SpamSpotting

Most of the time, you should be able to spot scam emails on your own, without the need of a snarky I.T. professional like myself. Here is an example of an email received by a client recently:

From: OutlookAdmin365 [mailto:MicrosoftExchangep29e71ec88ae4615bbc3jab6ce41@mimirglobal.com]
Sent: Tuesday, February 20, 2018 10:34 AM
To: John Doe <john@doe.com>
Subject:
Action Required: Unfamilair Login- john@doe.com

Hello john@doe.com,

 Someone attempted to sign in with your email ( john@doe.com ) from an unknown location.
Date Received: [ 13 February 2017 02:02am] 

We restricted the attempt and we put a lock on your account   john@doe.com for incoming and outgoing message till you sign in from a familiar location

 

SIGN-IN FROM A FAMILIAR LOCATION

 

Thanks for taking these additional steps to safe guard your email.

© 2017 Outlook Corporation. All rights reserved. | Acceptable Use Policy | Privacy Notice 

 

 

So, let’s start at the email address it was sent from. Don’t be fooled by the friendly email name, in this case, “OutlookAdmin365.” That by itself seems somewhat plausible, but then look at the actual email address of “MicrosoftExchangep29e71ec88ae4615bbc3jab6ce41@mimirglobal.com.” That is clearly not a normal email address. When do you ever see the random characters as a part of the prefix of an email address? Well, you don’t. And the part after the “@” is equally weird – what would mimirglobal.com have to do with Microsoft 365? Sure, it could be from a hosting company that resells 365 like GoDaddy or something, but here, that is not the case.

At this point, I am done – I have seen all I need to know this is fake. I could look up that company and see who they are, if they exist, but I don’t need to, because I know they have nothing to do with my client’s email. But, since there are so many issues with this email, I will go on.

SUBJECT LINE

Subject: Action Required: Unfamilair Login- john@doe.com. Red circle is weird. Whatever. Ah, our first spelling error appears right in the subject. I am unfamiliar with the “word” unfamilair.

THE GREETING

Hello john@doe.com, If it seems like a bad robot not associated with Hollywood Director J. J. Abrams put that in there, I would agree. Professional emails are not greeted like that. I recently got an email myself from a local service provider trying to get me to meet with some low-level salesperson that was greeted, Hello Kannenberg. I did not meet with that salesperson.

THE BODY

So, this first sentence is relatively legit:

Someone attempted to sign in with your email ( john@doe.com ) from an unknown location.
Date Received: [ 13 February 2017 02:02am] 

You may be used to websites telling you something similar when you log in from a computer you don’t normally use. So this part is done well enough, although an American company would not write the date in that format as a general rule, but that is nitpicking.

Now, the next part is not so good.  We restricted the attempt and we put a lock on your account   john@doe.com for incoming and outgoing message till you sign in from a familiar location. Always look for awkward language, like a non-native English-speaker is trying to tell you something. Most legit companies, even if they are not based in the US will still format emails without using awkward phrases like “restricted the attempt.” That is not something we say. In any situation. Try to use that in a phrase that sounds natural. “We restricted his attempt to rob the bank.” “He tried to shoot a three-pointer, but I restricted his attempt.” “My date was going well, but she restricted my attempt to Netflix and chill.” See – doesn’t work.

Then we have some singular/plural awkwardness. “We put a lock on your account… for incoming and outgoing message….” First, it should be “messages” and the whole phrase is again, said in a very clunky way. And, still in that phrase “till you sign in…” The word they were looking for was “until.” Spell check won’t catch that one, because one can, of course, till ones own field. Yes, I often heard the phrase “wait till dad gets home” as a child, but had my mother written it down for me, I am certain that she would have used the word “until.”

THE LINK

All I can say is, don’t click on the link. Never. In this case, what could that link possible take you to? That is not how logging into email works. Obviously I removed the link from this email, but you can almost always right-click on a link in an email, and see what the address is. In this email, it started with “ireneshouse.gr….” Is that a link to your email server? Does it match the sender’s email in any way? Is it something you have seen before? What is .gr, and who is Irene?

SIGN OFF

Not much to say here, but the word is safeguard. It isn’t two words.

FINE PRINT

Even that is wrong here. You can’t tell from my example, but there were no links. It says Acceptable Use Policy and Privacy Notice, but they are just words – no link to click on, no explanation, no nothing.

 

So, in the end, this is a particularly easy one to pick apart. They won’t all be though. Some of the UPS/FedEx ones are pretty good, and we are always waiting for a package, so the urge to check on something is great at almost any time in our lives. If you have an IT resource, of course you can always use it. But, MOST of the time, you can figure this out on your own. Hey, that’s what I said at the top of this post too. Full circle… full circle.

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s