/ Money

Secret Service: how have scammers spoofed its official email?

The content of this phishing scam may look familiar, but it’s who it appears to have come from that may make you only think twice. What’s the secret behind spoofing an official MI6 email account?

We all know that scam emails will often arrive from addresses that look official, but on closer inspection are actually fake – things like ‘hmrcupdate’ or ‘directdvla’.

But this one is different; ‘sis.gov.uk’ is the Secret Intelligence Service’s official mailbox address. Take a look at this:

We asked the Foreign & Commonwealth Office about this email, in particular about how the scammer was able to use the address.

It thanked us for bringing the email to its attention, but nothing more.

Tracking down the source

I wanted to know more, so I looked for other examples of an SIS scam email online but found nothing.

I couldn’t find anything on social networks, other reports sent to our ScamWatch email addresses or anything that may have come in through our member issue database.

Despite not being able to find it anywhere else, I needed to know how the scammers had managed to spoof arguably one of the most secure mailboxes in the country.

I don’t want to get too technical, but it appears that software exists that allows you to do it, and there’s evidence of it in the coding of the spam email. Here’s how the fake reported:

Received-SPF: Fail (protection.outlook.com: domain of sis.gov.uk does not
designate 195.XXX.XXX.XX as permitted sender)

And here’s how a real one should look:

Received-SPF: pass (google.com: domain of xxxxxxx@fco.gov.uk designates 195.XXX.XXX.X as permitted sender)

SPF records tell you if the sender was allowed to send the email from that domain. Here, the official email passed the SPF test, while the scam failed. But it shouldn’t take checking the source code of an email to work out it’s a spam.

For your eyes only

Remember – always be suspicious of any offer you get out of the blue, especially if there’s the promise of money. Your personal data is what the scammers are after – it’s vital you’re 100% sure you’re not handing it over to fraudsters.

We’ve compiled 10 top tips to spotting scam emails to help you stay ahead of the scammers, including checking whether the branding is correct or if it tries a bit too hard to sound official.

Suspicious of an email? Report it.

We can also help you to spot a scam by watching for things like spelling mistakes, or vague details.

Have you ever received any official-looking scam emails? If so, what did you do? Let us know, and share your examples with us so we can continue to warn others.


This comment was removed at the request of the user

Tim Stevenson says:
24 November 2018

One (but only one) techique to add to your armoury is this. If asked for a password for an account etc. type in a totally bogus one first. If the scammer does not know it, and is instead trying to capture it, it will be accepted. Then walk away and report.

Nice one Tim.

At one place where I used to work, some folk took to typing “unlucky” as the password for initial login attempts. The real system would reject that, but a spoofed login prompt would fail to check and then steal that false password.

Recently I have been receiving scam emails from almost all the major supermarkets and their associated catalogue retailers, these emails are clearly identified by my Symantec software as SPAM, however there is a change in how these emails present themselves by creating a fictitious recipient and placing my own email address as the sender address.

If I try to block the sender I in effect add my own email address to my blocked email sender’s list.

The senders IP address is reported as the US although this may well be a ‘hijacked’ address

This comment was removed at the request of the user

Yes my email address appears in the directional arrows.

But only with this group of scam emails offering vouchers / money off from supermarkets

This can also be known as “joe jobbing”


This comment was removed at the request of the user

This comment was removed at the request of the user

This comment was removed at the request of the user

Symantec Norton Internet Security.

All I was pointing out to others was, if they use the likes of Outlook and they added these emails to their ‘blocked list’ that they effectively block their own email address

There are three other clues. Top line includes a date in American format (month first). Sender’s e-address ends “.co.uk” – a clear error. The computer will ignore the text between .
Then look at the salutation….. from government? I don’t think so!


Martin Chapman says:
24 November 2018

Although you did not want to get “too technical” it would help if you could give some instructions on how to check the SPF records for a domain please.

This comment was removed at the request of the user

Martin Chapman says:
24 November 2018

Duncan, thanks very much.

I regularly- several a day sometimes – get fake emails purporting to come from Amazon or google or a store or tourist office or even a contact. These all want me to click on a link totally unrelated to the “from” address, which I won’t do. My server and address are via Virgin Media, and I have tried to forward some of these to the police fraud site, as requested. The great irony is that Virgin Media won’t let me, because it identifies a potential security threat in the forwarded email, but it happily sent it to me, so Virgin are more secure in what its customers send than receive.

This comment was removed at the request of the user

Just re-read this and spotted the “HM Revenue.co.uk” obvious fake url.

Those of us lucky enough to have to pax tax and such like may already know the correct url would be “…gov.uk/government/organisations/hm-revenue-customs”

I started getting dozens of spam mails from my own address. By hovering over the supposed address I was shown the real one. It got so bad that I closed the account, which led to a whole lot more troubles with sites that used it as an identification. The administration on some of these accounts leaves a lot to be desired!

Tony Gore says:
24 November 2018

Some years ago I persuaded HMRC not to put links in the emails they send out on the basis that they were helping the scammers. Thus for a while (I would have to check if they still do this) they would send you a message but NOT provide the login link – after all, you know where to log in. Just checking a few of my recent emails from HRMC – they do NOT provide any links. Genuine emails state “Do not reply to it or click on any links”. Maybe you should check with HRMC and confirm this, and if they confirm it is still the case, publicise it. This means that genuine emails don’t have links, but scammers do – fairly easy then to spot scams – they are the ones with links.

R Gradeless says:
24 November 2018

I use Spamcop (https://www.spamcop.net/) to find out who has sent the suspect email. Spamcop analyses the email and identifies the actual sender. You then have the option of reporting the email as spam to the domain from which the email was sent. Spamcop maintains a blacklist of domains from which spam emails have been sent. Email services can consult the list and block emails from the offending domains.

You need to register with Spamcop. You receive an email address unique to you to which you can forward suspect emails for analysis. After analysing the email Spamcop sends you an email (usually within seconds) giving a link to a webpage containing the analysis.

25 November 2018

A few months ago, my data allowance strangely
ran out of my mobile. Then I received an text
asking me to sign in to a new contact to unlimited
data for £5 a month.
I 1st of all checked my monthly balance at my provider
web site. I still had data and the £5 data was not from them.

This comment was removed at the request of the user

I have read all the comments in this debate and the helpful suggestions offered; I feel the level of expertise is awesome and way beyond my ability. The comment I would like to make (and I hope nobody takes offence) is that the grammar and general usage of the English language is often appalling and I offer one bit of advice – once you have typed a message make sure you read it over before sending!
Best wishes in your (our) fight against the Scammers.

JayZS says:
28 October 2021

One of the problems is though, that many genuine users also have dreadful spelling and grammar. Also so many warning go out about this that spammers are starting to make sure there are no such errors.

I had not noticed this but it’s not surprising that scammers learn about their weaknesses. Those videos that show how easy it is to pick locks might be helpful to encourage us to choose better locks but perhaps they do more to aid crime.

Stewart SEYMOUR says:
9 January 2021

I absolutely agree with Graham Des Pedlow: The grammar and spelling in some texts is quite appalling. I frequently make errors when writing narratives – but I simply check over what I have written, usually several times, before submitting it; as Graham succinctly puts it, do check the texts/narrative for spelling, grammar, vocabulary, etc.