/ Scams

How fake Bitcoin emails are spoofing Selfridges’ domain

18
Profile photo of George Martin George Martin Conversation Editor
Comments 18

We’re seeing an increasing number of fake emails successfully spoofing official email domains. Watch out for this fake Bitcoin email arriving from ‘Selfridges’.

Cryptocurrency scams are nothing new – we’ve heard plenty about fake investment schemes/platforms in the past and, in this case, you’ll probably find it pretty unlikely that you’ve suddenly been given more than £25,000 worth of Bitcoin.

However, in this example, it’s the sender’s email that’s drawn our attention:

We’ve covered email spoofing in the past as scammers found a way to use Fairtrade’s domain and, perhaps most interestingly of all, even the Secret Intelligence Service’s back in 2018.

In the past few months we’ve been sent multiple examples of scam emails arriving in people’s inboxes spoofing some of the biggest brands in the country, and this one is no exception.

But how can this be allowed to happen? Chiara Cavaglieri investigates scams and email protection for Which?, she told me:

Most scammers simply use the email ‘display name’ to convince potential victims they are legitimate. But the most dangerous fakes spoof the sender address e.g. so that it appears to come from @yourbank.com.

Companies can protect against this using a standard called DMARC. This stands for ‘domain-based message authentication, reporting and conformance’, and helps your email provider block malicious messages that attempt to spoof the email address of a genuine company. The problem is that too few companies are making use of DMARC, including some banks. This means fraudsters can forge their email addresses with ease.

But that’s only half the story – you also need your email provider to implement DMARC checks. So, even if a company has protected its domain, if your email provider doesn’t make DMARC checks, spoof emails could still land in your inbox.

This particular spoof email was sent to a Microsoft Live Mail user – we’ve noticed that most of the spoof emails reported to Which? are sent to Outlook and Live Mail users so we asked Microsoft if it has had issues with DMARC verification. It told us in May that it is ‘not aware of an increase in spam getting through our filters’ but wouldn’t comment on our question directly.

To play it safe, never assume an email is genuine (even if the sender address looks legitimate). If the message requires action, do it ‘the long way’ e.g. by calling the company on a trusted number (not any phone number included in the email) or typing the website address into your browser (never clicking on links in the email).

We also made Selfridges aware of this email and that its domain is being spoofed. We asked if it would like to add any comment, but it did not respond.

Always question unsolicited emails

Email spoofing might be an old trick, but this is a good reminder to question emails you’re not expecting, especially when they’re promising something for nothing. Some may be more inclined to trust an email that appears to be sent from an official source.

While Selfridges of course wouldn’t send anyone emails promising them Bitcoin riches, it wouldn’t take much to appear more convincing had the content of the email from the spoofed domain been different.

Guide: how to spot a scam

Guide: how to get your money back after a scam

As always, please do report suspicious emails you receive to the National Cyber Security Centre on report@phishing.gov.uk – it can work to have the sites they link to removed.

Have you received suspicious-looking Bitcoin emails? Have you had any other emails spoofing the domain of well-known brands? Let us know in the comments.

Comments
18
VynorHill says:
21 July 2021

What isn’t clear from your article is whether the spoof is an exact copy of the real e-mail address. If that is the case why doesn’t any reply go straight to the correct place and not to the scammer?

0
Vote up  |  Vote down
Share
ReportReply
John Ward says:
21 July 2021

Vynor – Just guessing here, but I expect the ‘Confirm Now’ button has a completely different destination. Any ‘Reply’ function might also have been programmed to by-pass Selfridges.

Is this scam attempt only going to Selfridges account-holders or to anyone at random?

I am surprised there isn’t a way in which the CID or Fraud Squad could set up decoy bank accounts which they can use to populate these requests for personal details so they can track what happens next.

0
Vote up  |  Vote down
Share
ReportReply
George Martin says:
22 July 2021

The main aim of emails like these will get you to click through on a link that takes you to a fake site where you’ll be asked to enter bank details etc. The email address itself won’t be used for correspondence, more as an attempt to bypass spam filters/look more legitimate to recipients.

1
Vote up  |  Vote down
Share
ReportReply
wavechange says:
21 July 2021

That’s yet another scam that offers something for nothing.

I had one today:

Money was DONATED to you.

contact: me for more details.

Since I have not seen this scam before I will forward it to: report@phishing.gov.uk
as mentioned in George’s introduction.

0
Vote up  |  Vote down
Share
ReportReply
John Ward says:
22 July 2021

According to recent e-mails I seem to have benefited in the last few days from enormous bequests in the wills of two apparently unconnected foreign gentlemen of considerable status in their own countries whose executors are in some ways agents of the World Bank and are struggling to find a way to transfer the funds to my bank account! What are the chances of that? Surely one of them must be genuine . . . but which one?

0
Vote up  |  Vote down
Share
ReportReply
malcolm r says:
22 July 2021

You are not unique 🙂
A very nice-sounding – on email – Nigerian (so he said) gentleman had a great deal of money earmarked for me some years ago. I am an optimist and keep watching for its arrival. I expect it has been held up by Covid problems as I assume it was being hand-delivered as cash.

0
Vote up  |  Vote down
Share
ReportReply
Robert E Bauer says:
23 July 2021

Easy!!! Flip a coin! …….simples………..

0
Vote up  |  Vote down
Share
ReportReply
John Ward says:
23 July 2021

I did, Robert . . . both stories are genuine fakes, of course.

0
Vote up  |  Vote down
Share
ReportReply
Steve Williams says:
22 July 2021

PayPal is another one with increasing fake and scam emails being sent, but if on doubt forward it to spoof@paypal.com
They can then act on it 🙂

0
Vote up  |  Vote down
Share
ReportReply
Stuart Jones says:
22 July 2021

as I logged on to my email account I had a duplicate page appear, I just closed the page then
read your email about spoofing emails, I will be doubly careful from now on.

0
Vote up  |  Vote down
Share
ReportReply
dlg says:
22 July 2021

I received an email from a friend in USA from his actual email address, requesting my assistance re an Amazon voucher for his niece! I duly organised @ US$ 200, but when I received a request for a further $ 200, I replied to let me have payment first, but no response.
I telephoned him to confirm, but he knew nothing about it, save for 4 other friends who had received similar requests!
It would seem that his email account had been hijacked, so he changed his email account password. I have yet to hear how he had allowed his email account to fall into the wrong hands.
Trying to be helpful can be expensive!!

0
Vote up  |  Vote down
Share
ReportReply
Chris says:
22 July 2021

My wife had a similar experience with a similar email from a friend in our town. It is all very convincing initially. On reflection, I think the trick is to keep the conversation going and ask questions about the family. That way you will be sure the email is genuine before handing over any money.

0
Vote up  |  Vote down
Share
ReportReply
alfa says:
23 July 2021

Your friend might have clicked on a link in an email from someone he knows that then sent emails to everyone in his address book.

That is what happened to a friend of mine who received 2 emails from her daughter (along with all her daughter’s other contacts).

I can’t remember the contents of the emails now, but they said something along the lines of ‘Found these really cool shoes’ and a link that her daughter would have clicked on.

One of the emails contained words of endearment that a not-very-nice ex-boyfriend called my friend that started her thinking he was stalking her. In her eyes, the ex is an electronics genius and if anything goes wrong with her phone, camera, car, etc., the ex has ‘done something to it’. This non-existent stalking has got out of control and lasted many years now. She now only uses basic electronics and won’t touch any computer or the internet.

At the time, my friend gave me her laptop and I saw the emails that her daughter was adamant she hadn’t sent. I searched the links without clicking on them that confirmed what had happened and told my friend verbally. I just wish I had shown her the proof that might have stopped her ‘stalker’.

0
Vote up  |  Vote down
Share
ReportReply
wavechange says:
23 July 2021

It used to be common for users of free email systems to have their accounts hacked and for an email that appeared to be from them to be sent to everyone in their address book, as Alfa has mentioned. I used to contact people when this happened and most were aware of the problem, but not always. I have not seen this happen for years, so presumably security has been improved.

I suggest that if you receive an unexpected message that appears to be from a friend, give them a ring immediately.

It’s also a good idea to set up a second email account, even if you don’t use it regularly.

0
Vote up  |  Vote down
Share
ReportReply
Margaret says:
25 July 2021

Before handing over any money why don’t you phone the friend or relative to discuss it? Don’t just rely on email.

1
Vote up  |  Vote down
Share
ReportReply
John Ward says:
25 July 2021

Indeed, Margaret; if the person asking for the money was that close a friend, even if in the USA, I would have expected a phone call explaining the situation and asking for a voucher on a loan basis.

At least in this case the stinger didn’t get a second bite.

0
Vote up  |  Vote down
Share
ReportReply
Carol says:
23 July 2021

I am inundated atm with messages saying I have a voice mail. My phone stopped me from opening it as it leads to a suspicious page. I get about 3 a day. Also the voicemails all appear to last for exactly the same length of time….2mins 34 sec.

0
Vote up  |  Vote down
Share
ReportReply
william says:
3 August 2021

My first thought when I started reading this was I bet Selfridges aren’t using DMARC. It’s been around long enough there really is no excuse to not be using it.

Whenever I get a genuine email I check for the Authentication Results for something like dmarc=pass header.from=tvlicensing.co.uk (p=reject sp=reject dis=pass); which in this case shows it’s passed .

And I’m sad to report that almost none of the legit emails has this entry in the email header.

Maybe it needs someone, like Which?, to pressure govt to get all companies to start using it.

0
Vote up  |  Vote down
Share
ReportReply
 

Related discussions