• Anatomy of an eMail Scam Attempt

    #167400

    Ever get a worrisome eMail that causes you to want to do something about it right away?

    First answer: STOP! Think!

    Consider the following attempted scam eMail I received:

    [Screenshot of the scam eMail: ScreenGrab_NoelC4_2018_02_14_110225]

    Wow, I might think, I need to click through that link because I didn’t set any hold on my mail service. I need to go see what’s up.

    But wait, let’s stop and think about this for a moment…

    – Who sent it? MailHold@sujacsewing.com? That’s certainly not the US Postal Service! They spoofed the name as “USPS” and maybe some eMail clients wouldn’t show the reply eMail address, but most clients allow you to see it if you look for it. Even the reply eMail address itself is likely spoofed, using some hapless business’ domain. BIG RED FLAG here.

    – Would someone in the United States format dates in Day/Month/Year format? No, and certainly not the government. Another red flag.

    – I must have Microsoft Word installed on my PC? Why? Do we really think the postal service would require that?

    – I wouldn’t use my business’ support eMail address for any legitimate hold mail request.

    – There are several mildly alarming phrases, such as “cannot be canceled” and “Dont call me” that are put there to try to get me to react, not think.

    – If it’s the real United States Postal Service, shouldn’t my name, physical address or at least some more information that would personalize this notification appear in the message?

    – The message seeks (subtly in this case) to get us to click through a link.

    When we look this over in general, we start to realize that it’s really quite an amateurish attempt to manipulate a recipient into a knee-jerk reaction, to follow a link and presumably (I didn’t click through it) download a document that likely attacks Microsoft Office / Word to try to infect the recipient with something.

    Morals:

    NEVER react quickly without thinking to something you’ve received, no matter how important you may feel it is to deal with it quickly.

    ALWAYS think first, seek to verify authenticity of the source, look for odd inconsistencies, and seek alternate means to contact your legitimate service institutions.

    Treat anything that seeks to grab your attention with suspicion and even contempt. Don’t do what THEY want you to do. Do what YOU think makes sense.

    -Noel

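The red flags listed in the post above (a display name that claims a brand the sending address does not belong to, a Reply-To pointing elsewhere, a day-first date from a supposed US sender, pressure phrases, a demand for Microsoft Word, a bare link, and delivery to a business support mailbox) can be applied mechanically as a first-pass triage before anyone clicks. The script below is an added example, not code from the original post or from any product. The sample message is constructed and uses example.com, not the real scam mail; the BRAND_DOMAINS table (which assumes usps.com is the only legitimate USPS sending domain), the role-mailbox set and the pressure-phrase list are likewise assumptions to be tuned for your own environment.

```python
"""Heuristic first-pass triage of a raw e-mail, mirroring the red flags in the post."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the described scam; not the real message and not a real sender.
SAMPLE_MESSAGE = """\
From: "USPS" <mailhold@example.com>
Reply-To: "USPS" <mailhold@example.com>
To: support@example.org
Subject: Hold Mail confirmation invoice
Date: Wed, 14 Feb 2018 11:02:25 -0500
Content-Type: text/plain; charset=utf-8

Your hold mail request dated 14/02/2018 cannot be canceled.
The shipping information has been enclosed to this message.
Microsoft Word is required to view the attached document.
Review the request here: http://example.com/holdmail/confirm
Dont call me.
"""

# Assumption: brands a display name may claim, mapped to the domains that really send for them.
BRAND_DOMAINS = {"usps": {"usps.com"}}
# Assumption: mailboxes at which a personal postal notice would never legitimately arrive.
ROLE_MAILBOXES = {"support", "info", "sales", "admin", "webmaster", "postmaster"}
# Constructed list of pressure phrases; extend it with what your users actually receive.
PRESSURE_PHRASES = ("cannot be canceled", "dont call", "don't call", "immediately", "act now")

DMY_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased; '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within(domain: str, allowed: set[str]) -> bool:
    """True when domain equals, or is a subdomain of, one of the allowed domains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (or the single body) of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> list[str]:
    """Return human-readable red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags: list[str] = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name claims a brand, but the address domain is not that brand's.
    claimed = sorted(b for b in BRAND_DOMAINS if b in display.lower())
    for brand in claimed:
        if not _within(from_domain, BRAND_DOMAINS[brand]):
            flags.append(f"display name claims {brand.upper()} but address domain is {from_domain}")

    # 2. Replies would go to a different domain than the one that sent the mail.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 3. A personal postal notice addressed to a business role mailbox.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.split("@", 1)[0].lower() in ROLE_MAILBOXES:
        flags.append(f"sent to role mailbox {to_addr}")

    body = _body_text(msg)
    lower = body.lower()

    # 4. Day-first numeric dates (day > 12) are unusual from a US sender.
    for day, month, _year in DMY_DATE.findall(body):
        if int(day) > 12 >= int(month):
            flags.append(f"day-first date {day}/{month} unusual for a US sender")
            break

    # 5. Wording designed to make the reader react rather than think.
    for phrase in PRESSURE_PHRASES:
        if phrase in lower:
            flags.append(f"pressure phrase: '{phrase}'")

    # 6. A postal notice that insists on specific desktop software.
    if "microsoft word" in lower:
        flags.append("demands Microsoft Word to view the document")

    # 7. Links whose host is not a domain of the brand the message claims to be.
    for url in URL.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        for brand in claimed:
            if not _within(host, BRAND_DOMAINS[brand]):
                flags.append(f"link to {host} is not a {brand.upper()} domain")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_MESSAGE):
        print("RED FLAG:", flag)
```

Run it and the sample trips seven of the post's red flags while a plainly addressed notice from a usps.com address with a US-style date and a usps.com link trips none. The checks are deliberately cheap header and body heuristics; they complement, rather than replace, SPF/DKIM/DMARC results and the "stop and think" habit the post recommends.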
    • #167735

      This is a great example, and your analysis was very helpful, because you looked at multiple things that might alert someone… and explained them. I’ve had that ‘bad feeling’ about an email before, but couldn’t exactly identify why. This helps me actually know why I don’t want to click that link…

      Thank you very much!

      Non-techy Win 10 Pro and Linux Mint experimenter

    • #167760

      The date format was a really good point. That was one I missed completely.

      For the fun of it, a couple other red flags:

      – total lack of any USPS logos, header/footer, etc.

      – inconsistent terminology (is it “HoldMail”, “Hold Mail” or “holdmail”? Is it a confirmation invoice or confirmation notice?)

      – odd grammar (“the shipping information has been enclosed to this message”?)

    • #167765

      Noel: Thanks for that. I too received a variation of that email a few months ago. It had the same clues and leads. Plus I worked for the USPS a lifetime ago.

      The big ones now that I see are Walmart, Target, and Amazon gifts, tracking emails, bonuses or confirmation receipts in PDF format, or with hyperlinks. NO, NO, NO for all. I do not normally use any of them, and if I do, it is in person and paid cash.

      It is all social engineering – make the person do what they would not normally do or have been told not to do. All the cybersecurity and OPSEC will not protect against the weak link who is the target, the distracted user, or far, far worse – the curious user.

      Great example.

    • #167771

      “First answer: STOP! Think!”

      I would amend this as follows:

      “First answer: STOP! If you’ve had a few beers don’t even try to think, just stop until tomorrow”

      “Second answer: In the morning, Think!”

      ;=)

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      • #168025

        Exactly right. No one likes to admit they may be occasionally compromised – by a substance, emotionally, by being tired, by age… But it’s reality.

        It’s a shame that there are so many out there throwing a dragnet out for folks who are even momentarily off their games.

        The only real solution would be to change the culture of people to regard trying to take advantage of others as wrong, but the chances of that happening aren’t too good when the incentives are instant gratification and the downsides virtually non-existent. When the authorities are so overwhelmed that they can’t even find the time to stop killers whom they have been specifically warned about, who’s likely to prosecute a scam eMailer?

        -Noel
