The content of this phishing scam may look familiar, but it’s who it appears to have come from that may make you only think twice. What’s the secret behind spoofing an official MI6 email account?
We all know that scam emails will often arrive from addresses that look official, but on closer inspection are actually fake – things like ‘hmrcupdate’ or ‘directdvla’.
But this one is different; ‘sis.gov.uk’ is the Secret Intelligence Service’s official mailbox address. Take a look at this:
We asked the Foreign & Commonwealth Office about this email, in particular about how the scammer was able to use the address.
It thanked us for bringing the email to its attention, but nothing more.
Tracking down the source
I wanted to know more, so I looked for other examples of an SIS scam email online but found nothing.
I couldn’t find anything on social networks, in other reports sent to our ScamWatch email addresses, or in anything that may have come in through our member issue database.
Despite not being able to find it anywhere else, I needed to know how the scammers had managed to spoof arguably one of the most secure mailboxes in the country.
I don’t want to get too technical, but it appears that software exists that allows you to do it, and there’s evidence of it in the coding of the spam email. Here’s what the header of the fake email reported:
Received-SPF: Fail (protection.outlook.com: domain of sis.gov.uk does not designate 195.XXX.XXX.XX as permitted sender)
And here’s how a real one should look:
Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 195.XXX.XXX.X as permitted sender)
SPF (Sender Policy Framework) records tell you whether the sender was allowed to send the email from that domain. Here, the official email passed the SPF test, while the scam failed. But it shouldn’t take checking the source code of an email to work out that it’s spam.
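To show how that header check can be done without reading the source by eye, here is an added example (not part of the original article) that pulls the Received-SPF result out of a raw message and compares the checked domain with the one in the From line. The two sample messages, their IP addresses and mailbox names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not the real emails. IPs are documentation
# addresses (192.0.2.0/24); the mailbox names are made up.
SPOOFED = (
    "Received-SPF: Fail (protection.outlook.com: domain of sis.gov.uk does not\n"
    " designate 192.0.2.10 as permitted sender)\n"
    'From: "Secret Intelligence Service" <offers@sis.gov.uk>\n'
    "Subject: Confidential\n\nbody\n"
)
GENUINE = (
    "Received-SPF: pass (google.com: domain of news@example.org designates\n"
    " 192.0.2.25 as permitted sender)\n"
    "From: Newsletter <news@example.org>\n"
    "Subject: Update\n\nbody\n"
)

DETAIL_RE = re.compile(
    r"domain of (?P<identity>\S+) (?:does not designate|designates) "
    r"(?P<ip>\S+) as permitted sender", re.IGNORECASE)

def spf_verdict(raw_message):
    """Summarise the Received-SPF header the receiving server stamped on a message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdict = {"result": "none", "checked_domain": None, "client_ip": None,
               "from_domain": from_domain}
    header = msg.get("Received-SPF")  # first match = topmost header in the message
    if header and header.strip():
        unfolded = " ".join(header.split())              # undo header line folding
        verdict["result"] = unfolded.split()[0].lower()  # "Fail" and "pass" both occur
        detail = DETAIL_RE.search(unfolded)
        if detail:
            verdict["checked_domain"] = detail["identity"].rpartition("@")[2].lower()
            verdict["client_ip"] = detail["ip"]
    # SPF is checked against the envelope sender, so a pass only reassures
    # when the checked domain is also the one shown in the From line.
    verdict["suspicious"] = (verdict["result"] != "pass"
                             or verdict["checked_domain"] != from_domain)
    return verdict

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, spf_verdict(raw))
```

Only a Received-SPF header added by your own mail provider is worth trusting, since anything lower in the message could have been written by the sender.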
For your eyes only
Remember – always be suspicious of any offer you get out of the blue, especially if there’s the promise of money. Your personal data is what the scammers are after – it’s vital you’re 100% sure you’re not handing it over to fraudsters.
We’ve compiled 10 top tips for spotting scam emails to help you stay ahead of the scammers, including checking whether the branding is correct or if it tries a bit too hard to sound official.
Suspicious of an email? Report it.
We can also help you to spot a scam by watching for things like spelling mistakes, or vague details.
Have you ever received any official-looking scam emails? If so, what did you do? Let us know, and share your examples with us so we can continue to warn others.