Wed, Feb 22, 2017 11:10 pm
PhishMe Phishing Email
I received an email message today stating that all users of a system I use
for work must update their security questions on a bi-yearly basis and that
my account would be locked out in twenty four hours if my security questions
were not updated within that time. Within the message was the
Uniform Resource Locator (URL)
for the relevant website.
The message seemed suspicious, since I would expect to have received
prior notices before one informing me I had only 24 hours left to
update the questions and also I've not encountered instances of
such sites requiring security questions to be updated on a periodic
basis, though it is common to require passwords to be updated
When I hovered my mouse pointer over the link in the message, I found
that the first part of the name in the
fully qualified domain name (FQDN) looked like something
I would expect in a site name for my employer, but the ending of the
domain name was securefileshares.com, which would not be a site I would go
to to modify security questions for a work-related system. On my laptop,
I use Outlook 2016 as my email;
to view the email
header for a message in Outlook 2016, you can take these steps, but most
email clients provide a mechanism to view a message's header, which will show
the originating system and other email servers a message has passed through.
Viewing the header information, I saw the following lines:
Received-SPF: Temperror (SPF Temporary Error: DNS 'NoneType' object has no attribute 'header') identity=mailfrom; client-ip=188.8.131.52; helo=mail.nova.phishme.com; firstname.lastname@example.org; email@example.com
Received: from mail.nova.phishme.com (mail.nova.phishme.com [184.108.40.206]) by
X-PhishMeTracking: TjaVg7y+fe0Q/<text snipped>
The header lines showed it was a training exercise, since
PhishMe is a company
that helps organizations train their employees to avoid
But, if you have a question about whether a message you have received
is legitimate or is a spoofed message that appears to come from a legitimate
sender, such as your employer, bank, or some source you would trust,
it is best to type in a link rather than click on one within an email, unless
you observe the actual link very closely. It can also help to identify
a message sent by someone spoofing a legitimate sender by examining message
headers. It is trivially easy for a spammer, malware purveyor, or other
malefactor to spoof a "From" address, so you should never assume that a
"From" address is a reliable means of identifying a message's actual sender.
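The header and link checks described in this post, as an added Python example (not code from the original post): it parses a constructed sample message, reports the earliest Received hop, the SPF verdict and any X- headers, and flags links whose host is not under the expected domain. The trusted domain example.org, the sample addresses and IPs, and the function names are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, not the message from the post: header names and the
# phishme.com / securefileshares.com hosts follow the post; example.org, the
# addresses and the IPs (documentation ranges) are placeholders.
SAMPLE = """\
Received-SPF: Temperror (SPF Temporary Error) identity=mailfrom;
 client-ip=192.0.2.10; helo=mail.nova.phishme.com
Received: from mx.example.org (mx.example.org [198.51.100.7])
 by inbox.example.org; Wed, 22 Feb 2017 10:02:11 -0500
Received: from mail.nova.phishme.com (mail.nova.phishme.com [192.0.2.10])
 by mx.example.org; Wed, 22 Feb 2017 10:02:09 -0500
X-PhishMeTracking: CONSTRUCTED-PLACEHOLDER
From: "IT Security" <it-security@example.org>
To: user@example.org
Subject: Update your security questions within 24 hours
Content-Type: text/plain

Update here: http://example-org.securefileshares.com/questions
Help desk: https://helpdesk.example.org/
"""


def under(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze(raw, trusted_domain):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    # Each relay prepends its Received line, so the last one is the earliest
    # hop. Lines below your own mail server's can be forged by the sender.
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(value))
        hops.append(m.group(1).lower() if m else "?")
    origin = hops[-1] if hops else ""
    spf = str(msg.get("Received-SPF", "none")).split()
    hosts = [urlsplit(u).hostname or ""
             for u in re.findall(r"https?://[^\s\"'<>]+", msg.get_content())]
    offsite = [h for h in hosts if not under(h, trusted_domain)]
    brand = trusted_domain.split(".")[0].lower()
    return {
        "from_domain": from_domain,
        "origin_hop": origin,
        "from_matches_origin": under(origin, from_domain),
        "spf": spf[0].lower() if spf else "none",
        "x_headers": [k for k in msg.keys() if k.lower().startswith("x-")],
        "offsite_links": offsite,
        # Employer-looking name in front of an unrelated registered domain.
        "lookalike_links": [h for h in offsite if brand in h],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "example.org").items():
        print(f"{key}: {value}")
```

The suffix test in `under` compares on a dot boundary, so a host such as example.org.securefileshares.com is not mistaken for a subdomain of example.org.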
Thu, Oct 06, 2016 9:46 pm
Indian scammers posing as U.S. IRS employees busted
I heard some good news on the radio while driving home from the office this
afternoon. Indian law enforcement officers arrested 70 people working in
call centers on the outskirts of Mumbai
who were involved in a phone scam operation where they
would call U.S. citizens and leave voice mail messages where they claimed to be
U.S. Internal Revenue Service (IRS)
payments for taxes those called supposedly owed with the threat of arrest
if the callee doesn't pay. Assistant police commissioner Bharat Shelke
stated that "Fearing arrest, some used to call back, and employees
at the call center then demanded a few thousand dollars to settle the
case." Shelke also stated that an estimated $36.5 million was extorted
from Americans duped into paying the scammers. Unfortunately, the police
haven't yet caught the ringleaders of the operation.
Indian authorities stated that the callers were trained to disguise their
Indian accents, so that they would sound more like native-born Americans.
Employees of the scammers were given a six-page script with tips on how to
allay potential victims' suspicions. For their jobs as criminals, callers
were paid between 10,000 rupees and 70,000 rupees every month, which is
equivalent to between $150 and $1,050 U.S. dollars, police said. Shelke
stated "Employees were aware of the fraud, but since they were getting
a good salary, they remained silent."
I received a call from a
scammer pretending to be an IRS employee in February of this year. In that
instance, the person I spoke to had an obvious Indian accent. When I told
him I knew he was a fraudster, he responded with a reference to a sexual act
and hung up. Subsequently, my wife has received many similar bogus IRS calls.
In the case where I spoke to the caller in February, the scam operation was
spoofing the calling phone number.
Such scammers don't target just Americans. Tax agencies in Canada and
Australia have all issued warnings over such scam callers. Last year,
Sahil Patel, a scammer residing in
Pennsylvania, was sentenced to 14 1/2 years in prison for his role in
a similar scam where callers posed as law enforcement officers or tax agents.
He was also ordered to forfeit one million dollars. The call centers
Patel worked with used software that allowed them to spoof calling numbers so
that those called would see a phone number that appeared to be associated with
the agency with which the callers claimed to be associated.
At a Senate hearing in 2015 prior to Patel's conviction, a
U.S. Department of the Treasury official estimated that
such scams generated between 9,000 and 12,000 complaints a week and had gained
scammers more than $15.5 million from 3,000 victims.
So kudos to Indian law enforcement officers for the recent operation; I hope they catch the kingpin(s) for whom those arrested worked.
Indian police seek kingpins in tax scam aimed at Americans
By Rajendra Jadhav and Rahul Bhatia | Mumbai
Date: October 6, 2016
Pennsylvania man gets 14-1/2 years in prison for India-based phone scam
By Joseph Ax | New
Date: July 8, 2015
Sat, Jul 16, 2016 10:16 pm
Windows Technical Department Scam
My wife received a call at 1:02 PM Eastern Time today from someone with an
Indian accent claiming he was from the "Windows Technical Department" calling
because they noticed that our "computer is infected with some harmful viruses."
The call was obviously a scam, but I picked up the phone and played along for
several minutes to see what the person would try to do. He had
me open the Windows Event Viewer
and suggested that the entries I saw in
the Application log indicated the system was infected with viruses. There
will normally be a plethora of entries in the log associated with the normal
functioning of a Microsoft Windows system, but I can understand
how such con artists might be able to scare someone who has never
looked at such log entries before into thinking they were evidence of
something being terribly wrong with his/her system. When I asked him
what percentage of people he called fell for the scam, he insisted it
wasn't a scam. When I asked him if he was calling from outside of the
U.S. and so felt immune from prosecution in the U.S., he hung up. When
I used *69 to get the calling number I found it was 315-825-8947.
When I tried calling the number, I heard a recorded message stating
"The person you are trying to reach is not accepting calls at this time.
Please try your call again later."
When I then searched online for that number, I found others reporting
receiving similar scam calls from that number, e.g., at the 800Notes page at
I found reports such as "They called me 4 times. I finally picked up
on the last time and it was a woman with an Indian accent claiming to
be from Windows Tech Support and I immediately hung up. This is a scam."
Fifty minutes later, my wife received a similar call again at 1:52 PM
from someone with an Indian accent. She informed the caller that she knew
it was a scam and asked to be removed from the calling list. I used
*69 again and this time I was informed that the calling number was
315-639-8222. I found that number also listed at the 800Notes site at
When I tried calling that number I heard a message that "The number you
have reached has been disconnected or is no longer in service."
We received two more "Windows Technical Department" calls within a
couple of hours. We were watching a series on Netflix during that period
and I didn't try to check those two calling numbers with *69.
I think it was the second call where I again picked up the phone and talked
to the caller who again had an Indian accent - my wife told me all four
seemed to have an Indian accent. I asked where he was calling from and he
told me New York. I asked him what company he worked for; he said "Windows
Technical Department". I asked him if he knew what company produces Windows.
He didn't answer, but attempted to continue with his spiel telling me where
to click with the mouse. I tried to see if he knew anything except the spiel
he had been given, but this caller wanted to stick with the spiel telling me
where to click, though he eventually hung up when I told him to hold on for
a minute while I went to another phone, where I was going to record our
My wife gets very annoyed by such calls; she's usually the one picking
up the phone for our home phone number, which is a
service from our cable provider. I haven't received such scam calls on
my cell phone number, though I do get a fair number of unwanted telemarketing
calls on that number,
spoofed numbers. My wife said she frequently gets the Windows scam calls
when I'm not home. A few months ago,
I received a call on our
home number from another scammer pretending to be from the IRS.
Our phone numbers are on the U.S. Federal Trade Commission (FTC)
Do Not Call
list, but, of course, scammers, and many telemarketers as well, don't bother
checking that list.
Coincidentally, today I read an article on the Ars Technica site titled
Mobile carriers aren’t doing enough to fight robocalls, senators say. I
wasn't pleased by the following paragraph in that article:
AT&T CEO Randall Stephenson recently
that AT&T doesn't have the "authority" to implement new robocall blocking
technology in its mobile network, even though the Federal Communications
clearly stated last year that carriers have the "green light"
to offer robocall-blocking services to consumers.
Fri, Feb 26, 2016 10:11 pm
Scammer pretending to be calling from the IRS
This morning at 8:12 AM my time I received a call from someone speaking
with what sounded like an Indian accent who claimed to work for the
U.S. Internal Revenue Service (IRS)
asking me if I was aware
that a warrant had been issued in the state of Maryland by the IRS for my
arrest. Since I have not received any correspondence recently from
the IRS by postal mail and it seemed unlikely an IRS employee would call
me to notify me that a warrant was issued for my arrest, I was angered,
but not worried by the call. I asked the caller where he was calling from
and he said he was located in Washington D.C., which is, of course, the location
for the IRS. I asked for the calling phone number and he told me
1-800-829-1040. I was so irked by what seemed like an obvious
scam attempt that I didn't let him go through his whole spiel
to learn the details of how the scam was conducted. Instead, I
simply told him that the call seemed like a scam and he seemed
like a fraudster. He immediately responded with profanity and
hung up; his knowledge of American profanity at least seemed good.
of Chapter 1 of Part 5 of the Internal Revenue
Manual states that it is a violation of IRS policy for an employee to
use "obscene, profane, or abusive language", so that was only another
indicator that the call was fraudulent.
After he hung up, I used *69 on my phone to see what calling number was
reported. The calling number reported was 1-800-829-4933. That number and
the one he gave are actual IRS numbers. The 1-800-829-4933 number is the
IRS main taxpayer assistance line listed at
How to Get Tax Help from the IRS and the 1-800-829-4933 one is the
one listed on that same page for taxpayers to call with small business-related
questions. However, it is common for telemarketers and scammers to spoof
the calling number. Unfortunately, it seems that is fairly easy for them
to do. E.g., often when I receive telemarketing calls to my mobile phone I
notice that the first six digits of the calling number match those of my
phone, but if I call the number back, the person who that phone number
actually belongs to will answer and knows nothing about such calls.
Telemarketers spoofing calling numbers is a common way to make it more
difficult for people to identify the actual originating phone number when
they file a complaint, but also telemarketers will spoof a calling number
to make it more likely that the callee will think that he/she is receiving
a local call and thus answer the phone. Con artists will spoof a calling
number from a legitimate business, organization, or government agency
to dupe a callee into thinking the call is legitimate.
After I hung up, I found the October 15, 2015 article on the IRS website,
IRS Warns of Pervasive Telephone Scam, which notes:
The Internal Revenue Service today warned consumers about a
sophisticated phone scam targeting taxpayers, including recent immigrants,
throughout the country.
Victims are told they owe money to the IRS and it must be paid promptly
through a pre-loaded debit card or wire transfer. If the victim refuses to
cooperate, they are then threatened with arrest, deportation or suspension
of a business or driver’s license. In many cases, the caller becomes
hostile and insulting.
The article notes "that the first IRS contact with taxpayers on a tax
issue is likely to occur via mail", which is what I would expect and lists
the following characteristics for the scam:
- Scammers use fake names and IRS badge numbers. They generally use
common names and surnames to identify themselves.
- Scammers may be able to recite the last four digits of a victim’s
Social Security Number.
- Scammers spoof the IRS toll-free number on caller ID to make it
appear that it’s the IRS calling.
- Scammers sometimes send bogus IRS emails to some victims to support
their bogus calls.
- Victims hear background noise of other calls being conducted to
mimic a call site.
- After threatening victims with jail time or driver’s license
revocation, scammers hang up and others soon call back pretending to be
from the local police or DMV, and the caller ID supports their claim.
The article notes that you can file a complaint with the
Commission (FTC), a consumer protection agency, regarding such
You can file a complaint using the
FTC Complaint Assistant; choose “Other” and then “Impostor Scams.” If the
complaint involves someone impersonating the IRS, include the words “IRS
Telephone Scam” in the notes.
Note: I found that I needed to select "Scams and Rip-offs" and then
"Impostor Scams", which is for "Someone posing as a well-known business,
a family/friend, or a government agency". After that I made the following
selections (it didn't seem to be as obvious as I would have expected how
one should file a complaint regarding someone pretending to represent
a U.S. federal government agency):
- How were you contacted? Phone
- Are you contacting us to complain about the company’s telemarketing
- Did the person: Pretend to be a representative or employee of a
local, state, or federal government?
You will then be taken to the "Information Collection" step where
"In just a few moments you will be able to tell your story in your own
words. But first we would like to collect some information." After I
completed the complaint submission process, I saw the following information:
Thank you for submitting your complaint to the Federal Trade
Commission. Based on the information you have given us, we believe the
following links to our consumer website may be helpful to you:
Government Imposter Scams
If you have any questions or would like us to add additional information
to your complaint, please call 877-382-4357 to speak with a counselor.
The webpages to which the FTC link pointed had a link to another IRS
article on such phone scams titled
IRS Warns of Phone Scam.
Tue, May 29, 2007 10:32 am
Commerce Bank Phishing Email
When I checked my email today, I found a
that ostensibly pointed recipients to
http://commerceconnections-session843435953.commercebank.com/ibank/cmserver/verify.cfm, but which actually pointed to a phishing webpage at
I reported the spoofed site at the
following phishing report webpages:
Mon, Apr 23, 2007 9:00 pm
PayPal Phishing Page at Hong Kong University Removed
When I checked again, I found the PayPal phishing page that was located
on a webserver at the Hong Kong Polytechnic University this weekend was
Sun, Apr 22, 2007 2:59 pm
PayPal Phishing at Hong Kong Polytechnic University
When I checked to see if the spoofed
webpages were still present at
, I found the pages
were still accessible. Yesterday, someone forwarded a message to me
which stated an email address had been added to his PayPal account. The
message asked him to confirm the addition by going to a PayPal website, but
the link in the message actually led to the server at the Media Innovation
Centre in the School of Design at the Hong Kong Polytechnic University.
The recipient doesn't have a PayPal account. Whoever created the spam
message probably sent it to thousands of people with no way of knowing
how many of those recipients might have PayPal accounts.
I checked the online directory for the university today and sent another
message regarding the spoofed site; this time I sent the message to
the chair of the School of Design at the
university plus email addresses for people who appeared to be IT people at
the university, and some general contact addresses. Hopefully, one of them
can get the spoofed webpages removed and take action that will result in
the perpetrator being apprehended and disciplined.
Sat, Apr 21, 2007 8:15 pm
PayPal Phishing at a Hong Kong University
A user forwarded an email message to me today that attempts to lure
users to a website
at a university in Hong Kong. The email message asked the recipient to
verify the addition of an email address to his PayPal account by going
to the PayPal website. But the link actually directed anyone who clicked
on it to
. The "hk" at the end
of the domain name indicates the site is in Hong Kong, since "hk" is the
country code for Hong Kong. The "edu" before it indicates it is an
Going to http://mic.polyu.edu.hk/
instead, I found the following information for the site:
I reported the spoofed site to the contact address listed for the Hong Kong
The webserver being used to host the spoofed PayPal site apparently
belongs to the Multimedia Innovation Centre School of Design at that university.
I also reported this
attempt to PayPal via the PayPal
Report Fake Site/Spoof webpage.
And I reported the spoofed site at the
following phishing report webpages:
Thu, Feb 08, 2007 11:19 am
PayPal Phishing Site at bourke.pcpro.net.au
Someone forwarded a
email message to me this morning that was an attempt to garner PayPal userids
and passwords as well as personal information, including a credit card number
from unsuspecting PayPal users.
message attempted to trick PayPal users into going to a spoofed PayPal
website to confirm the addition of an email address to a user's PayPal
account. In reality, the link in the message would take the victim to
http://sv1.melbhosting.com.au/%7Eforcast/index.html, which would
redirect him to
http://bourke.pcpro.net.au/icons/.pay/pal/index.html. There he
would see a website mimicking the PayPal site where he would be prompted for
his PayPal userid and password. If he entered a userid and password, he
would see a form asking for personal information, including a credit card
I reported the spoofed site at 10:33 A.M. using PayPal's
Contact Us -
Protections/Privacy/Security - Report Fake Site/Spoof form. I also reported
the site to the Phishing Incident
Reporting and Termination (PIRT) Squad at 10:48 A.M. At 11:15 A.M. the
webpage to which the link pointed,
http://sv1.melbhosting.com.au/%7Eforcast/index.html was removed from
the webserver on which it resided, resulting in a "HTTP 404 - File not found"
message, but the spoofed PayPal site at bourke.pcpro.net.au was still
Sat, Sep 16, 2006 12:23 pm
Fake FDIC Email
E-mails fraudulently claiming to be from the Federal Deposit Insurance
Corporation (FDIC), which insures deposits in banks and thrift
institutions, are attempting to trick recipients into installing unknown
software on personal computers or into accessing a spoofed website. These
e-mails falsely indicate that recipients should install software that was
developed by the FDIC and other agencies or provide personal information
at a spoofed, i.e. fake, website. The software may be a form of spyware or
malicious code and may collect personal or confidential information. The
spoofed website attempts to gain confidential information.
The subject line of such e-mail messages may include any of the following:
Online Access Agreement Update
Urgent Notification - Security Reminder
IMPORTANT: Notification of Federal Deposit Insurance Corporation
The e-mail may request that recipients click on a hyperlink that appears
to be related to the FDIC, which directs recipients to an unknown
executable file to be downloaded, or may direct recipients to a webpage
requesting personal information. While the FDIC is working with the United
States Computer Emergency Readiness Team (CERT) to determine the exact
effects of the executable file, recipients should consider the intent of
the software as a malicious attempt to collect personal or confidential
information, some of which may be used to gain unauthorized access to
on-line banking services or to conduct identity theft.
The FDIC is attempting to identify the source of the e-mails and disrupt
the transmission. Until this is achieved, consumers and financial
institutions are asked to report any similar attempts to obtain this
information to the FDIC by sending information to firstname.lastname@example.org.
For further information on these "phishing" email messages, see the FDIC
Consumer Alerts webpage at