I don’t get many spam emails, thankfully, but one or two inevitably pop up sometimes. And I thought it might be useful to start flagging them up here, just to give people an idea of things to look out for. If it makes just one or two people a bit more aware, then I figure it’s worth it. So I’ve got a couple to mention here.
Before I get into the detail, it is important to note that big companies often have pages about spoof emails on their own websites, which clarify the kind of information that they won’t ask for. In the case of the two companies below, here are some useful links:
- Security & Privacy Index
- About Identifying Whether an E-mail is from Amazon
- Report a Suspicious E-mail
- Security Advice Index
- How do I know if an email I’ve received from Barclays is genuine?
Other banks, some shops and other sites may also have pages like these, usually in the Help or Security sections of their websites. It’s well worth looking them up so you know how to identify their genuine emails.
Also, if you ever have any doubts about an email, you can contact the company directly to check – but never do it via a link or an address in the email you’re suspicious about. Go to the website yourself, via Google or one of your existing bookmarks, and use the contact details there. They can soon tell you if an email is legitimate or not.
So here are the emails I’ve had, and I’ll go on to explain why they’re clearly fake. Obviously these aren’t the only types of scam emails you can get relating to these or other companies; they just happen to be ones I’ve received recently. The Barclays one in particular has been popping up in my Junk folder with some regularity, all much the same but with subtle variations. They’re wasting their time with me, that’s for sure. Especially as I don’t have any accounts with Barclays for a start.
Amazon Billing Information Scam
From: Amazon.com, Inc (email@example.com)
Subject: Update Your Amazon Billing Information
It has come to our attention that your account Billing Information records are out of date. That requires you to update your Billing Information. Failure to update your records will result in account termination.
Click on the reference link below and enter your login information on the following page to confirm your Billing Information records…
Click on [Link claiming to be Amazon.com sign in page] to confirm your Billing Information records.
Amazon Customer Support
Barclays Important Documents Scam
From: Barclays Bank PLC (firstname.lastname@example.org)
Subject: You have 3 new documents waiting for you
Dear valued customer,
You have a new message waiting for you in the secure area of the Barclays Cloud It.
Please follow step 1 of 2 & 3 carefully to view important documents.
[Link claiming to be Barclays Online]
Please note: Kindly have your PINsentry card reader to access documents for safety of your online service.
Although the emails attempt to look official – with logos and disclaimers copied from the real sites – there are various aspects that give the game away. So let’s pull some of them apart. There will be other aspects that higher-level computer experts would be able to look at, but we don’t need to worry about that here.
Just spotting one of these anomalies should be enough to arouse suspicion, so don’t worry if some of it seems to go too far or isn’t very obvious. Noticing even one of them is what matters, and it’s better to be too suspicious than not enough. You should certainly be on your guard if you’re being asked for your login details, payment information, etc, when you know it’s already on the site.
These are the summary points that I will expand upon below:
- The “From” address in each case is fake. It’s obvious for the Barclays email, less so for the Amazon one, but with a bit of thought that is clearly fake too.
- The “To” address isn’t your address, it’s the scammer’s. Your address is on the “blind copy” list. Why would your own address be hidden from you for a personal email?
- The emails address you as “Dear Customer”, not by name. Again very odd for a supposedly personal email.
- In the body text, there are little issues with grammar throughout the text in each message. And if you copy some of that body text into Google, more scams are revealed.
- The links they want you to click on go to addresses that are nothing to do with the company, which will probably infect your machine and steal your login details. Always check the properties of a link (don’t actually visit it) to see where its real destination is, regardless of what the text on display might tell you.
The “From” Address
It is easy to spoof where an email comes from, by pretending it’s a different address to the real one. So never automatically assume that the From address is proof of an email’s origin. Sometimes it will be obvious that it’s fake, but not always, as these two cases show. You can check the From address in Mail on the Mac by clicking the From name at the top of the email, as I’ve done in the screenshots above. On the Gmail website you can click an arrow near the From and To details at the top of the message to show the info. Other email clients should have similar features somewhere, or may even show the address automatically next to the name.
The Barclays email has a From address from the domain uab.edu. That clearly is nothing to do with Barclays at all. In fact, searching for it in Google (never try visiting fake addresses directly, it’s safer to Google them), shows it’s from the University of Alabama at Birmingham! It appears to be a real person’s address, but it’s pretty much certain that person isn’t the scammer. Scammers are dumb, sure, but not so stupid that they’d give out their real details! No, that person’s address has been spoofed, either because it’s been scooped up in a database somewhere, or their machine is on a botnet. Doesn’t matter – the fact that it’s clearly not from Barclays says everything already.
The Amazon email is a bit more complicated, because it appears to come from a true Amazon address. Amazon do use the auto-confirm address – but it’s to confirm orders that you’ve placed, as you may well know if you’ve placed orders with them. But why would you get an email about billing information from that address? Amazon would never ask for this information from you anyway, as they state on their site, but even if they did, the address would surely be customer services or accounts or something like that?
So why fake the auto-confirm address? Because it’s most likely to get through. Millions of people get order receipts from that address every day, so most mail servers let it through.
To get a little more technical for a brief moment, when I opened the source text of the email (by clicking Show Original in Gmail), it appears even Google had issues with it:
This appears to be saying “Hey, I know the IP addresses of servers that are allowed to send from that address, and this isn’t one of them.” Basically, every device connected to the internet has a unique number assigned to it – its IP address – and Google is familiar with the ones that Amazon uses. It still let it through though, perhaps because I order from Amazon regularly and often get emails from that address. In addition, the same source text also has references to smtp.LaTech.edu scattered throughout. And it seems extremely unlikely that Amazon emails would be sent via Louisiana Tech University!
So already we have good reason not to trust either email, but let’s carry on…
The “To” Address
You’d think that an email destined for you would be addressed to you, right? Especially if it’s about personal information or documents.
Strangely, though, these are not. In fact, the To address is the same as the From address. That is to say, these people appear to be sending the emails to themselves! But then, how is the email getting to you?
The fact that you can’t see your address means it’s on the BCC – or Blind Carbon Copy – address list. And this field in an email can have legitimate uses. If you’re sending an email to multiple people, but you don’t want all the recipients knowing each other’s addresses, then you can put them in the BCC field instead of the To field. You may need to have something in the To field though, so adding your own address can be used then.
But for important emails that you need to react to personally, there’s no reason to use this. It should be your address and nobody else’s. The fact that it’s not here is another cause for alarm. Because you can’t actually see the list of recipients, you don’t know if it’s solely for you, or if they’ve mailed it to hundreds, thousands or millions of others too. Why would they hide your own address from you in this situation? Very odd.
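The From and To checks described above can be run over the raw source of a message (what Show Original gives you in Gmail). This is an added example, not part of the original post: the message, the addresses and the `triage` function are constructed for illustration, using reserved example domains and a documentation IP address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message: reserved .example domains and a documentation IP.
RAW = """\
Received-SPF: softfail (mx.example.net: domain of transitioning auto-confirm@shop.example does not designate 192.0.2.25 as permitted sender) client-ip=192.0.2.25;
Received: from smtp.university.example (smtp.university.example [192.0.2.25]) by mx.example.net; Mon, 01 Jan 2024 10:00:00 +0000
From: "Shop Inc" <auto-confirm@shop.example>
To: auto-confirm@shop.example
Subject: Update Your Billing Information

Dear Customer, your billing records are out of date.
"""

def triage(raw, my_address):
    """Return warning flags and relay hosts for one raw email."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    flags = []

    # Received-SPF starts with the verdict the receiving server reached
    # (pass, fail, softfail, neutral, none ...). Anything but "pass" means
    # the sending server was not confirmed as allowed to use the From domain.
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    if spf != "pass":
        flags.append("spf-" + spf)

    # The sender "writing to themselves" is the pattern described above.
    if from_addr and to_addr == from_addr:
        flags.append("to-equals-from")

    # If our own address is in neither To nor Cc, we were blind-copied.
    visible = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    if my_address.lower() not in visible:
        flags.append("recipient-hidden-bcc")

    # Servers that handled the message, for comparison with the From domain.
    relays = []
    for hop in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", hop.strip())
        if m:
            relays.append(m.group(1).lower())
    return {"from": from_addr, "flags": flags, "relays": relays}

if __name__ == "__main__":
    print(triage(RAW, "me@mailbox.example"))
```

A relay host that has nothing to do with the From domain is not proof on its own, since companies do send through third-party mail services, but combined with an SPF result other than pass it matches the pattern described above.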
Simple one this – you’re not being addressed by name. If it was really the company emailing you, they’d be able to add your name to the salutation line easily, as it’s on their database. Spammers often cannot do this, though, so they’re forced to use generic greetings. So if you’re not being addressed by name, ask yourself why.
That said, however, there is a scam going around where a scammer claims they’re a lawful citizen who has found your information online – and provides your name and address as proof. They then invite you to open an attachment to see more details. Whatever you do, never open the attachment or click any links they provide. The fact that they’ve given a real name and address does not make them trustworthy – if anything, the mere fact that they’ve got that information means they cannot be trusted. After all, how did they find that database to begin with? It’s not something you can stumble upon by chance!
You can read more about the scam here. Chances are you won’t be affected by it, but it’s worth being aware of these things.
Scammers often use poor or unusual spelling and grammar in their emails, because they come from places where the first language isn’t English. Not always – some scammers are fairly good – but many scams are very badly written. And in the emails above, there are a few little oddities. They might seem a bit silly or pedantic, and maybe they are. But they all stop the emails looking fully professional to my mind.
For the Amazon email:
- “Billing Information”. This phrase is used very repetitively, more so than is necessary in such a short email. Sometimes it’s called “Billing Information records” as well, and the word “records” feels superfluous here. Besides, it’s only you, so surely you would only have one record of your information with them, not multiple? Why is it plural?
- “Click on the reference link below” – Reference link? Why can’t you just say click on the link? The word “reference” makes no sense to me, it doesn’t feel natural.
- “enter your login information on the following page to confirm your Billing Information records…” – As well as the suspicious request for login information, why does this sentence end with 3 full stops? It only needs one, as the sentence has finished. After all, the next line starts a new sentence.
And for the Barclays email:
- “Dear valued customer” – Yeah, I’m so valued, you don’t even know my name, huh?
- “Please follow step 1 of 2 & 3 carefully” – Huh? Whatever way I read that sentence, it makes no sense whatsoever. Even if the ‘of’ was replaced with ‘and’, it would still look wrong, because nobody would tell you to complete 3 steps like that.
- “to view important documents.” – Shouldn’t it refer to “your” important documents? Or does logging in allow me to view any important documents? Just feels unnatural without the “your” there.
- “Please note: Kindly have your PINsentry card reader” – Kindly? Why would it be kind of me to have it? An odd word to use in a professional email. Maybe “You need” to have your reader handy, but I wouldn’t say “kindly”.
You can also check dodgy text in emails by copying a suspicious line and entering it into Google’s search box (or whatever search engine you like to use). Make sure to put speech marks around it “like this”, so it searches for the whole sentence. Doing that for part of the Amazon email reveals tons of links indicating that the same email message is being used to target Apple users, while copies of the Barclays email are present on Spamdex, which keeps records of spam emails.
This is the important part to the scammer. They want to persuade you to click on the link, so they can infect you with viruses, steal your login information, etc. The website you get taken to might look legitimate, but it’s easy to copy someone else’s pages and make it look real. Or it might take you to a page that supposedly doesn’t exist, but actually does exist and is quietly infecting you in the background.
The links might appear to show a real address or piece of text, but that’s easy to fake. You can make links say whatever you want, as you may well know if you’ve ever added a link to a blog post or website. Every link has two key elements:
- Link Address (URL) – This is where the link will actually take you if you click on it.
- Link Text – This is how the link will be displayed to the user.
The link text is the most important aspect, because it can say anything. It can say “click here”, or “visit my website”, etc – and it can show an address that is completely different to the actual address that it will send you to. For instance, the following link will actually take you to the BBC News website – www.google.co.uk. See what I mean? Easy.
To check where a link is really going, it may be enough to simply hover your mouse cursor over it, and the address will appear in a pop-up. Or you might be able to click on it and view the properties, especially if you’re checking your mail in a desktop web browser. Other programs may differ, but there should be some way of checking where the link is going without actually visiting it – just clicking on a link to open the page can be enough to download nasty things, so don’t click it if you don’t trust it.
For the Amazon email, the scammer has created a link where the text appears to show a real Amazon address. But if you hover over it, you’ll see the destination of that link starts with divingwhitsundays.com, which clearly isn’t the real Amazon site! It does have references to amazon.co.uk within the long link, but not at the start, which is where it should be.
In the Barclays email, the address does start with barclays.co.uk – but the address doesn’t stop there. If it were the real Barclays domain, there would be a forward slash after the .co.uk part, and then it would specify the page within that site. But instead, there are more sections separated by dots first, and the actual address is really lengthy. The first time you encounter a forward slash is after braidingcenter.com, which again clearly isn’t Barclays! So the link won’t go to Barclays.co.uk at all. Very sneaky!
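The same check can be done automatically: pull every link out of an HTML email, take the real host (everything up to the first forward slash) and see whether it actually belongs to the company it names. This is an added example, not part of the original post: the HTML, the function names and the hosts are constructed, with reserved example domains standing in for the scam addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed email body; example.net / example.org stand in for the scam hosts.
SAMPLE_HTML = """
<p>Click on <a href="http://shop.example.net/www.amazon.co.uk/signin">https://www.amazon.co.uk/ap/signin</a></p>
<p><a href="http://barclays.co.uk.docs.example.org/login">Barclays Online</a></p>
<p><a href="https://www.amazon.co.uk/gp/help">https://www.amazon.co.uk/gp/help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (link address, link text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Real destination host: the part before the first '/' after the scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def belongs_to(host, brand_domain):
    """True only if host is the brand domain itself or ends with '.<brand>'."""
    return host == brand_domain or host.endswith("." + brand_domain)

def check_links(html, brand_domains):
    """Return (real host, brand named) for links that name a brand but go elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        for brand in brand_domains:
            mentioned = brand in href.lower() or brand in text.lower()
            if mentioned and not belongs_to(host, brand):
                findings.append((host, brand))
    return findings

if __name__ == "__main__":
    print(check_links(SAMPLE_HTML, ["amazon.co.uk", "barclays.co.uk"]))
```

The first sample link hides the brand in the path and the link text, the second puts it at the front of a longer host name, and the third is a genuine link that is left alone.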
So remember, if you’re not sure about a link to a company’s website that you get in an email, don’t click on it. Instead, go via Google or a bookmark in your browser to the actual site, so that you know the address is safe.
In conclusion, therefore, all of those factors make it crystal clear that the emails are fake, so I simply deleted them without clicking on any of the links. And that’s what you should do too if you receive these things. At the end of the day, always be wary of requests for login or personal information, and stay safe. 🙂