How to Spot a Fake Email, Part 2: The Anatomy of a Scam

In our post on how to spot a fake email, we covered some easy ways to identify the spams, scams and spoofs that inevitably land in your inbox.

But it's not easy to write one post covering everything. And it’s not uncommon for us to receive a few reports a day from our clients of scamming: there's a lot of it out there, much of it increasingly hard to identify.

That's why we're going to break it down further today and take you through the anatomy of a scam email.

We received a report recently from a client of a scam which was slightly more interesting, and one which didn’t involve any malicious links.

The scam was to try to get the client engaged in a conversation by alerting them to an email that would be sent as a follow-up, with a view to extort money. What was interesting was how the sender had clearly targeted the scam and put in place some rudimentary but rather clever misdirection to get around some of the things I was talking about in the last article.

Not perfect by any means, but to the untrained eye, pretty convincing.

The Setup

It started with a normal text email. The display name was one of the company directors, but the email address was something entirely different. Very little effort seems to have gone into it so far. The client has managed signatures, so it can’t have come from his company account as the signature is missing, and no attempt appears to have been made to make it appear like it has come from that account.

But who knows, maybe he sent it from his personal email by mistake? You would be forgiven for thinking it was real, especially as it also has none of the links and attachments you would expect from a normal phishing email.

What’s interesting is the setup. The email is indicating that the recipient will be receiving a follow up shortly from a reputable accounting firm, from a specific person. The client replied, then sensing something was wrong let us know. Given that there is no ‘call to action’ my response was that there was no need to be concerned; just replying isn’t enough to compromise you, but that she should expect a follow up as this is clearly setting up an engagement.

The Pitch

Sure enough, before too long a second email was sent from the ‘Matthias Bayliss’ referenced in the setup.

If we look at this using some of the tricks we learnt about in the first article, it’s starting to look more and more legitimate. The email has a signature and comes from what looks like an apparently legitimate-looking domain for that company, Furthermore, if we go to it takes you to the real web page for the company,

It’s really starting to look like the real thing. Still no obviously suspicious links or attachments, so little here that raises any concern.

But, of course, not everything is as it seems…

The Coverup

I’m going to get a little technical now but bear with me!

A domain consists of two basic parts: the Top Level Domain (TLD) which is the bit at the end like .com , , .org, etc; and the rest (the custom bit that is unique). The TLD part is managed by a variety of global registrars. They can indicate a geographic location like .uk, or something more global like .com. Sometimes they indicate an organization rather than a company, like .org which is often used by charities. Some are new trendy TLDs like .guru .food or .ninja and have only relatively recently been introduced.

While a little unusual, .io is a real TLD. But it’s exactly this unusual-ness that starts to give away that something is not quite right. Why would a company like Allen & Overy be sending emails from this unusual domain when they have a perfectly good .com available?

Digging a little deeper we can start to see what’s going on. Domains are registered in control panels which computers query to find out where things are, like the website or email servers for the company. An organization should place great importance on their domains and would usually have them all registered in the same place. They would also tend to stick to using one for public-facing purposes. It would be unusual – or a sign that the IT department might not quite have a grip on things – to be using more than one domain for public-facing communication, though there are many back-end reasons to use different ones.

If we look at the DNS record for the real domain, we have something to compare it to:

  • Email hosted at Mimecast, a very well-known and ‘proper’ email service provider
  • DMARC records published, which provides some security against spoofing and generally a sign that people know what they are doing
  • We can see what name servers are reporting the results

Now if we look at the domain from the email, we get a different story:

I might be a bit snobbish about these things, but a registrar called Namecheap Hosting Inc is unlikely to be the first choice of the IT Department for a large law firm for domain management and email services, especially when they are using Mimecast for their email on the domain on which their public website is hosted. Mimecast is a serious paid-for email service. Why send emails from another service provided by ‘Namecheap Inc’? Also, why set up DMARC security against the domain that is not being used to send email, and not set it up on the domain that is being used?

If you don’t follow me, then don’t worry! The point is only that:

  • We can see what the real domain is and how it’s set up from the public records
  • The real domain is configured to prevent spoofing, hence why a different domain is used to send the email
  • We can see that the domain that sent the email is not set up in the same way
  • Not only that, but it’s set up relatively badly in comparison and hosted somewhere completely different

The fact that the spoof domain directs you to the real website is, I think, quite a nice touch. It’s one of the things you might check to see if it was real or not. All that is required to achieve this is to set up a simple forwarding rule on the host.

What Came Next?

At this point, once it was obvious what was happening, the client stopped engaging. What would have almost certainly happened next was, after she replied to “Matthias” he would have sent some bank details for a payment against these spurious consulting charges the Director advised about in the setup email. The client is a construction company of a reasonable size, so the amount would likely have been relatively substantial but within the normal range of what they would be used to dealing with.

Had it been followed through the money would be lost.

As ever, vigilance is your best weapon against fraud. IT controls can go a long way, but there are always ways around it – especially if you know what you are doing and know that your target audience doesn’t.

Having the controls in place is important. Having someone around you can ask if in doubt is important. Checking the veracity of the request before you make a payment is, well, if not priceless then certainly very valuable!

See Also: How To Spot a Fake Email (Part 1)

Like this article?

Share on twitter
Share on Twitter
Share on linkedin
Share on LinkedIn
Share on email
Share by Email

Subscribe to our monthly newsletter.
Get the best IT tips and Office ideas in your inbox.

We promise to keep your information safe. Unsubscribe at any time. Read our privacy policy.

Further reading

how to tame your inbox

How To Regain Control of Your Inbox

Remember the days when your inbox was all shiny and new and empty? When every email arrived with an excited “ping” and you enthusiastically dove in to read and reply? 

Us neither.

Let’s face it, most inboxes nowadays are more like tentacled sea-monsters. They have you in their grasp, not the other way around. They’re uncontrollable. They’re scary.

Read More »
why you need multifactor authentication

Why Use Multi-Factor Authentication?

As we move increasingly towards online services, securing your account is more important than ever.

While computer viruses still exist, they’re no longer the route of choice for hackers to get control of your data. Instead, the prevalence of online services means that the bad guys are targeting your cloud services, such as your email and file storage.

Read More »
how to take effective work breaks

Hitting Refresh: How To Take Effective Work Breaks

What do your work breaks look like?

Do you gobble down a sandwich with one hand while typing with the other and call it a lunch “break”?

Do you get away from your desk but stay glued to your phone?

Because here’s the thing: not all breaks are created equal.

Read More »

Cookie Notice

This website uses cookies to ensure you get the best experience on our website. Learn More.

it support team macnamara on the case

Want the best IT tips & ideas?

Subcribe to our mailing list and get top IT tips & tactics in your inbox.

Scroll to Top