Posted by & filed under Latest.

Being in the IT industry for over 20 years and running The PC Support Group makes me acutely aware of spam e-mails and computer security in general. I am almost over-cautious and positively cynical about every e-mail I receive. Even an e-mail from my mother asking how my weekend went is met with a level of scrutiny that MI5 would be proud of.

Until recently the only e-mails I received trying to “encourage” me to give away personal information consisted of various alleged dissidents from third world countries who just happen to have millions of pounds stashed away and just happen to have come across me (and my e-mail) as a potential way to get the money out of the country. In helping them to do this the e-mail usually explains that I will save many families and their offspring from tragedy and I’ll pocket a few hundred thousand pounds in the process. Wonderful! In fact… too wonderful!

Ludicrous though the above scam may sound, many thousands of people around the world have fallen for this kind of scheme and have gone on to reveal their bank account details to unscrupulous fraudsters who have then used those details to empty the victim’s bank accounts.

OK, so let’s assume that you’re not that naive and you think you would spot one of these scam e-mails in an instant. Don’t be so sure! In the last few months the fraudsters have started to become much more inventive.

Let me tell you about a few very plausible examples I’ve received recently.

I, like many millions of people, have an eBay account and from time to time I use it to sell something I probably should never have bought or buy something that I probably don’t need. That aside, for those that have used eBay you will know that during the buying and selling process (mainly selling), you will receive messages from other eBayers concerning the goods. These messages vary but can be concerning payment which is not always the easiest process, with people wishing to pay in various ways and with some forgetting to add shipping costs, etc. In other words, receiving an e-mail about this is not uncommon and perfectly reasonable.

I have received a few such e-mails recently… and I have been selling a few items via eBay so they initially appeared genuine. However, on closer inspection a few things were noticeable. Firstly the e-mail came to my work address but I registered on eBay with a separate home address. How would eBay even know about my work e-mail? Secondly, the item number and eBay member didn’t match anything I’ve sold.

The e-mail was clear and brief and simply stated that there was a problem with the payment and that I should click on the link (in the e-mail) to confirm the payment information. The e-mail was fully branded and appeared to come from eBay.com.

Because I noticed the issues above I didn’t go to the next stage but I can tell you it would ask to log in and then reveal payment information such as PayPal account details or perhaps even bank account details.

So would you have spotted this? Of course you would! Perhaps you don’t use eBay or you haven’t used the account for months so you would instantly know it was a scam.

The thing to consider is that these e-mails are sent to thousands or even tens of thousands of people on a regular basis and they are looking to catch the right person at the right time. What if you did use eBay and you had sold or purchased something recently? What if the e-mail did come to the address you had registered on eBay? How quick would you be to just assume it was related? Never assume, check the details rigorously before clicking on any link within an e-mail or opening up an attachment to an e-mail.

On another occasion I received an e-mail concerning a problem with my Lloyds TSB bank account. It was incredibly convincing… except that I don’t have a Lloyds TSB account!

In this particular case it was easy for me to spot as I don’t have an account with this bank. But what if I did?

What if you received an e-mail from your bank which appeared to come from their domain (in this case it appeared to come from www.lloydstsb.co.uk), was fully branded with their logo and head office address, and was stating that your account could be closed if you didn’t urgently click on a link to verify your details? Would you click? Many do.

If you receive such an e-mail, allegedly from your bank, how would you know it was part of a scam?

The harder and more complicated thing to look out for is whether the link inside the e-mail actually takes you to the bank’s main web site. For example, in this case it would start with http://www.lloydstsb.com whereas the scam link will be a totally different site with the bank’s name embedded somewhere within it such as http://www.online-lloysdtsb.co.uk/login. To add to the complications the written link you can see in the e-mail isn’t necessarily the web address that it is linked to. Also, bear in mind that anyone can create a site named anything provided it’s not already taken. In theory I could set up a web site today called www.online-hmce.co.uk/vat but that doesn’t make me anything to do with HM Customs & Excise nor does it give me any right to your VAT payment information… but it can be pretty convincing if part of a well structured e-mail.

However, the easiest way to spot this type of scam is to consider this, banks never ask you to reveal any personal or bank details over the web. Never! So if you receive an e-mail like this, either ignore it or call your bank manager and ask them if they sent it.

I also received a similar e-mail requesting that I verify my PayPal account. Again, this was credible in every way except that PayPal would never ask for this information over the web.

A final example was more business related. At The PC Support Group we operate advertising campaigns with Google. It doesn’t matter if this doesn’t mean a lot to you but suffice to say that it requires us to login and provide payment details for the advertising as part of the process. I recently received an e-mail stating that my account would be deleted unless I clicked on a link within the e-mail. I almost did. After all, I do have an account with Google advertising, the e-mail was fully branded and appeared to come from Google and, in any case, it wasn’t requesting financial information.

The key to the success of this new breed of scam e-mail is that they can appear so relevant to you and almost innocuous in what they are initially requesting that we assume it’s genuine. As I said I’m pretty sceptical so I initially wondered why my account would expire. It had no reason to expire and I didn’t recall reading anything about expiring accounts previously. I also noticed the link didn’t go to www.google.com and finally I simply logged into my account to see if there were any messages or related information, there wasn’t of course. I simply deleted the e-mail.

One thing is certain; these scams will continue to get more sophisticated and more targeted. Imagine receiving an e-mail asking you to clarify your bank details in relation to some car financing when you have just taken out some car financing. What if that e-mail asked you to clarify details in relation to the car financing on your BMW when you have just arranged some finance for a BMW? Would you immediately assume they are related and start providing details? Remember that if the fraudsters send ten thousand e-mails (which costs them nothing) and only 5 people (0.05%) happen to fit the profile, and they respond, then that could give them access to tens of thousands of pounds.

So, to summarise, the fraudsters are getting much cleverer at creating plausible e-mails to try to encourage you to give away your personal and financial details. If they miss the mark with you then they are obvious (e.g. asking for details from a bank with which you have no account), but if they happen to fit your current circumstances then anyone could be fooled. Check all e-mails thoroughly and never simply click on a link from an e-mail and enter any personal details on the web. Instead, validate the details by contacting the organisation by phone and/or go to the organisation’s official web site (not via the e-mail link), log in to your account and see if there are any messages on your account relating to the issue. The chances are there won’t be!