Correct. I recently received a series of fake payment notifications from PayPal that looked 100% genuine; but I didn’t buy anything or send money to anyone. A quick login to my PayPal account confirmed that the notification was fraudulent. I forwarded one of those messages to PayPal’s spam desk and deleted the messages.
… and I just received a similar scam today. The return address claims to be from American Express. But it had several telltales, including:
- The return address was from ...@amex.com. Apparently the sender was unaware (or figured you wouldn’t know) that amex.com is not American Express, but a redirector to the New York Stock Exchange’s American Exchange. (American Express is americanexpress.com.)
- Hovering over the links in the message shows that they link to some large and confusing URL belonging to a college in Mexico. Clearly no relation to American Express.
And this is without reading any headers and ignoring the fact that I don’t have an American Express card. (I have an AmEx corporate card, but it is tied to my work e-mail, not the one that received the scam.)
This also reminds me of a very old scam/chain letter asking for money for some child allegedly dying of cancer, where the original mail at the bottom of the chain had an address ...@acs.org, making people think it was from the American Cancer Society. Even though acs.org is actually the American Chemical Society. (The American Cancer Society is cancer.org.)
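The two telltales in the post above (a sender domain that merely resembles the brand, and link text that names one site while the href points somewhere else) can both be checked mechanically. The script below is an added example written for this thread, not code from any commenter or from TidBITS; the sample message is constructed, and every domain in it other than americanexpress.com is an invented placeholder rather than the real scam's host. The `registered_domain` helper is a deliberate simplification (last two labels of the hostname); a production check should consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. Domains other than americanexpress.com are
# placeholders invented for this example, not the real scam's hosts.
SAMPLE_HTML = """
<p>Dear customer, please
<a href="https://portal.example-college.edu/login/?id=9f3a">log in at americanexpress.com</a>
to lift the hold on your account.</p>
<p><a href="https://www.americanexpress.com/help">Help centre</a></p>
"""


def registered_domain(host):
    """Last two labels of a hostname ('portal.example.edu' -> 'example.edu').
    Simplification: a real tool should use the Public Suffix List so that
    names such as 'bank.co.uk' are reduced correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def sender_matches_brand(from_address, brand_domain):
    """True only if the part after '@' is on the brand's registered domain.
    An '...@amex.com' sender claiming to be American Express fails this."""
    host = from_address.rsplit("@", 1)[-1]
    return registered_domain(host) == brand_domain.lower()


def suspicious_links(html, brand_domain):
    """Return every link that either leaves the brand's domain or whose visible
    text names a different domain than the href (the hover mismatch)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = registered_domain(urlparse(href).hostname or "")
        named = {registered_domain(m)
                 for m in re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())}
        reasons = []
        if dest != brand_domain.lower():
            reasons.append(f"destination {dest} is not {brand_domain}")
        if named and dest not in named:
            reasons.append(f"text names {sorted(named)} but link goes to {dest}")
        if reasons:
            findings.append({"href": href, "text": text,
                             "destination": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(sender_matches_brand("alerts@amex.com", "americanexpress.com"))
    for f in suspicious_links(SAMPLE_HTML, "americanexpress.com"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run against the constructed sample, the first link is reported twice over (off-brand destination and text/href mismatch) while the genuine help link passes, and the `amex.com` sender fails the brand check exactly as the commenter describes.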
A simple, first line defense I use against spam, phishing, and social engineering scams is an email address that is only given to selected companies and organizations. Then when emails from, say, “American Express” or “Microsoft” hit my friends-and-family email box, I know the messages are fake.
It is easy to do this, even if you don’t maintain your own email server. Apple allows a limited number of aliases on iCloud email accounts. Yahoo, Microsoft, and Google—and many others—offer free email accounts. DuckDuckGo lets users establish an infinite number of disposable email addresses (I think Apple or DuckDuckGo may be the best options from a privacy perspective).
You’re not serious, are you? There’s no comparison. Also, I read David’s response, and now better understand the quandary. Still discouraging, nonetheless…
These are the kinds of things that I spend a lot of time trying to educate my clients about, which is why it’s so discouraging that the scammers can also spoof actual legit addresses. I get that it’s always been possible, and happens all the time. I just wish there was a way to stop it.
I also recommend using throwaway email addresses to battle spam, but it’s not a great solution for the average user, who doesn’t have a lot of time and energy for that level of effort.
Well, that makes me feel pessimistic that phishing attacks will ever diminish. I’d say trying to maintain constant vigilance against a frequently morphing threat takes a lot more time and effort than assigning xxx@icloud.com to bank accounts and using yyy@icloud.com for everything else.
I am serious and there absolutely is a comparison. In fact, it’s quite useful because it’s easy to immediately understand that a sender could write any return address on a physical envelope in a way that’s much clearer than realizing that an email address can be spoofed.
The dead giveaway to me, without needing to check from and reply-to addresses or the headers, is the text “Question’s ?”. The incorrect use of the apostrophe and the space before the question mark are common errors you see from the ignorant masses on the internet, not typically from a company like Microsoft that cares about its image.
I agree…but if a target is not reading carefully because they’re distracted, in a rush, or panicking (or is unable to read carefully due to a small screen), those red flags might go unnoticed until it is too late.
The fact that you noticed that means you’re not their target: