An Annotated Field Guide to Identifying Phish

Yeah, I wrote about this scam a while back too.

That was nagging at the back of my head, but I was really thinking of muscle spasms. I’ll change it.

Actually, I just looked at the site that’s the most problematic for this (it’s a banking site and their app will often stop using FaceID after a bit, forcing me to put in the password, but won’t autofill from 1P) and the URL of the login site is completely different. It’s like the main site is and the login site is – I think the bank is too small to support their own login system so they license it from a third party. I have seen “are you sure?” warnings from 1P because it assumes I’m giving my password to a different site than the URL, which does make me nervous.

I never thought about doing that! I just added the secondary site, so next time it happens I’ll see if 1P will autofill. That will be safer and easier.

1 Like

Well, I want to find the person who decided that HTML formatting for email was a good idea and punch him/her in the mouth.

It’s worth learning how to view the message source and inspect the email headers to see where the message actually originated from. Here’s one guide: Find Out Where an Email Came From (Read Email Headers) | IT@Cornell

But part of the problem is that outsourced messaging is pretty much undistinguishable from spam email, and a lot of companies, including the so-called “professional messaging service providers” don’t properly set up things like SPF. Of course, CIOs are not held responsible for the problems their outsourcers produce. (And I see this particularly with UNH’s outsourced IT, with multiple messaging systems, multiple message originators all claiming to be a valid address.)

Just got this text. Non-native English speaker, head-scratching inclusion of “copyright” information, and weird non-Apple organizations listed are just a few of the tell-tale signs of phishing…

Actually you can set up both urls in the same entry so that it will autofill with either url. Depending on how you’ve set up…you might have to choose edit, then add field and choose url but in mine the alternate url field is already visible when I select edit.


I read your post and shuddered when you wrote that you rang the number in the email you received.

A better course would have been, after logging into the PayPal site from a bookmark or typing the URL by hand, to look up a contact number on the site.

When I clicked the Contact link at the bottom of the PayPal home page, this text was at the top of everything:

Received a suspicious email, message, invoice or money request? Don’t reply, open links, download attachments, or call any listed phone numbers. (emphasis mine) We’ll never ask for your PayPal password or financial details by email or message, or over the phone. Forward suspicious messages to and then delete them.

On the contact page there were links to chat as well as a phone number. I would expect that the phone number linked from the PayPal contact page was not the one in your email.

1 Like

If I’d have seen any one of these phishing messages, it would have immediately been deep sixed.

My motto to my kids and grandkids is to trust everything you see on the Internet and trust nothing on the Internet. The real answer is in-between.

Yes Jonathan, you are quite right! I was really duped and I had thought I was pretty smart and scam aware too. I have just googled the phone number that I rang and it is listed as linked to a bank scam and is quite different to the real UK Paypal contact phone number.

What completely fooled me was that I DID separately log in to Paypal, without replying to the email or clicking on the link or at that point considering phoning the number as I was sure that email was a phishing email, but then I discovered that by independently logging in to my account WAS showing a payment request for £989.99 from the person named in the email. I even checked the email’s full headers which looked good, so then I completely - stupidly - trusted that phishing email as being genuine and consequently falsely trusted the phone number it contained. Later I found on the Paypal site a record of my account having been accessed from a computer that was not mine - a useful security check I recommend everyone with a Paypal account should be aware of.

The scammers were very smart. They had sent me a phishing email to warn me about the fraudulent payment request that they had made! So, their real aim was not to gain £989.99 from me via Paypal (unless I would accidentally click on the Send Payment button or email link which some people in a flurry might do) but to get me to hand over personal bank details. What I cannot explain is that after I independently logged in to my Paypal account why did my attempt to click on the button cancelling this payment request result in an error message? It was only after receiving this error message that I wanted to make a phone call - although hours later the cancellation button did work. This failure to be able to make an online cancellation was crucial for the scammers to be able to execute their scam, certainly in my case. Could there have been any insider involvement in facilitating this scam? Is it easy for anyone to make a payment request from a Paypal account? The phishing email had a Send Payment link. Why did the scammers not simply falsely label this link as ‘Cancel Payment’ rather than ‘Send Payment’ so getting the victim to unwittingly authorise £989.99 being taken from their account?

The end result seems to have been that after I rapidly cancelled both my bank cards that I’d divulged details of and then afterwards closing my Paypal account the scammers failed to take any money, but their shrewdness in social engineering has to be admired. This was a well targeted attack, with a tiny sum deposited into my Paypal account effectively slowing down account closure. Unfortunately here in the UK it is open house for scammers as the police resources don’t match the scale of the problem. I have reported it to but media reports suggest that only actual losses over £10k stand any chance of being investigated.


On the flip side, I’ve received genuine emails that look phishy. This includes financial institutions. The language is usually OK, but the sender’s address and subject line can be obscure, and the messages may be brief and badly formatted.

I like the idea of not including clickable links (though I see those all the time in genuine emails), but I think companies could do more to check that their emails look professional. Then again, here in the UK many financial websites are pretty crummy.

That’s Apple’s Irish real corporate name and address. The only part that’s wrong is the misspelled name of the country (and the fact it’s actually in the Republic of Ireland, because “Ireland” is an island, not a country).

Obviously the URL is bogus.

1 Like

Well, that would be the correct spelling of the country, in French. :grin:

Just lately I’ve been seeing a lot of emails like this one - it’s full of phishing clues, but one of my clients fell for one just like it. This is addressed to me - from me. Except that I’m not in China and my return address to me is not in Russia!

Here’s another one I got a few days ago that I could easily see convincing someone to click. Simple is more believable.

That’s a really big PDF attachment for a report, though :slight_smile:

1 Like

My SO bought me a gift from Verizon, forgetting the email would go to me and he couldn’t stop the sales rep in time. I saw the email come in but it was plain Jane with an attachment that said Purchase Receipt. I hadn’t gotten any notification that someone was in the account so I didn’t open the attachment and junked it. 10 minutes later he calls and apologizes for spoiling the surprise and I just burst out laughing and told him I’d junked it thinking it was spam! Then I had to unjunk it in case he needed it back.



Yes, how hard could it be to set the subject to: “Purchase receipt for your shiny gadget / subscription plan / whatever” ? (Not that you would have wanted that in this particular case :slight_smile:)

PDF bills and receipts are similar. They’re all called “download.pdf” or meaningless strings of digits. I use Hazel to rename them, but I wish they could be sensibly named in the first place. It can’t be very difficult.

Clearly a Very Important Report that Adam should download without delay.

No I would not have wanted a descriptive subject, and I didn’t even guess what he got :)

This is the screenshot, it still looks like spam to me! Unknowingly or not, Verizon’s cheap looking email saved the surprise :D



I’ve seen a lot of that, too. I wonder how much of it gets caught by spam filters, which may account for bills that go unpaid.

You’ve hit the a home run with this article.

Your piece is linked from Bruce Schneier’s Schneier on Security site today.


1 Like