
Here Phishie Phishie Phishie

Scam emails have always been a problem, and some scammers are very good at tricking unsuspecting, trusting recipients into falling for them. Email users need to be taught how to recognise these messages and what to do with them.

You may ask, “How do illegitimate messages make it through the anti-spam filters?”

The answer is that no anti-spam filter is 100% accurate. Filters score each message using pattern recognition, and that is extremely effective: for most domains they block over 90% of the junk. Scammers know this, so they avoid putting anything in the message that a filter can easily recognise and instead tweak tiny details from one campaign to the next. If only a couple of small details are changed, and the mail is aimed at a few specific domains instead of being blasted out a few hundred thousand at a time, it takes longer for the filters to catch on to the new trend.

When you receive an email that seems unusual, you naturally start paying more attention. An email from your boss telling you to send a wire transfer immediately, for example, should put most people on high alert: for almost everyone that is an unexpected request from the boss, and email is not the normal way to make a request like that.

Another devious slant is to send notifications of invoices and other documents. A lot of companies do send invoices by email! But an infected attachment is too easy to block, so instead the scammers send a link to a "document". Clicking the link moves the user out of email and onto an external site that the scammer controls and can change at will. This should also be an immediate red flag to the end user: a genuine invoice is attached to the email, not referenced on a website.

In every case there are telltale signs that the email is not legitimate. The sender, for example, may have a name you recognise, but the email address is usually slightly different.

For example, "John Doe" <jdoe@ema1l.com> – it's not immediately obvious that the 'i' has been replaced with a 1. At a glance the sender looks fine; a closer look shows the address is not quite right.

Another trick is to put a legitimate-looking address in the visible display name so that it hides the real one, such as jdoe@email.com <jdoe@ema1l.com>. What you see is jdoe@email.com, but the message actually came from jdoe@ema1l.com, and that is where a reply will go.

As soon as your suspicions are triggered, you should start paying attention to the details.

  • Pay attention to the sender name and email address – it will usually be not quite right in some way, such as a misspelling or a domain/organisation you don't recognise
  • Be immediately suspicious of any email that is unexpected and comes from an unknown source
  • Hover your mouse over any link embedded in the email – the real URL isn't shown in the link text, but the hover reveals where it will actually take you. Those URLs are usually cryptic, or point at common public sites that anyone can use
  • Know how to find and read the email headers – not just the ones the scammer wants you to see, but all of them
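As an added example that is not part of the original post, here is a small Python script that automates the first three checks on that list. It splits the From header the way a mail client displays it (display name in front, real address in the angle brackets), compares the sender against an assumed address book (KNOWN_DOMAINS and KNOWN_CONTACTS are made up for the demonstration), looks for digit-for-letter look-alike domains such as ema1l.com, and reports any link whose visible text is a URL on a different host than the one it really points to. The message it analyses is constructed for this example, not a real capture.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture) using the tricks described above:
# a display name that is itself an address, a look-alike domain, and a link whose
# visible text is a URL that differs from its real target.
SAMPLE = """From: jdoe@email.com <jdoe@ema1l.com>
To: John Smith <john.smith@example.com>
Subject: Invoice 4471 is ready
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please review the invoice below.</p>
<a href="http://docs-share.example.net/x9q">https://email.com/invoices/4471</a><br>
<a href="https://email.com/help">Help</a>
</body></html>
"""

# Assumed address book: domains you correspond with and the people you know.
KNOWN_DOMAINS = {"email.com", "example.com"}
KNOWN_CONTACTS = {"john doe": "jdoe@email.com"}

# Digits that scammers swap in for look-alike letters (1 for i or l, 0 for o, ...).
CONFUSABLE = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t"}


def split_from(header):
    """Split a From header the way a mail client shows it: the text before the angle
    brackets is the display name, the address inside them is the one really used.
    email.utils.parseaddr is deliberately not used: a display name that contains an
    address is exactly the malformed input that parsers handle inconsistently."""
    m = re.match(r'^\s*"?(.*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip()
    return "", header.strip()


def lookalike_of(domain, known):
    """Return the known domain that `domain` imitates by replacing letters with
    look-alike digits (ema1l.com -> email.com), or None if it imitates nothing."""
    for good in known:
        if domain != good and len(domain) == len(good) and all(
            a == b or b in CONFUSABLE.get(a, "") for a, b in zip(domain, good)
        ):
            return good
    return None


def check_sender(from_header):
    """Apply the sender checks from the list above; returns a list of findings."""
    findings = []
    name, addr = split_from(from_header)
    domain = addr.rpartition("@")[2].lower()
    if "@" in name and name.lower() != addr.lower():
        findings.append(f"display name '{name}' is not the real address '{addr}'")
    expected = KNOWN_CONTACTS.get(name.lower())
    if expected and addr.lower() != expected:
        findings.append(f"'{name}' normally writes from {expected}, not {addr}")
    imitated = lookalike_of(domain, KNOWN_DOMAINS)
    if imitated:
        findings.append(f"sender domain '{domain}' is a look-alike of '{imitated}'")
    elif domain not in KNOWN_DOMAINS:
        findings.append(f"sender domain '{domain}' is not a known correspondent")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag links whose visible text is a URL on one host while the target is another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if re.match(r"https?://", text) and urlparse(text).hostname != urlparse(href).hostname:
            findings.append(f"link shows '{text}' but goes to '{href}'")
    return findings


def analyse(raw_message):
    """Run both checks over a raw message with a single HTML part."""
    msg = message_from_string(raw_message)
    return check_sender(msg["From"]) + check_links(msg.get_payload())


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("suspicious:", finding)
```

Run against the sample it reports three things: the display name is not the real address, ema1l.com is a look-alike of email.com, and the invoice link shows one URL but goes to another. The "Help" link is left alone because its text is not a URL, which is the same judgement you make when hovering.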

Finding the headers isn’t that difficult but deciphering them can be a little tricky.

In Microsoft Outlook:

  • Open the message in its own window
  • Click on File
  • Click on Properties
  • At the bottom is a section for Internet Headers – this is the info a scammer doesn’t want you to look at

Email headers tell the whole story of where the message originated and its path to your inbox. Each mail server the message passes through adds its own "Received: from" line at the top, so the Received lines read from the bottom up: the lowest one is the server closest to the sender and the topmost is the one that delivered to your mailbox. After the Received lines come the more familiar headers you see at the top of your message, along with more detail about who actually sent it.

Here’s an example of what headers look like:

NOTE: this is an actual email, with the source and destination obscured for the purposes of this demonstration. The headers to concentrate on are the Received: lines and the From: and Return-Path: lines.

Received: from SN6PR10MB2719.namprd10.prod.outlook.com (2603:10b6:320:31::26)
by MWHPR1001MB2144.namprd10.prod.outlook.com with HTTPS via
MWHPR18CA0040.NAMPRD18.PROD.OUTLOOK.COM; Tue, 20 Nov 2018 18:14:29 +0000
Received: from DM5PR10CA0019.namprd10.prod.outlook.com (2603:10b6:4:2::29) by
SN6PR10MB2719.namprd10.prod.outlook.com (2603:10b6:805:4a::12) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1361.14; Tue, 20 Nov 2018 18:14:28 +0000
Received: from TO1CAN01FT005.eop-CAN01.prod.protection.outlook.com
(2a01:111:f400:7e5d::200) by DM5PR10CA0019.outlook.office365.com
(2603:10b6:4:2::29) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1339.21 via Frontend
Transport; Tue, 20 Nov 2018 18:14:28 +0000
Authentication-Results: spf=pass (sender IP is 1.1.1.1)
smtp.mailfrom=somewhere.ca; somewhereelse.com; dkim=none (message not signed)
header.d=none;somewhereelse.com; dmarc=bestguesspass action=none
header.from=somewhere.ca;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of somewhere.ca designates
1.1.1.1 as permitted sender) receiver=protection.outlook.com;
client-ip=1.1.1.1; helo=asp.reflexion.net;
Received: from asp.reflexion.net (1.1.1.1) by
TO1CAN01FT005.mail.protection.outlook.com (1.1.1.1) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1339.10 via Frontend Transport; Tue, 20 Nov 2018 18:14:27 +0000
Received: (qmail 19519 invoked from network); 20 Nov 2018 18:14:26 -0000
Received: from unknown (HELO rtc-sm-02.app.dca.reflexion.local) (10.81.150.2)
by 0 (rfx-qmail) with SMTP; 20 Nov 2018 18:14:26 -0000
Received: by rtc-sm-02.app.dca.reflexion.local
(Reflexion email security v9.00.1) with SMTP;
Tue, 20 Nov 2018 13:14:26 -0500 (EST)
Received: (qmail 8257 invoked from network); 20 Nov 2018 18:14:26 -0000
Received: from unknown (HELO exchange.somewhere.ca) (1.1.1.1)
by 0 (rfx-qmail) with (AES256-SHA encrypted) SMTP; 20 Nov 2018 18:14:26 -0000
Received: from MAILSERVER.somewhere.local (192.168.1.5) by
MAILSERVER.somewhere.local (192.168.1.5) with Microsoft SMTP Server (TLS)
id 15.0.1395.4; Tue, 20 Nov 2018 10:14:25 -0800
Received: from MAILSERVER.somewhere.local ([fe80::d414:2710:2a2a:ce30]) by
MAILSERVER.somewhere.local ([fe80::d414:2710:2a2a:ce30%12]) with mapi id
15.00.1395.000; Tue, 20 Nov 2018 10:14:25 -0800
From: John Doe <johndoe@somewhere.ca>
To: John Smith <john.smith@somewhereelse.com>
Subject: Re: Hello
Thread-Topic: Hello
Thread-Index: AQHUgPnLyQSzuNXCHE+0e5BgSid55KVZfeQA
Date: Tue, 20 Nov 2018 18:14:24 +0000
Message-ID: <13166D99-E99A-43CF-BC54-C094FFCAF5EB@somewhere.ca>
References: <IP-0A0A01172TUSzbAU000015b3@ip-0A0A0117>
In-Reply-To: <IP-0A0A01172TUSzbAU000015b3@ip-0A0A0117>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.9.1)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.16.31.51]
Content-Type: multipart/related;
boundary="_004_13166D99E99A43CFBC54C094FFCAF5EBsomewhereca_";
type="multipart/alternative"
MIME-Version: 1.0
Return-Path: jdoe@somewhere.ca
X-MS-Exchange-Organization-ExpirationStartTime: 20 Nov 2018 18:14:27.4825
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
e8dcbfff-51ae-4dc7-658c-08d64f14023a
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 879edbff-3840-49a2-8fab-d4f7b1550130:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Matching-Connectors:
131872112675294385;(8c7daedc-f85f-4a88-c8c8-08d450bc8ffd);()
X-Forefront-Antispam-Report:
CIP:208.70.211.149;IPV:NLI;CTRY:US;EFV:NLI;SFV:SFE;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:SN6PR10MB2719;H:asp.reflexion.net;FPR:;SPF:None;LANG:en;
X-Microsoft-Exchange-Diagnostics:
1;TO1CAN01FT005;1:cyzge3fkWDJJdoA9E8sevUqNS1HFOFt0izaLa2+0UR5wifywb865jVpvMEZMYYD9UzUWFEBLAX9yl5G1W3mz5dup4BmRyHtmkMOwyC8gWjY/uKDz1g8pJA1Vz94bCMee
X-MS-Exchange-Organization-AuthSource:
TO1CAN01FT005.eop-CAN01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: e8dcbfff-51ae-4dc7-658c-08d64f14023a

I removed all the Exchange/Microsoft anti-spam headers to shorten this a bit, but expect headers to contain a LOT of information.

Most of this is transport and filtering metadata that only an IT specialist needs to read, so don't worry about it. Concentrate on the RECEIVED headers and the FROM headers. The sender's identity appears in more places than you'd expect: the From: line you see, the Return-Path: (the address bounces go to), the smtp.mailfrom and header.from values in Authentication-Results, and the host names in the Received: chain. A scammer cannot mask all of them, or the mail server won't process the message at all. If they don't all line up with the same domain, chances are this is a scammer and you are justified in deleting the message. One caveat: Received: lines added before the message reached your own mail provider's servers were supplied by the sender and can be forged; the lines added by your provider (in the example above, the protection.outlook.com hosts) are the ones you can rely on.
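As an added example (not part of the original post), the following Python script does that line-up check mechanically: it reads the Received: chain sender-first, marks which hops were written by servers you trust, and compares every place the sender's domain appears. The header block it reads is constructed for this demonstration, modelled on the example above but with the mismatches a scammer leaves behind; the sending hosts and IPs are made up, and the rule that hosts under protection.outlook.com are the trusted ones is an assumption about the recipient's provider.

```python
import re
from email.parser import HeaderParser

# Constructed header block (not a real capture), modelled on the example above.
# The topmost Received: line is the last hop; the bottom one is closest to the sender.
SAMPLE_HEADERS = """Received: from TO1CAN01FT005.eop-CAN01.prod.protection.outlook.com
 (2a01:111:f400:7e5d::200) by DM5PR10CA0019.outlook.office365.com with Microsoft
 SMTP Server; Tue, 20 Nov 2018 18:14:28 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.7)
 smtp.mailfrom=mailer.ema1l-notify.net; somewhereelse.com; dkim=none (message not
 signed) header.d=none; dmarc=fail action=none header.from=somewhere.ca
Received: from mailer.ema1l-notify.net (203.0.113.7) by
 TO1CAN01FT005.mail.protection.outlook.com with Microsoft SMTP Server;
 Tue, 20 Nov 2018 18:14:27 +0000
Received: from exchange.somewhere.ca (198.51.100.9) by mailer.ema1l-notify.net
 with SMTP; Tue, 20 Nov 2018 18:14:26 +0000
From: John Doe <johndoe@somewhere.ca>
To: John Smith <john.smith@somewhereelse.com>
Subject: Re: Hello
Return-Path: bounce@mailer.ema1l-notify.net
"""

# Assumption: hops written by these hosts belong to the recipient's own mail filter.
TRUSTED_HOP = re.compile(r"\.protection\.outlook\.com$")


def load(raw_headers):
    """Parse a raw header block (folded lines included) into a message object."""
    return HeaderParser().parsestr(raw_headers)


def parse_received(value):
    """Pull the 'from' host, its IP and the 'by' host out of one Received header."""
    flat = " ".join(value.split())
    frm = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", flat)
    by = re.search(r"\bby\s+(\S+)", flat)
    return {
        "from": frm.group(1) if frm else "?",
        "ip": (frm.group(2) or "") if frm else "",
        "by": by.group(1).rstrip(";") if by else "?",
    }


def hop_chain(msg):
    """Received headers are prepended by each server, so the topmost is the last hop.
    Return them sender-first, marking which ones a server you trust wrote."""
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    trusted = False
    for hop in hops:
        # From the first hop written by your own filter onward the lines are reliable;
        # anything earlier was supplied by whoever handed the message to it.
        trusted = trusted or bool(TRUSTED_HOP.search(hop["by"]))
        hop["trusted"] = trusted
    return hops


def domain_of(addr):
    return addr.rpartition("@")[2].strip("<> ").lower()


def auth_field(auth, key):
    m = re.search(re.escape(key) + r"=([^;\s]+)", auth)
    return m.group(1).lower() if m else ""


def alignment(msg):
    """Compare every place the sender's domain appears with the visible From:.
    Returns (what was seen, the entries that disagree, the SPF/DKIM/DMARC results)."""
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    hops = hop_chain(msg)
    # The first trusted hop records which host really handed the message to your filter.
    entry = next((h for h in hops if h["trusted"]), hops[-1] if hops else {"from": ""})
    seen = {
        "From header": domain_of(msg.get("From", "")),
        "Return-Path": domain_of(msg.get("Return-Path", "")),
        "smtp.mailfrom (SPF identity)": auth_field(auth, "smtp.mailfrom"),
        "header.from (DMARC identity)": auth_field(auth, "header.from"),
        "host that delivered to your filter": entry["from"].lower(),
    }
    visible = seen["From header"]
    mismatches = [
        f"{k} = {v}" for k, v in seen.items()
        if v and v != visible and not v.endswith("." + visible)
    ]
    verdict = {k: auth_field(auth, k) for k in ("spf", "dkim", "dmarc")}
    return seen, mismatches, verdict


if __name__ == "__main__":
    msg = load(SAMPLE_HEADERS)
    for hop in hop_chain(msg):
        flag = "trusted" if hop["trusted"] else "UNVERIFIED"
        print(f"{flag:10} {hop['from']} ({hop['ip']}) -> {hop['by']}")
    seen, mismatches, verdict = alignment(msg)
    print("authentication:", verdict)
    for item in mismatches:
        print("does not match the visible From:", item)
```

On the sample, the bottom Received: line claims the message came from exchange.somewhere.ca, but that line sits below the first hop written by the recipient's own filter, so it is flagged UNVERIFIED; the filter itself recorded receiving the message from mailer.ema1l-notify.net. The Return-Path and the SPF identity also point at that domain while the visible From: says somewhere.ca, which is why SPF passes (the scammer's own domain authorised the sending IP) and DMARC fails.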

If you still aren't sure, send the message to support@wavepointit.com as an attachment. This generates a ticket and gives us the original message, complete with headers, to analyse. Do not forward the message! Forwarding replaces the original headers showing how the message reached you with headers showing how your forwarded copy reached us.

To send the message to us for analysis, create a new message, address it to support@wavepointit.com, and drag the message you want us to analyse into the body of the new message.  This will create an attachment that we can then review.