Fake email spotting 101

The other day, I received the following email.

I was immediately suspicious because I have never dealt with HM Revenue and Customs! Anyway, I decided to look a little deeper and this tutorial was born. What if I had dealt with them before?

Alert #1: Return email address.

The return email address above (useraccount-uMW75hmfKqCrFKnd@telus.net) is somewhat of a giveaway. Firstly, it looks quite odd, being made up of a seemingly random jumble of letters. However, that by itself isn’t necessarily sinister.

The thing to look at here is the domain name. This is the part of the email address immediately following the “@” symbol. In this case, telus.net. A quick Google search reveals that HM Revenue & Customs (the real one) has web addresses, so most probably email addresses also, in the domain hmrc.gov.uk. This makes sense, as it is a government department in the UK. An equally quick Google search reveals that telus.net is a US-based telecommunications provider (phone company and internet service provider).

This is the dead giveaway in this case.

But, suppose the email address had been faked and looked completely normal (like joe.bloggs@hmrc.gov.uk), what then?

Anyway, let’s have a closer look at those steps.

Alert #2: Links in the email body.

See in the body of the email there is a link (update now)? Let’s have a look where that leads.

Now, based on our first Google search above, I would expect it to go to somewhere with at least a .gov.uk address. But, how do we tell without clicking on it?

In this example, I am using a web browser to view my emails. When I right-click on the “update now” link, I can select “Copy link address” from the menu (see below). The same technique works in Microsoft Outlook (and many other email programs) as well.

Once I have done this, I can paste it into any text editor (like Notepad or Word) which reveals this…

http://345y6j5jyt.myeffect.net/uebimiau/maruc/index.php

This alone is quite enough evidence to delete the email. There is no .gov.uk in the address, only a few random letters (again) in a domain called “myeffect.net”.

Quick Tip: The internet address (or URL) above is made up of a host name, possibly some folder names, then possibly a file name on the end. Using the example above, we get the following.

http:// This is the part which tells the browser what type of request to make to the site. This (http://) is the default type which is used if none is specified. If you type www.google.com your browser actually sends http://www.google.com to the Google web server.

345y6j5jyt.myeffect.net This is the host name. The domain name is generally everything after the first full stop in the host name. In this case it is myeffect.net.

/uebimiau/maruc/ This is the folder name, which tells the web server where on the server to start browsing.

index.php This is the file name which tells the browser which file we want to see. In this case, it is a .php file, which is a script that will run on the server and perform various actions (like send a file to our computer or ask us for credit card details etc…).
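The sender-domain check from Alert #1 and the link check from Alert #2, combined as an added example (not part of the original article). The message body, subject line and function names are constructed for illustration; only the sender address, the link and the hmrc.gov.uk domain come from the article, and a single-part HTML message is assumed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

EXPECTED_DOMAIN = "hmrc.gov.uk"  # domain the article found for the real HMRC

# Constructed sample message; only the address and the link are from the article.
SAMPLE = """\
From: HM Revenue & Customs <useraccount-uMW75hmfKqCrFKnd@telus.net>
Subject: Tax refund
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://345y6j5jyt.myeffect.net/uebimiau/maruc/index.php">update now</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects the real href targets, not the text shown to the reader."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def belongs_to(host, domain):
    """True only for the domain itself or a subdomain of it, so a lookalike
    such as hmrc.gov.uk.myeffect.net does not pass."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def split_url(url):
    """Break a URL into the parts named in the Quick Tip."""
    parts = urlsplit(url)
    folder, filename = posixpath.split(parts.path)
    return {"scheme": parts.scheme, "host": parts.hostname,
            "folder": folder.rstrip("/") + "/", "file": filename}

def check_message(raw, expected=EXPECTED_DOMAIN):
    """Return (kind, domain) findings for a sender or link outside `expected`."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = [] if belongs_to(sender_domain, expected) else [("sender", sender_domain)]
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # single-part HTML body assumed
    for url in collector.links:
        host = split_url(url)["host"]
        if not belongs_to(host, expected):
            findings.append(("link", host))
    return findings
```

Swapping the From address for joe.bloggs@hmrc.gov.uk leaves only the link finding, which is why the link check still matters when the sender looks normal.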

Alert #3: Something’s Missing.

If this was a genuine email to me from any legitimate company or government agency, I would expect to see some information in the body of the email that was known only by the sending company and myself. For example, a customer number or my full name and/or residential address. These make the email specific to me rather than more generic as per the example above. A reference number (unless it’s one you are already aware of by other means) and an amount do not make an email specific to you.

More Signs of a Fake Email.

There are many other signs of an email being a scam (or worse) which predominantly centre on the language, grammar or general layout of the text. You will see in the example above that the email ends “HM Revenue & Customs,Yours Sincerely” which I would expect to be the other way around, e.g. “Yours Sincerely, HM Revenue & Customs”. Sometimes it is evident that the text has been translated from another language into English, so it really pays to read it carefully if you are at all unsure.

What to do?

Once you’ve decided that the email is, indeed, a fake, just delete it!

If you’re still unsure after reading this article, UPBEAT Business Computing is here to help.

December 20th, 2016