/ Money

Secret Service: how have scammers spoofed its official email?

24
Profile photo of Amelia Wade Amelia Wade Which? Consumer Rights
Comments 24

The content of this phishing scam may look familiar, but it’s who it appears to have come from that may make you only think twice. What’s the secret behind spoofing an official MI6 email account?

We all know that scam emails will often arrive from addresses that look official, but on closer inspection are actually fake – things like ‘hmrcupdate’ or ‘directdvla’.

But this one is different; ‘sis.gov.uk’ is the Secret Intelligence Service’s official mailbox address. Take a look at this:

We asked the Foreign & Commonwealth Office about this email, in particular about how the scammer was able to use the address.

It thanked us for bringing the email to its attention, but nothing more.

Tracking down the source

I wanted to know more, so I looked for other examples of an SIS scam email online but found nothing.

I couldn’t find anything on social networks, other reports sent to our ScamWatch email addresses or anything that may have come in through our member issue database.

Despite not being able to find it anywhere else, I needed to know how the scammers had managed to spoof arguably one of the most secure mailboxes in the country.

I don’t want to get too technical, but it appears that software exists that allows you to do it, and there’s evidence of it in the coding of the spam email. Here’s how the fake reported:

Received-SPF: Fail (protection.outlook.com: domain of sis.gov.uk does not
designate 195.XXX.XXX.XX as permitted sender)

And here’s how a real one should look:

Received-SPF: pass (google.com: domain of xxxxxxx@fco.gov.uk designates 195.XXX.XXX.X as permitted sender)

SPF records tell you if the sender was allowed to send the email from that domain. Here, the official email passed the SPF test, while the scam failed. But it shouldn’t take checking the source code of an email to work out it’s a spam.

For your eyes only

Remember – always be suspicious of any offer you get out of the blue, especially if there’s the promise of money. Your personal data is what the scammers are after – it’s vital you’re 100% sure you’re not handing it over to fraudsters.

We’ve compiled 10 top tips to spotting scam emails to help you stay ahead of the scammers, including checking whether the branding is correct or if it tries a bit too hard to sound official.

Suspicious of an email? Report it.

We can also help you to spot a scam by watching for things like spelling mistakes, or vague details.

Have you ever received any official-looking scam emails? If so, what did you do? Let us know, and share your examples with us so we can continue to warn others.

Comments
24
duncan lucas says:
23 November 2018

As you know I tend to complain loudly about injustice regardless of politics etc and thats what I continue to do about BT,s useless -open to malware- owned by Americans – surveyed – information used for third parties Email “service ” also known as –
Leaky -BT Mail , it intentionally allows all sorts of malware to be transmitted through it Unsecure server .

Whenever I complain online BT seem to take some action but that lasts as long as it takes scammers can reprogramme their malware. If it wasn’t for the fact my email URL is known wordwide I would belong gone from this “dis-service ”

I was one of the first to get Proton Mail but I dont really use it much – Yandex Mail is slightly better sending malware into junk but its not the answer as it to is not perfect .
Australia has a secure email service that it says the NSA cant poke their nose into and there are several European ones , both US secure (encrypted ) email services were shut down by the NSA as my US friends are very annoyed about .

While checking up on the official reason just given for shutting down which.net I found out that Window
10 users of Microsoft Exchange Server for emails has- back-doors so no joy there for Window users .
if its “free ” it isn’t really Free it comes at a cost and even paid for ones hand over your emails on request –
Google Analytics is so “good ” at info gathering that it doesn’t really need to scan your emails for info to use but– it does— Gmail might be the “bees knees ” to many but in the USA its cut to pieces for its info gathering.

Which ? does a good job on this convo of warning and showing people how to spot scammers -redirect hackers (via fake websites ) but stopping this by making email services Fully secure ? just like the scam sales calls its never going to happen , not in the interests of big business .

It amazes me people say -dont complain its part of the modern “way of life ” – I reply -no its not and it doesn’t need to be.

7
Vote up  |  Vote down   Reply    Report
Share   
Tim Stevenson says:
24 November 2018

One (but only one) techique to add to your armoury is this. If asked for a password for an account etc. type in a totally bogus one first. If the scammer does not know it, and is instead trying to capture it, it will be accepted. Then walk away and report.

10
Vote up  |  Vote down   Reply    Report
Share   
Hide replies ∧
DerekP says:
24 November 2018

Nice one Tim.

At one place where I used to work, some folk took to typing “unlucky” as the password for initial login attempts. The real system would reject that, but a spoofed login prompt would fail to check and then steal that false password.

6
Vote up  |  Vote down   Reply    Report
Share   
co-ordinator says:
24 November 2018

Recently I have been receiving scam emails from almost all the major supermarkets and their associated catalogue retailers, these emails are clearly identified by my Symantec software as SPAM, however there is a change in how these emails present themselves by creating a fictitious recipient and placing my own email address as the sender address.

If I try to block the sender I in effect add my own email address to my blocked email sender’s list.

The senders IP address is reported as the US although this may well be a ‘hijacked’ address

1
Vote up  |  Vote down   Reply    Report
Share   
Hide replies ∧
duncan lucas says:
24 November 2018

Coordinator is your email address inside the direction arrows or not ? — .

You are receiving spoofed emails -to save me a lot of detailed explanation , it boils down to your email service is Insecure read this webpage –
https://www.makeuseof.com/tag/scammers-spoof-email-address/
it does have quite a few trackers though but more to the point NO malware .

0
Vote up  |  Vote down   Reply    Report
Share   
co-ordinator says:
24 November 2018

Yes my email address appears in the directional arrows.

But only with this group of scam emails offering vouchers / money off from supermarkets

0
Vote up  |  Vote down   Reply    Report
Share   
DerekP says:
24 November 2018

This can also be known as “joe jobbing”

wikipedia.org/wiki/Joe_job

0
Vote up  |  Vote down   Reply    Report
Share   
duncan lucas says:
24 November 2018

Whats puzzling me Co-ordinator is that Symantec email service is pretty good for business .
Is it Symantec Email Security.Cloud ?
As far as I know its a paid for service .
Are we talking here of your Symantec email service or Symantec virus protection?
If your email service isn’t Symantec then I need to know who,s it is ?

I spent some time checking into this and although email spoofing can be blocked you have to know some basic coding and it isn’t a “5 minute job ” its related to using a SPF record .
Thats the hard way, the other way is using a dedicated Receive Connector on port 25 its a bit easier.

0
Vote up  |  Vote down   Reply    Report
Share   
duncan lucas says:
24 November 2018

Well what do you know !! -Co-ordinator/Derek , this spoofing business was so much on my mind that I have spent a long time reading up on it and was about to put myself to work (actually use my brain which is usually in neutral ) .

Then a thought occurred to me ( something very unusual ! ) I checked out Thunderbird and there hidden away in the extensions list was —-DKIM -Domain Key Identified Mail and its used for —-detecting and blocking —spoofing .

I wont go into the technical details as I am trying to “conform ” to others wishes but I installed it -had to reboot Thunderbird BUT will it work with the email server ? now that’s a different story but if it does I don’t need to use my brain which will remain in a “just turning over mode ” .
If it works Co-ordinator download Thunderbird as an email client and try it .
Also try out Proton Mail (the free version ) limited storage its pretty secure .

Eureka !! I sent an email to my other email system Yandex email service for which I can receive on Thunderbird > received email from Yandex on Thunderbird > testing> DKIM-Valid (signed by btinternet.com )>>>>> SPF :pass —it works !

0
Vote up  |  Vote down   Reply    Report
Share   
duncan lucas says:
25 November 2018

Now if this still isn’t good enough and you still have problems there is a sort of “ultimate solution ” you could install DMARC , there is a free version for a single (private ) user with less than 10,000 emails a month.
You will,of course , have to sign up to it and provide your email address/password etc see-
https://dmarcian.com/why-dmarc/ other than that its the “hard way “.

0
Vote up  |  Vote down   Reply    Report
Share   
co-ordinator says:
25 November 2018

Symantec Norton Internet Security.

All I was pointing out to others was, if they use the likes of Outlook and they added these emails to their ‘blocked list’ that they effectively block their own email address

1
Vote up  |  Vote down   Reply    Report
Share   
Wallibarbe says:
24 November 2018

There are three other clues. Top line includes a date in American format (month first). Sender’s e-address ends “.co.uk” – a clear error. The computer will ignore the text between .
Then look at the salutation….. from government? I don’t think so!

W

0
Vote up  |  Vote down   Reply    Report
Share   
Martin Chapman says:
24 November 2018

Although you did not want to get “too technical” it would help if you could give some instructions on how to check the SPF records for a domain please.

1
Vote up  |  Vote down   Reply    Report
Share   
Hide replies ∧
duncan lucas says:
24 November 2018

Martin have you tried –
https://www.kitterman.com/spf/validate.html or
https://www.dmarcanalyzer.com/spf/checker/ get back if you need more info.

1
Vote up  |  Vote down   Reply    Report
Share   
Martin Chapman says:
24 November 2018

Duncan, thanks very much.

0
Vote up  |  Vote down   Reply    Report
Share   
Hugh_F says:
24 November 2018

I regularly- several a day sometimes – get fake emails purporting to come from Amazon or google or a store or tourist office or even a contact. These all want me to click on a link totally unrelated to the “from” address, which I won’t do. My server and address are via Virgin Media, and I have tried to forward some of these to the police fraud site, as requested. The great irony is that Virgin Media won’t let me, because it identifies a potential security threat in the forwarded email, but it happily sent it to me, so Virgin are more secure in what its customers send than receive.

0
Vote up  |  Vote down   Reply    Report
Share   
Hide replies ∧
duncan lucas says:
24 November 2018

VM are no more “secure ” than BT Mail both SAVE money
by not having good virus control –the excuse ?-
well your getting it free (so don’t complain ) .

Your email server is insecure Hugh.

-1
Vote up  |  Vote down   Reply    Report
Share   
DerekP says:
24 November 2018

Just re-read this and spotted the “HM Revenue.co.uk” obvious fake url.

Those of us lucky enough to have to pax tax and such like may already know the correct url would be “…gov.uk/government/organisations/hm-revenue-customs”

0
Vote up  |  Vote down   Reply    Report
Share   
glenn hellman says:
24 November 2018

I started getting dozens of spam mails from my own address. By hovering over the supposed address I was shown the real one. It got so bad that I closed the account, which led to a whole lot more troubles with sites that used it as an identification. The administration on some of these accounts leaves a lot to be desired!

1
Vote up  |  Vote down   Reply    Report
Share   
Tony Gore says:
24 November 2018

Some years ago I persuaded HMRC not to put links in the emails they send out on the basis that they were helping the scammers. Thus for a while (I would have to check if they still do this) they would send you a message but NOT provide the login link – after all, you know where to log in. Just checking a few of my recent emails from HRMC – they do NOT provide any links. Genuine emails state “Do not reply to it or click on any links”. Maybe you should check with HRMC and confirm this, and if they confirm it is still the case, publicise it. This means that genuine emails don’t have links, but scammers do – fairly easy then to spot scams – they are the ones with links.

0
Vote up  |  Vote down   Reply    Report
Share   
R Gradeless says:
24 November 2018

I use Spamcop (https://www.spamcop.net/) to find out who has sent the suspect email. Spamcop analyses the email and identifies the actual sender. You then have the option of reporting the email as spam to the domain from which the email was sent. Spamcop maintains a blacklist of domains from which spam emails have been sent. Email services can consult the list and block emails from the offending domains.

You need to register with Spamcop. You receive an email address unique to you to which you can forward suspect emails for analysis. After analysing the email Spamcop sends you an email (usually within seconds) giving a link to a webpage containing the analysis.

0
Vote up  |  Vote down   Reply    Report
Share   
ALBERT ANNAN says:
25 November 2018

A few months ago, my data allowance strangely
ran out of my mobile. Then I received an text
asking me to sign in to a new contact to unlimited
data for £5 a month.
I 1st of all checked my monthly balance at my provider
web site. I still had data and the £5 data was not from them.

0
Vote up  |  Vote down   Reply    Report
Share   
Hide replies ∧
duncan lucas says:
25 November 2018

Albert- if the scammers were able to actually make your data run out as opposed to “showing ” you it had run out then you have a virus in your phone .
Make sure you have the latest update for your phone .

0
Vote up  |  Vote down   Reply    Report
Share   
William (Des)mond PEDLOW says:
27 November 2018

I have read all the comments in this debate and the helpful suggestions offered; I feel the level of expertise is awesome and way beyond my ability. The comment I would like to make (and I hope nobody takes offence) is that the grammar and general usage of the English language is often appalling and I offer one bit of advice – once you have typed a message make sure you read it over before sending!
Best wishes in your (our) fight against the Scammers.
Desperado

1
Vote up  |  Vote down   Reply    Report
Share   
 

Related discussions