link really lead?” above.)
- Although “view” sounds innocuous enough, you really have no
idea what you are getting. It could be a malicious
executable file to take over your
from Sophos Naked Security
The credit card concern scam
You get an e-mail, ostensibly from the issuer of one of your credit
cards, advising you of a security concern with your card, and offering
a link to resolve the concern and warning that if you don't act then your card will be declined. But
really there is no problem with your card, the e-mail comes from a hacker, and the link leads to a phony site which will either ask for personal
details (for the crime of identity theft) or install malicious software
onto your computer.
Notice these clues that the message was phony:
- It begins “Dear Customer.” Your credit card company knows and will use your name.
- It refers to “your account.” A legitimate message would tell you which account, e.g. by giving the last four digits of your account number.
- The link which looks like http://americanexpress.com does not really lead there. See “Where does a
link really lead?” above.
The customer reward scam
You get an e-mail, ostensibly from a business of which you are a customer,
thanking you for your loyalty and offering a gift card as a reward. Simply
click this link to “activate” your reward. Beware!
As likely as not, the real sender of the e-mail has nothing to do with the
business they claim to represent (remember, the “From:” address
may be spoofed), and the link only leads to misery for you: either it
will install malicious software or trick you into completing a “survey”
or otherwise divulging personal information. See “Where does a
link really lead?” above.
USAA is a reputable insurance company,
which e-mails its policyholders their insurance ID cards in PDF format.
Nothing wrong with that, no scam there. But scammers have taken the
opportunity to forge realistic-looking e-mail messages (see below) which
closely mimic USAA's e-mail message, with a few exceptions:
- The genuine one is sent to just you; the phony one is sent to a long list of e-mail addresses.
- The genuine one addresses you by name, the phony one begins “Dear Driver.”
- The genuine one shows your name and the last four digits of your USAA number in the “USAA SECURITY ZONE” in the top-right corner;
the phony one shows no name and a random 4 digits.
- The genuine one specifies which vehicle USAA insures for you; the phony one does not.
- The genuine one carries a PDF file attachment; the phony one carries a ZIP archive containing a malicious executable .SCR file.
You get a phone call or e-mail stating that they have discovered a problem
with your computer and offering to fix it if only you'll allow them remote
access to it. They may or may not ask for your credit card number to
charge their “support fees.”
A telephone caller may claim to be from Microsoft, which is a good reason
to not believe him—Microsoft does not make phone calls! He may invite
you to follow a procedure and discover a number among the system files of
your computer, which he says “proves” your computer is infected,
when in truth every computer has that number.
Or maybe a realistic looking pop-up tells you that you have an infection,
and offers a “help” button to learn more and fix it. It may ask
you to call a phone number, where a friendly-sounding agent will ask for your
credit card number and/or password to allow him remote access to your computer.
Likely the pop-up is phony, and the “help” button leads to more misery. Your
only concern should be, where did that pop-up come from, and how did it get onto my
In an extreme case, you stumble on a web advertisement which contains
code to lock up your browser (apparently your whole computer). Pretending
to be ransomware, it displays a demand
for payment to unlock it. If the recipient of such an ad would
either kill their browser from Task Manager or restart their computer, everything
would be fine, but some victims don't know what to do and pay the ransom.
Speaking of malicious ads containing code which locks up your browser, if you
encounter such an ad and get rid of it by closing your browser, you certainly
don't want to go right back there when you later re-open it. Therefore you
should configure your browser's settings to always start up with either a blank
page or a page you trust (e.g. google.com), never to automatically
return to the last page you visited before you closed it.
Special note to users of Microsoft Edge, which is notorious
for always automatically reopening previous tabs, and therefore returning
automatically to such malicious ads. Several users have suggested
- Close your Edge browser, if you haven't already.
- Disconnect your computer from the Internet (unplug Ethernet cable or turn off WiFi radio)
- Re-open the Edge browser.
- Clear all of your browsing history, and then close Edge.
- Connect the Internet back up and open Edge again.
Be very careful to whom you give remote control over your computer. Not everyone
who claims to be “support” is on your side! Remember that once
you give someone remote access to your computer, they may install software
giving them permanent control over it. Effectively, they now “own”
your computer, even though you house it and feed it electricity.
Here is an example: I was reading a blog page recommended by a dear friend, when my
session was interrupted by the advertisement copied below, accompanied by an annoying
beep-beep-beep from my speaker. Based on my experience with such matters, this was
obviously a phony warning message designed to trick me into either calling the so-called
“Help Desk” at the number shown or entering my User Name and Password
(I am not sure which ones they wanted, but I was not about to divulge any of them).
So I simply closed my browser and re-opened it. No problem. However, my concern is
that someone of less technical savvy might be tricked into calling the number (and
thus talked into giving them a credit card number for unnecessary "support.")
Apparently the author of the blog sells ad space to an agency, which rotates
the ads it displays. Even the ad agency may be unaware that one of their customers
is posting such misleading and malicious ads.
For more information see
- Tech Support Scams from U.S. Federal Trade Commission, May 2017
- 'Tech-support scam' allegedly bilked millions from computer users by Kevin McDermott, St. Louis Post-Dispatch, May 13, 2017
- FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams by the Federal Trade Commission, May 12, 2017
- Cold Call Tech Support Scams Increasingly Common by Lucian Constantin, Softpedia, August 2, 2010
- Omni Tech Support Complaints and Reviews by Scamero
- 5 Tips to Avoid Tech Support Scams by Katie Nielsen
The Dual-Extension Trick (Phony cell-phone pictures)
You get an e-mail apparently from a username at vzwpix looking like
a ten-digit phone number (spoofed of course),
as would suggest pictures from a cell phone. The
attachment is not a JPG image but a ZIP file containing a file named
8400587498Img_Picture.jpeg.exe. Luckily you have changed your Windows
settings so as not to hide known extensions, so you recognize the
executable file and don't open it. Whew!
The ACH Transfer Form
You get an e-mail, ostensibly from a well-known bank, reading:
“Please fill out and return the attached ACH form along with a copy of a voided check.”
There are two red flags in that one! First, I only give ACH transfer forms and voided
checks to businesses I trust, in conjunction with a transaction I have initiated.
And second, the attachment is a ZIP archive containing an executable file, which
most certainly installs malicious software on the computer of anyone who runs it.
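Both the dual-extension trick and the ZIP-wrapped executable (the .SCR in the phony USAA mail, the ACH “form”) can be spotted from file names alone, without opening anything. The Python below is an added example, not part of the original page; it reads only the names inside an archive and never extracts them. The extension lists beyond .exe, .scr and .js, and the sample archives, are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions this page calls executable, plus a few more added for the example.
EXECUTABLE = {".exe", ".scr", ".js"} | {".bat", ".cmd", ".com", ".pif", ".vbs"}
# Harmless-looking extensions used as the decoy half of a double extension.
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def classify_name(name):
    """Return 'double-extension', 'executable' or None for one file name."""
    leaf = PurePosixPath(name.replace("\\", "/")).name
    # Windows ignores trailing dots and spaces, so "x.exe. " still runs.
    parts = leaf.rstrip(". ").split(".")
    exts = ["." + p.strip().lower() for p in parts[1:]]
    if not exts or exts[-1] not in EXECUTABLE:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY:
        return "double-extension"
    return "executable"


def audit_attachment(filename, data):
    """Return [(name, verdict)] for the attachment and, if a ZIP, its members."""
    findings = []
    verdict = classify_name(filename)
    if verdict:
        findings.append((filename, verdict))
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():   # names only, no extraction
                    verdict = classify_name(member)
                    if verdict:
                        findings.append((member, verdict + "-inside-zip"))
        except zipfile.BadZipFile:
            findings.append((filename, "unreadable-zip"))
    return findings


def build_zip(member_names):
    """Build an in-memory ZIP of harmless placeholder files (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in member_names:
            archive.writestr(name, b"placeholder, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    picture = build_zip(["8400587498Img_Picture.jpeg.exe"])
    print(audit_attachment("8400587498.zip", picture))
    print(audit_attachment("id_card.zip", build_zip(["id_card.SCR"])))
    print(audit_attachment("id_card.pdf", b"%PDF-1.4 constructed sample"))
```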
The Phony Friend/Link Request
You receive an e-mail, ostensibly from a social networking site
of which you are a member (e.g. Facebook, LinkedIn) saying
so-and-so wants to be your friend, so click here to accept the link.
As soon as you click on the link, your computer is compromised. Or
maybe it takes you to a phony login screen (see below). Problem is,
the e-mail was a forgery (spoof) which didn't really originate from
the service it seemed to, and the link didn't lead to that service
but to a hacker's site (which may closely resemble its legitimate
Next time, you won't believe the “From:” address on the
e-mail (see “Ways to tell a phony e-mail” above) and you
will check where the link leads before clicking it (see “Where
does a link really lead?” above).
This scam has been around since the 1960's, but people are still
falling for it. You see a log-in screen which looks just like the
log-in screen of your e-mail system, social network, bank or other account, so
obligingly you enter your username and password. You don't know
it, but you have unwittingly given a hacker full control over your
account. Next time, you'll be more cautious:
- Look in your browser's Address bar and make sure the page onto which you're typing really
belongs to the service to which you intend to log in.
- Be especially cautious if a log-in screen pops up at unexpected times. For example
if you're already logged into your social networking site or reading your e-mail and you click on a link in a
post or e-mail message, and a new log-in screen pops up, it is probably phony. Maybe
you shouldn't have clicked on that link in the first place.
See: New, highly effective phishing technique targeting Gmail users, WFLA News Channel 8, Tuesday, January 17, 2017
You receive an e-mail, ostensibly from a reputable news source like
CNN, BBC, or MSNBC, stating that someone has shared a news item with
you. The headline sounds amazing, so you click on the link to learn
more. The link infects your computer with malicious software and
your computer now belongs to the hacker.
The Fax (or Scan)
You receive an e-mail telling you that you have received a fax (or a
scan) and it is attached. The “From” address is forged to
be something familiar so it slips past your spam filter. However,
the attachment is not really a fax or document image but an executable file, so as soon as you open it,
your computer belongs to the hacker.
“Someone who cares has sent you a greeting card”
You get an e-mail saying “someone who cares” or “a
family member” has sent you a greeting card, so “click
here to open it.” Eager to find out who sent it to you, you
click on the link or open the attachment. Gotcha! You've been
Legitimate e-card services will tell you the name of the friend
or relative who sent you the card. Even so, before opening it,
verify that the link actually leads to a greeting card service you
recognize and trust. Depending on your e-mail client, you can
usually do this by hovering your mouse over the link while watching
the status line. If in doubt, contact the friend and ask if they
really sent you a card.
The “You Sent a Payment” trick
You get an e-mail, ostensibly from PayPal or a credit card company,
“confirming” that you sent a payment which you know you
didn't send. Just click on this link for details, the message says.
The “Your Computer is Infected” trick
In one variation, a shady web site pops up a window appearing like
a system notification, stating that your computer is infected by a
virus. Click here to download the software that will cure it. Only
problem is, the pop-up is phony and the software in fact takes over
your computer for malicious purposes.
In another variation, an anonymous telephone caller says he's with
“The IT Department” or a major software company, and with
a routine scan has identified malicious software on your computer.
If you'll only permit him remote access to your computer then he
will remove it for you. You'd be a fool to grant any stranger even
temporary remote access to your computer, and if you did, you'd find
that he installs software he needs to permanently give him control
One common way hackers take control is by popping up a
notice telling you that you have a virus and to call a certain number for
help in removing it. Just close the window and don't call the number.
If you do, call
Do not call that number! What you should do instead is determine how and why that notice popped up in the first place.
If it is a web browser window, it is probably an “advertisement” embedded from a dubious site you were
browsing. Just closing the window should solve it. Conversely, if it came from anywhere else, you should scan your system
for malicious software.
- If you give them your credit card number, then they will fraudulently charge your card.
Your bank will have to cancel the card to get them to stop.
- If you give them remote access to your computer, then they will install malicious software
to give them permanent control.
The “Air Fare Sale” trick
You get an e-mail ostensibly announcing very low prices on plane
tickets (maybe even free) from a major airline. Just click here for
details. However, the e-mail comes not from an airline but from a
“Your bill is now available”
You get an e-mail appearing to be from a popular vendor or financial
institution (e.g. Amazon.com, Verizon Wireless, PayPal,
CitiBank, etc.) which looks just like a routine notification that
your bill is available on-line. A very few clues suggest that the
mail is phony: It does not include your real name (e.g.
begins “Dear Customer” or “Dear Cardholder”),
or the balance due is way in excess of what you expect. It includes
a link “View your detailed bill.” Eager to find out
the problem, you click on that link. Gotcha! The link installs
malicious software. You learn, next time you'll hover your mouse
over that link and look at your status line to see where it really
leads before clicking on it. If in doubt, you'll go directly to
your vendor's web site via a bookmark you trust, to view your
You get an e-mail purporting to be from a known software publisher
like Microsoft or Adobe, claiming that your software is out of date
and needs to be updated, so click here to install the update. Only
problem is, the e-mail didn't really come from that publisher, and
the link installs malicious software. Gotcha!
In a variation, you visit a dubious web site offering exciting
videos (e.g. late-breaking news or erotic videos), but in the
box where you expect a video, you see a notice stating you need an
updated video player, so click here to install it. Gotcha!
Example phony media player advertisements: Beware!
Remember two important rules:
- Legitimate software publishers do not send updates by e-mail.
- Links on untrusted web pages are not trustworthy.
can be configured to automatically update themselves by connecting
directly to their publisher's legitimate server--this is the
preferred way to keep your software up to date. And if you do need
an update that didn't get installed this way, please directly visit
the publisher's web site by going to a known, trusted address,
rather than by a link in an unsolicited e-mail or dubious web page.
The “notification pending” trick
An e-mail pretends to come from Facebook, LinkedIn, or another
popular social-networking site. The “From:” address is
forged (spoofed) accordingly, and the body exhibits a phony but
convincing replica of that service's graphics and tells you that you
have a notification, friend request, or other message pending on
their system, so click here to get it. Gotcha!
The wise user, upon receiving such an e-mail, will not click on the
link in the e-mail without first checking where it really leads.
(In some e-mail programs, you can hover your mouse over the link and
read the status bar.) Better yet, just delete the e-mail and then
log into your networking site in the usual way to see what messages
may await you there.
Emil Protalinski of ZDNet gives details of one version of this trick
in his article
Virus warning: Someone tagged or added a photo of you on Facebook.
Your craigslist ad has been posted
You get an e-mail, ostensibly from craigslist, confirming that your
advertisement has been posted. Only problem is, the ad isn't yours,
and the item advertised isn't one you're selling. So you click
on the link provided to view the ad in full. Gotcha! The
“From:” line was a forgery (spoof), and even though the
visible text shows a craigslist address, the hidden hyperlink leads
somewhere else. You need to learn to hover your mouse over a
hyperlink to see where it
really leads before you click on it.
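The hover check described above can also be done mechanically. The following is an added example, not part of the original article: it reads the HTML body of a message and reports every link whose visible text names one host while the hidden hyperlink goes to another. The sample message and all host names in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible link text that itself looks like a web address or host name.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not currently inside a link"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def same_site(shown_host, real_host):
    """True when the real host is the shown host or a subdomain of it."""
    shown, real = shown_host.lower(), real_host.lower()
    shown = shown[4:] if shown.startswith("www.") else shown
    return real == shown or real.endswith("." + shown)

def suspicious_links(html):
    """Return (visible text, real host) for links that show one host but lead to another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        real_host = urlsplit(href).hostname or ""
        shown = HOSTLIKE.match(text)
        if shown and not same_site(shown.group(1), real_host):
            flagged.append((text, real_host))
    return flagged

# Constructed sample message body; every host is a reserved example name.
SAMPLE = """
<p>Your ad has been posted:
<a href="http://203.0.113.7/view.php?id=1">http://www.ads.example.com/post/1234</a></p>
<p><a href="https://www.ads.example.com/help">www.ads.example.com/help</a></p>
<p><a href="http://ads.example.com.login.example.net/">ads.example.com</a></p>
<p><a href="https://shop.example.org/">Click here</a></p>
"""

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE):
        print(f"shown: {text!r} -> really leads to: {host}")
```

The third sample link shows why the comparison is made on the end of the host name: a real host that merely starts with the trusted name belongs to somebody else. Links whose visible text is just words ("Click here") carry no claim to compare, so they still need the hover check.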
The “order confirmation” trick
You receive an “order confirmation” e-mail ostensibly from
a known retailer (e.g. Amazon.com) or a known credit card (e.g.
MasterCard) confirming a purchase you allegedly made. You know
you didn't make the purchase, so you click on a link to view the
If you suspect that something you didn't order was charged to you,
you should go directly to your credit card company by telephone or
by the link you trust and usually use—not the link in
the e-mail. If you can't corroborate the e-mail, that confirms that
it was phony.
The parcel delivery problem
You receive an e-mail message telling you that a parcel you
shipped could not be delivered, and please click here (or open the
attachment) for details. Gotcha!
The giveaways are that you didn't ship a package recently, the
e-mail comes from a shipping agency you don't patronize or doesn't
exist (e.g. United States Parcel Service or United Postal
Service), and it is very vague except for the insistence that you
open the attachment or click on the link. Besides, how would they
know your e-mail address, anyway?
The travel reservations trick
You get an e-mail ostensibly from an airline, hotel or travel agent
saying that they have your reservations, just click here to see the
details. You don't recall making any, so you click to investigate.
Unless the e-mail comes from an agent with whom you already made
and includes information which a stranger
would not know (such as your full name, travel dates, itinerary,
flight numbers, etc.) it's safest to just delete it.
“Is this you in this video?”
You get an e-mail message, apparently from a friend, asking “Is
this you in this video?” You wonder what videos showing
yourself might have been posted on-line, so you click the link.
In a variant of this scheme, the link takes you to a page pretending
to be a video player unable to play the video unless you install
a new video driver. Gotcha! Please see the “software
update” trick above, and my page about
“I liked your profile ... here's mine”
This one preys on people having profiles on singles dating or social
networking sites. You get an enticing e-mail flattering you on your
profile and inviting you to click on a link to see their profile, or
open an attachment to see their picture. Gotcha!
The dead giveaways are that the e-mail doesn't state which profile
the writer saw or where he saw it, or what it was about it he liked.
It's vague enough to apply to anybody with a profile anywhere!
Also, legitimate social networking services don't give out your
e-mail address. If someone responds to your profile, their response
will be forwarded by the service, not come directly from the
correspondent. If, having read all this, you still feel compelled
to reply, then you should ask which profile the person saw and,
“Just what about my profile was it that you liked?” Only
proceed if you get a credible response to this question.
Here is an obviously phony e-mail message, because it claims to have gotten my
e-mail address from Facebook, and Facebook does not give out my e-mail address:
My name is Blessing. i got your email address while browsing today at www.facebook.com, can we be friends? i will like to know you more then.
I will tell you more about myself with my picture as soon as i get your reply, I believe we can move from here! (Remember the distance,colour or age does not matter but love matters a lot in life)hoping to read from you,
The “job offer” (or opportunity) scam
You're looking for work, and you get an unsolicited e-mail
purporting to offer you a job. Full details are in this link; click
To defend against this one, look carefully at the e-mail. Was it
addressed to you by name (as a legitimate inquiry would be) or
just by e-mail address? Did the writer say what it was about your
résumé that interested him or her? Does the offer
state the physical location of your new workplace? (If not, why
not?) Your salary? (Legitimate employers save this for a printed
job offer letter.) Does it urgently request immediate action
(within minutes or hours)? If it seems to have come from a
job-search site where you have a résumé listed, are
you sure? Some spammers forge, or “spoof” the address
of a well-known job site. As always, never click on a link unless
you're sure where it leads. (See “Where
does a link really lead?” above.)
The erotic photo trick
An unsolicited e-mail carries an attachment or link with a cover
letter claiming it's an erotic photo. For example, here's one I
Fortunately, my virus scanner deleted the attachment. Yours may or
may not. Here's
about a similar trick.
Hey. I am attaching a pic of my big boobs. Enjoy my love!
“Your e-mail account will be terminated”
This one threatens to cancel the recipient's e-mail account unless
certain very personal details are divulged by return e-mail. Of
course the e-mail doesn't really come from your service provider
(who would already have this information), and your response allows
the scammer to steal your identity. Here's one example:
Delete this junk mail. If you still suspect something wrong with
your e-mail account, contact your service provider by a trusted
We are currently upgrading our database and as such terminating all
unused accounts to reduce congestion on the network. To prevent
your account from being terminated, you will have to update it by
providing the information requested below:
PLEASE CONFIRM YOUR EMAIL IDENTITY NOW!
Email : ......................
Password : ..................
Date Of Birth : ..............
NOTE: Your data and information will not be interfered with or
tampered we will just record your data back into our data base and
send you an email and after 24hours. Warning!!! Account owners
that refuses to update their account may lose such an account
Message Code: NXDT-4AJ-ACC Thank you, Mail Support Team.
Upgrade on your Webmail Account.
You get an e-mail telling you that your e-mail account will be
suspended unless you install some updates right away, and conveniently
the e-mail includes a link to install them. Only problem is, the
sender of the message has nothing to do with your e-mail account, and
the link actually installs malicious software (malware).
In the above example, an astute reader might ask why someone at
Chung Chang University in Taiwan would be suspending anyone's Yahoo Mail
account. An even more astute reader might suspect that the “From:”
address might be spoofed and it didn't really come
from Chung Chang University.
The wisest response is to ignore or delete
this message, and if you are still concerned, check with your e-mail provider
by their known and trusted address to see whether updates are really
The “Credit Card Overdue” trick
You get an e-mail claiming that your credit card payment is overdue,
but the late fee will be waived if you open the attachment right
away, or complete and submit this form. Catch is, the e-mail didn't
come from your bank, the attachment installs malicious software on
your computer, and the form doesn't go to your bank but sends your
personal information to the con artist who sent it to you. Gotcha!
What to do instead: Delete the junk mail. If you really suspect
something is amiss with your credit card, log in to the bank's web
site via a link you trust and check your account activity there.
The “Better Business Bureau” trick
You get an e-mail purporting to be from the Better Business Bureau
reporting a complaint against you. Details are in the attachment.
However, the e-mail is phony and the attachment (or link) leads to
malicious software. Gotcha!
The Wedding Invitation
You get an e-mail inviting you to a wedding, except it doesn't name
the bride and groom, state the location or give any other important
details, which are supposedly on the linked page. If you click for
details, your computer belongs to the hacker.
You are Cordially Invited to Celebrate
the Our Wedding
On Tuesday March the 29 at Four O'clock
Followed by a Reception
This example was received in 2013, in which March 29 is not Tuesday.
Notice also the bad grammar, “the Our”.
You get an e-mail stating that you've won a lottery, click for
details. If you do, maybe you download malware, or maybe you're
asked to pay a “processing fee” to claim your winnings.
Questions to ask: Did I buy a ticket in that lottery? Did I give
my e-mail address when I did? Does the e-mail make reference to
that purchase? Unless all three answers are yes, the e-mail is
either a malware scam or a financial scam.
“Scan from a Hewlett-Packard ScanJet”
You get an e-mail from someone you don't know with the above title,
and are tempted to open the attachment. After all, what could be
wrong with a scanned image? Gotcha! Problem is, it's not a scanned
image, but a link to install malicious software on your computer.
A web site offers a free download of a popular music album, movie,
or other software, but to get it you must first download and install
an executable download utility (in .exe
format). Be very careful! Reputable distributors (like Amazon.com) may provide
an innocuous downloader (like
Amazon's MP3 Downloader), but other, unscrupulous
distributors may include malicious code in their downloader, so that
while your music is downloading, so is their ability to take over
control of your computer. Remember, opening any
executable file gives total control of your computer to its distant and
unknown author, so you should only use executable files obtained directly from
publishers you know and trust.
The phony self-extracting archive
An archive file is a big file containing lots of little
files. For example, a music album might be stored as a single
archive containing a separate file for each song or track. Popular
archive formats include ZIP and RAR. Normally, an archive file
needs an application program to unpack it (extract the individual
files it contains), e.g. WinZIP or WinRAR.
For the convenience of people who might receive an archive file,
publishers of archive software offer an option to create a
self-extracting archive file, which is an executable file
(.EXE) comprising an archive file plus extraction software in a
single file. So far, all that is legitimate.
Unfortunately, hackers have seized on the opportunity to distribute
malicious executable files disguised as self-extracting archives,
to trick their recipients into installing their malicious software.
Remember, any time you run any
executable file, you give its author full control over
your computer system.
Therefore, when obtaining archive files, it is strongly recommended
that you choose the regular archive format over its self-extracting,
executable counterpart. Even if you get the executable format,
you still should be able to open it with your trusted archive
application without actually executing it. If you can't, do not
open it (execute it) directly.
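Opening a self-extracting archive without executing it can be shown in a few lines. This is an added example, not part of the original article: it uses Python's standard zipfile module to list what is inside a file that begins with an executable header, and reports when no archive is there at all. It assumes a ZIP-based archive (the standard library does not read RAR), and the sample files are constructed in memory with a dummy, non-runnable stub.

```python
import io
import zipfile

def build_zip(files):
    """Build a ZIP archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def inspect_download(blob):
    """Classify a downloaded file and list archive members without running anything.

    Returns (kind, member_names), where kind is one of:
      "archive"          plain ZIP data
      "sfx-archive"      executable header followed by ZIP data that can be listed
      "executable-only"  executable header and no readable archive inside
      "unknown"          neither of the above
    """
    is_exe = blob[:2] == b"MZ"  # DOS/Windows executables start with "MZ"
    try:
        # zipfile finds the directory at the END of the file, so it can read
        # ZIP data that has an extractor program placed in front of it.
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ("executable-only" if is_exe else "unknown", [])
    return ("sfx-archive" if is_exe else "archive", names)

def risky_members(names):
    """Members that are themselves programs or scripts deserve a second look."""
    risky = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk")
    return [n for n in names if n.lower().endswith(risky)]

# Constructed samples. FAKE_STUB stands in for an extractor program; it is
# only an "MZ" marker padded with zeros and cannot run.
FAKE_STUB = b"MZ" + b"\x00" * 510
ALBUM = build_zip({"01-track.mp3": b"ID3 constructed",
                   "cover.jpg": b"\xff\xd8 constructed"})
GENUINE_SFX = FAKE_STUB + ALBUM
DISGUISED = FAKE_STUB + b"no archive here"

if __name__ == "__main__":
    for label, blob in [("album.zip", ALBUM), ("album.exe", GENUINE_SFX),
                        ("album2.exe", DISGUISED)]:
        kind, names = inspect_download(blob)
        print(f"{label}: {kind} {names} risky={risky_members(names)}")
```

A result of "executable-only" is the case the text warns about: a file presented as a self-extracting archive that a trusted archive tool cannot open. A result of "sfx-archive" only tells you what is packed inside, not what the attached extractor program would do if run.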
I'm not sure whether this topic belongs on this page, since whether or not it
is about truly malicious software is open to argument. But I get really
angry about sneakware, and I feel like I have to warn people somewhere.
By definition, sneakware is unwanted software which tags along for
the ride when installing something you want. In that sense it is a kind of Trojan horse,
although the latter term is usually applied to truly malicious software (malware).
Sneakware comprises commercial applications which are not truly malicious, because
some users deliberately and voluntarily choose to install them. However, because their
publishers stand to gain by getting as many users as possible, they pay the publishers
of unrelated software to bundle their installers together, so that when a consumer
installs a desired piece of software, the sneakware gets installed too.
When installing any software, particularly that which is distributed free or at very
low cost, pay careful attention to the questions it asks when being installed. In
the installer, don't be afraid to always choose the “advanced” installation
over the “standard” one. Do not just click OK, OK, OK all the way through
on each screen. Instead, read carefully the options presented (especially the pre-checked ones)
and ask yourself whether they truly represent your wishes. If you don't understand them, ask a
more computer-literate friend to explain them. Some of the options to be careful about are:
- Make [this software] the default application to open everything it can [thus replacing
the associations you have already made between file types and your favorite applications
to open them]. If you're like me, you probably already have a preferred way of opening the
files on your system, and you may not want this newcomer to replace them.
- Also install the ________ browser. Unless you're installing a browser (software
to display web pages) today, why would you want to accept such an offer?
- Make ________ your default browser
- Make ________ your default search engine
- Install the ________ toolbar
You need a software driver for an old piece of hardware, so you enter a description into Google
and you find an advertisement for the “Intel® Driver Update Utility” featuring
this screen shot:
If you accept the bait and download this software, you have just turned over full control of
your computer to the hackers. Sometimes, the hackers even charge you money for the privilege!
The problem is, you didn't get it directly from Intel!
The genuine software
The genuine Intel® Driver Update Utility is available free of charge
directly from Intel.
To be sure, verify that the URL begins:
As of this writing (December 2015) the screen of the genuine utility looks like this. Notice any difference?
Of course, any hacker could clone any screen shot for his ad, just as easily as I did for this
article. So you should not rely on screen shots to determine software authenticity. Instead the rule is:
Only download software directly from a publisher you know and trust.
The “Fun Content” Trick
By now, I shouldn't have to state the obvious danger in this advertisement:
Dangerous advertisement: Beware!
The “Serious Malfunction” Trick
You're surfing the web and a window pops up telling you of a serious malfunction and instructing you to call a specific number for technical support.
The helpful technician tells you that to fix your computer he will need you to give him remote access. Trouble is, the window was phony and
the technician is a hacker who installs software to give him full control of your computer. After that, he owns your computer and all your personal data.
The information about your operating system and browser is routinely made available by web browsers for web servers to use; all this
page did was parrot it back as part of the phony warning message. What is especially funny in this case is that the operating system is OS X (by Apple)
and the browser is Chrome (by Google) and yet the message says to call Microsoft technicians! That alone should be a dead giveaway that the message is phony.
Copyright © 2010-2016 Richard C. Pasco. All rights reserved.