EE phishing email: scam website taken down

A website designed to steal bank details has been taken down after we reported a phishing email to EE’s security team. Here’s the email you need to be wary of.

Following on from last week’s Netflix phishing email warning, another well-known brand’s customers are being targeted by scammers in the same way.

Just like other examples we’ve seen, the email tells you that your payment has failed due to billing details expiring or changing.

‘The payment for your latest EE bill failed’

A look at the email address this has arrived from will tell you that it has nothing to do with EE. If you were to miss that, however, you could be forgiven for thinking the email was genuine.

The professional layout and use of EE’s branding make for a surprisingly legitimate appearance, and it’s also one of the most well-written scam emails I’ve seen this year.

How to spot an email scam

The threat of the disconnection of your service is an attempt to rush you into making a bad choice. If you receive an email like this, make sure you take your time.

Check the email address it’s come from and look for other clues – for example, my eyes were drawn to the bizarre question mark in the footer of the email.

If you’re not sure about an email you’ve received, contact the brand through its official channels and discuss it with them directly.
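
The sender check described above can also be automated. The following Python sketch is an added example, not code from Which? or EE: it treats ee.co.uk (the domain of the reporting address EE gives) as the only trusted domain, and the brand word list and every sample From header are constructed for illustration.

```python
import re
from email.utils import parseaddr

TRUSTED = {"ee.co.uk"}   # domain of EE's reporting address on this page
BRAND_WORDS = {"ee"}     # assumption: words that signal "this claims to be EE"

def sender_domain(from_header):
    """Domain of the actual address in a From header, or '' if there is none."""
    _name, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if local and at else ""

def is_trusted(domain):
    """Exact match or true subdomain; a plain substring test would be fooled
    by names such as ee.co.uk.billing-update.example."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED)

def claims_brand(from_header, domain):
    """True if the display name or a label of the domain uses a brand word."""
    name, _addr = parseaddr(from_header)
    words = set(re.split(r"[^a-z0-9]+", name.lower()))
    labels = set(re.split(r"[.-]", domain))
    return bool(BRAND_WORDS & (words | labels))

def classify(from_header):
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if is_trusted(domain):
        return "trusted-domain"
    if claims_brand(from_header, domain):
        return "impersonation"
    return "unrelated"

# Constructed sample headers (not taken from the real phishing email).
SAMPLES = [
    'EE <billing@ee.co.uk>',
    'EE Billing <no-reply@mail.ee.co.uk>',
    'EE <accounts@billing-update.example>',
    '"billing@ee.co.uk" <accounts@billing-update.example>',
    'Customer Care <help@ee.co.uk.billing-update.example>',
    'Coffee Club <news@coffee.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):15} {header}")
```

A From header showing ee.co.uk can itself be forged, so a "trusted-domain" result only means the address passes the check described here, not that the message is genuine.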

What happens if you click through?

If you had clicked through on ‘update and verify billing details’, you would have been taken through to a fake site and instructed to enter your bank details and other personal information.

The scammers behind the site would then have had complete access to the card details you’d entered, along with your full name and address.

Fortunately this site in particular has now been taken down after quick work from EE’s security team. When we reported the phishing email to EE, a spokesperson said:

“Our dedicated fraud team works hard to keep our customers safe from scams and customers should forward any suspicious emails to phishing@ee.co.uk so they can be investigated.

Our security team will then work quickly to take down any fraudulent websites contained in the email to protect people. Customers should always double check the sender’s email address, as it may not be from who it says it is.

If a customer thinks they may have been a victim of a scam then they should contact Action Fraud immediately.”

If you’ve landed on a website and you’re not sure it’s legitimate, take a look at our eight-step guide to identifying a fake, fraudulent or scam website.

Have you received this email or a similar one from another brand? How did you deal with it? Let us know in the comments.

Comments

George – thanks for sharing. Nice to hear that EE were able to take effective action here.

In a practical sense, the simplest way to check if an email is a scam is to check its address. It’s very simply done online, no need even to download an app.
I have checked out this website: very little tracking, only Google, and most Windows users use Google, and data is not held. Just enter the email address and click on check. Yes, I have tested it, it works:
https://email-checker.net/
It does not come any simpler; any non-tech member of the public can use it easily.

Thanks for the link. I also tried it, but it only seemed to work for about 50% of the test cases I used.

Now that’s interesting, Derek. Any chance of giving me one that doesn’t work so I can perform tests?

Duncan, its checks seem to give three outcomes equivalent to yes, no and can’t tell. Using quite a few real addresses gave the can’t outcome.

I didn’t find any problems with standard email addresses. If it goes through an email proxy, that throws up errors, not just in that checker but in my own checker.
I get emails from Hackread; Thunderbird suspects they are scams, but any real scamming email addresses came up as scams.
It checks the route out, but if it’s diverted for any reason, even legitimate, you won’t get a right answer.

Derek, have a read of this simply put comment on whether an email that’s marked as “possible scam” might not be:
https://askleo.com/why-does-thunderbird-think-this-message-might-be-a-scam/
Okay Derek, try this more comprehensive checker. A check is free for a check, but if using in bulk you have to pay. At least it will test one of your “dud” email addresses:
[URL removed by moderators]

Thanks I’ll try those later when I’m sat at a proper PC.

Thanks Duncan, that second email checker seemed to be more decisive than the first one.

I also rechecked the first one and I think I actually got a false positive from it – i.e. it told me that a made-up false email was real. Of course, I don’t know for sure that the made up email won’t be real, but I do judge that to be very unlikely.

That last one caused my AVG to become agitated, Duncan; wouldn’t let me get to the site without warning me:

We’ve just saved you from an infected website

Infected URL: [URL removed by moderators]

Threat: URL:Phishing

This URL contains malicious code that could harm your computer.
If you’re willing to risk it, you can turn off your AVG Web Shield to continue.
But we strongly recommend walking away from this one.

EE has an email address to report suspected phishing, as George says in his introduction: phishing@ee.co.uk

Maybe other companies should provide an email address in this format to report problems. Having an email address rather than a web form makes it easy to attach photos or other information as evidence.

Not on my checkers, Ian – only 2 main trackers, Google & Yandex; not even on Malwarebytes virus/malware shown. It’s probably Yandex, as it’s Russian.
But I will recheck a bit deeper.

You do know AVG has a history of false positives, Ian, and you can report them to them.
It’s so bad that a small business organisation tells you to:
https://smallbusiness.chron.com/turn-off-false-positive-avg-69481.html

I have a virus checker in Linux; it too gives out false positives, even “Warning”, which turn out to be of no consequence, so I have two or more malware checkers.
If you are so sure, can you get AVG to display text giving in detail exactly what it’s bothered about?

Okay, to save any argument I took your posting of the URL and used VIRUS TOTAL, which is used by millions round the world:
only TWO out of THIRTY THREE thought it was phishing –
https://www.virustotal.com/gui/url/8be7ad74194c98b681167295405a2d939068ef6b4d9878e60e709ea8dae10a8d/detection
See what I am getting at? Even my own Malwarebytes, which is a good one, shows it as clean – Emsisoft, ESET, Phishtank, Spam 404, etc etc etc. Now whose advice do you take – two out of 33 or all those major ones?

It is always better to be safe than sorry when dealing with posted Web links.

Yes Derek, but it’s my reputation that’s on the line here – why doesn’t Ian ask Virus Total why they don’t use AVG in their long list?
I know the reason – “unreliable”. It’s well known throughout the web.

AVG was fairly specific, Duncan: “This URL contains malicious code that could harm your computer.” Now, it could be fine – but this is for a Mac, so could be Mac specific.

The thing is that this is the first alert I’ve had in months, so AVG rarely flags anything up. When it does, are you saying I should ignore it?

I’ve now tried it on two other browsers, and all three are blocking it. It would seem that the code on the site is designed to infect com.apple.webkit/networking on the Mac.

Ian, forget my reputation. Virus Total tests it on various platforms and they don’t (unless you take a Russian one + another) as “proof” out of the other 33 virus companies, some really big names and good reputation, say it’s phishing or even malware. Nevertheless, although I don’t have a Mac system, I will check to make sure it applies to Mac; it certainly does to Windows & Linux. I will get back shortly.

Well, seemingly Virus Total does test all three systems, including Mac: https://support.virustotal.com/hc/en-us/articles/115002179065-Desktop-Apps
and this is how it works, Ian:
https://support.virustotal.com/hc/en-us/articles/115002126889-How-it-works
Notice they use 70 engines and check out the multiple tests and say it’s a good way of finding false positives – read it all, Ian.
Here is Macworld itself on its latest viruses:
https://www.macworld.co.uk/feature/mac-software/can-macs-get-viruses-3454926/

Indeed, and this paragraph seems to suggest I was wise not to follow the link:

“A report by Malwarebytes in March 2018 suggested that Mac malware grew by 270 percent in 2017. The same company reported that it had already seen an increase in Mac malware in 2019, with 16 million instances recorded in April – which is four times more than the previous record.”

Total virus itself shows four engines describing the URL as malicious, one of which was Google Safebrowsing.

However, I may have got to the bottom of things. The link you posted was for email-checkers . . com whereas the email checking service is actually https://www.email-checker.com

It appears that some dubious individuals have created a site that looks like the real thing but where the URL has an ‘s’ on the end and then embedded malicious code inside. They’re depending, I suspect, on people not being too careful when they copy URLs.

On the plus side it seems AVG was right.

Ian, I rechecked on Virus Total with my 21 November post, using the exact same URL, and got the same result.
Okay, I missed Google, but that still is only 4 out of that long list of 70 (top left hand corner), including the very well known Bit Defender, Avira, Emsisoft (high quality company), Comodo (which issues safety certificates for websites), Spamhaus (used by big business), EST, G-Data etc etc.
What I will do is use my Yandex email service, which has strong virus control, and input that to the website to see if any malware gets sent to me; at least I will be able to check its routing.
I found that email-checkers.com is the public front of mailcheck.co, which does add in the www. There is a link on that webpage to take you to it, so it’s not a phishing website set up to catch people but just a front for mailcheck. If it was phishing then there would be no link to it, unless you think that the actions of input are being transferred to mailcheck, which I will agree with; maybe devious, but not malware.
Mailcheck gets the all clear, so it looks like its methods of business aren’t too kosher, shall we say?

DerekP says:
26 November 2019

Digging a bit deeper into the “checkers” site, it has section titles such as:

“Does the email address checker was invented to benefit everyone?”

“Dealing with trust issues: how does Email Checker really ork?” (sic)

So all the characteristics of a spam email, in fact?

Indeed.

Also, many of the page options just seem to link back to the home page – or at least they do when viewing the page as user Guest on a Chromebook.

Sometimes, there are mitigating circumstances for poor English on a web page or in an app. For example, the authors might be acknowledged world experts in a given field, but might not use English as their native language.

DerekP says:
27 November 2019

…and here on XP(!!!) AVG also blocks the “checkers” site.

Peter walton says:
28 November 2019

I had a similar problem with my television license, exactly the same M.O.: payment failed, please resubmit. Knew it was wrong so telephoned TV Licensing and they confirmed scam. They were very matter of fact about the issue, just delete was advice.

The URL email checker .net gets passed by Ionos (GB), a well-known business help company, and an even better known website, URLVOID, used by millions, passes it:
US server, Atlanta, Georgia; registered 2015; reverse DNS Linode.com, and Linode is
the largest independent open cloud provider worldwide.
https://www.urlvoid.com/scan/email-checker.net/
It seems passing info to the parent website doesn’t constitute a scam or phishing – bad manners, yes.

Ian Biggles says:
6 December 2019

I received a text from number +447517321753 saying “EE. We were unable to process your latest bill. In order to avoid fees, update your billing information via” and then gave a link. I have assumed that this was a scam and did not click on the link.

It is a scam, Ian. This country are becoming wiser and answering back or hanging up, so the scammers are using text now; you are not the first.
+44 is a foreign country phoning the UK; it’s probably a virtual number though.

R Alexander says:
7 December 2019

We got the EE one on the 3rd December as a text from 00447716080517.