Recognizing E-mail Scams

Email provides us a convenient and powerful communications tool. Unfortunately, it also provides scammers and other malicious individuals an easy means for luring potential victims. The scams they attempt run from old-fashioned bait-and-switch operations to phishing schemes using a combination of email and bogus web sites to trick victims into divulging sensitive information. To protect yourself from these scams, you should understand what they are, what they look like, and how they work.

The following sections provide information to help you spot an email scam when it lands in your mailbox. They describe some, but by no means all, of the many email-based scams you’re likely to encounter. Armed with this information, you will better recognize email scams, even those not specifically mentioned here.

Bogus Business Opportunities
These scams promise the opportunity to make a great deal of money with very little effort. They’re normally full of enticements such as “Work only hours a week,” “Be your own boss,” “Set your own hours,” and “Work from home.” The emails offering these “opportunities” often have subject lines that look like the following:

  • Make a Regular Income with Online Auctions
  • Get Rich Click
  • Put your computer to work for you!
  • Use the Internet to make money
  • eBay Insider Secrets Revealed

In most cases, the email gives very little detail about the nature of the business opportunity. Most provide an address or web site from which you can, for a fee, obtain an “information kit” about the opportunity. These opportunities, however, usually amount to nothing more than pyramid schemes in which the “opportunity” involves your ability to recruit more unsuspecting people to buy into the scam. Eventually, the scam is uncovered or the pool of new recruits runs dry and it fails.

Health and Diet Scams
Health and diet scams prey on the insecurities some people have about the state of their well-being. These insecurities make some people particularly susceptible to the scams because they may be reluctant or embarrassed to discuss their problems with a doctor, or they can’t afford to buy legitimate drugs or treatment. The scams attempt to lure consumers with promises of quick fixes and amazing results, discount pricing, fast delivery, waived prescription requirements, privacy, and discreet packaging. The emails offering these items have subject lines that look like the following:

  • Need to lose weight for summer?
  • Increase your sexual performance drastically
  • Control your weight!
  • Natural health remedy that works
  • Reduce body fat and build lean muscle without exercise
  • Young at any age
  • Take years off your appearance
  • Gives energy and burns fat

Though they may be backed by customer testimonials, beware: the products don’t work.

Discount Software Offers
These scams frequently consist of advertisements for cheap versions of commercial software like Windows XP or Photoshop. The discounts offered may be hard to believe, and with good reason: the scammers either do not deliver the promised software at all, or provide illegal, pirated versions preloaded with Trojan horse software the scammer or other malicious individuals can use to exploit your computer and the information it contains.

419 Advance Fee Fraud
These schemes are quite elaborate and, despite their somewhat preposterous appearance, manage to hook a surprising number of victims. Essentially, these scams attempt to entice the victim into a bogus plot to acquire and split a large sum of cash. Many perpetrators of this kind of fraud have been Nigerian citizens; consequently, the name “419 scheme” is taken from Section 419 of the Nigerian Criminal Code, the section that addresses fraud. 419 scams are recognizable by their subject lines, which frequently call for an urgent response or refer to a personal introduction, and by sender names, which are frequently (though not always) African or African inspired.

A 419 advance fee fraud begins with an email that looks like this:

    Date: Wednesday, August 24, 2005 5:55 PM -0700
    From: Henry (Regarding Dr. H. Paul Jacobi)
    Subject: From: Henry (Regarding Dr. H. Paul Jacobi)

Hello,

I am sending you this private email to make a passionate appeal to you for assistance. Kindly accept my apology for contacting you this way and forgive me if this is not acceptable to you. My name is Henry Bassey Udoma; I am an auditor at one of the Nigerian Banks. On Tuesday, 19 January, 1999, one Dr. H. Paul Jacobi, a foreigner, made a numbered time (Fixed) Deposit, valued at £10,550,000.00 (Ten Million, Five Hundred and Fifty Thousand Pounds) for twelve calendar months in my Bank Branch.

Upon Maturity, we sent a routine notification to his forwarding address but got no reply. After a month, we sent a reminder and finally we discovered from his company that Dr. Paul A. Jacobi was aboard the EgyptAir Flight 990, which crashed into the Atlantic Ocean on October 31, 1999. After further investigation, it was discovered that he died without making a WILL and all attempts to trace his next of kin proved abortive….

These schemes work by getting the victim to take the initial bait, then slowly convincing him or her of the legitimacy of the plot through a series of forged documents, carefully crafted communications, and even visits by the victim to the country of origin for meetings with bogus “officials” in phony “government offices.” At key junctures in the scam, the perpetrators will ask the victim to advance them money to pay bogus fees or bribes. Additionally, they may extract what amounts to an extortion payment by threatening to cut the victim out of the plot. Once the perpetrators believe they’ve gotten all they could from the victim, they cut off communication and vanish. In short, if you discover an email in your inbox proposing a complicated arrangement to secure and split funds in a foreign land, you can safely assume someone is trying to ensnare you in a 419 scam.

Social Engineering/Phishing Email
Social engineering is a strategy for obtaining information people wouldn’t normally divulge, or prompting an action people normally wouldn’t perform, by preying on their natural curiosity and/or willingness to trust. Perpetrators of scams and other malicious individuals combine social engineering with email in a number of ways.

Phishing Email
Phishing emails are crafted to look as if they’ve been sent from a legitimate organization. These emails attempt to fool you into visiting a bogus web site to either download malware (viruses and other software intended to compromise your computer) or reveal sensitive personal information. The perpetrators of phishing scams carefully craft the bogus web site to look like the real thing.

For instance, an email can be crafted to look like it is from a major bank. It might have an alarming subject line, such as “Problem with Your Account.” The body of the message will claim there is a problem with your bank account and that, in order to validate your account, you must click a link included in the email and complete an online form.

The email is sent as spam to tens of thousands of recipients. Some, perhaps many, recipients are customers of the institution. Believing the email to be real, some of these recipients will click the link in the email without noticing that it takes them to a web address that only resembles the address of the real institution. If the email is sent and viewed as HTML, the visible link may be the URL of the institution, but the actual link information coded in the HTML will take the user to the bogus site.

The bogus site will look astonishingly like the real thing, and will present an online form asking for information like your account number, your address, your online banking username and password — all the information an attacker needs to steal your identity and raid your bank account.

Bogus communications purporting to be from banks, credit card companies, and other financial institutions have been widely employed in phishing scams, as have emails from online auction and retail services. Carefully examine any email from your bank and other financial institutions. Most have instituted policies against asking for personal or account information in emails, so you should regard any email making such a request with extreme skepticism.

Phishing emails have also been disguised in a number of other ways. Some of the most common phishing emails include the following:

  • Fake communications from online payment and auction services, or from internet service providers – These emails claim there is a “problem” with your account and request that you access a (bogus) web page to provide personal and account information.
  • Fake accusation of violating the Patriot Act – This email purports to be from the Federal Deposit Insurance Corporation (FDIC). It says that the FDIC is refusing to insure your account because of “suspected violations of the USA Patriot Act.” It requests that you provide information through an online form to “verify your identity.” It’s really an attempt to steal your identity.
  • Fake communications from an IT Department – These emails will attempt to ferret passwords and other information phishers can use to penetrate your organization’s networks and computers.
  • Low-tech versions of any of the above asking you to fax back information on a printed form you can download from a (bogus) web site.

The Anti-Phishing Working Group maintains a helpful phishing archive. The archive catalogues reported phishing scams and presents not only the content of the phishing email, but also screen captures of the bogus web sites and URLs used in the scams. A review of several of the phishing scams catalogued in the archive can give you insight into how these scams work and arm you with the information you need to avoid falling for them.

Trojan Horse Email
Trojan horse email offers the promise of something you might be interested in — an attachment containing a joke, a photograph, or a patch for a software vulnerability. When opened, however, the attachment may do any or all of the following:

  • Create a security vulnerability on your computer
  • Open a secret “backdoor” to allow an attacker future illicit access to your computer
  • Install software that logs your keystrokes and sends the logs to an attacker, allowing the attacker to ferret out your passwords and other important information
  • Install software that monitors your online transactions and activities
  • Provide an attacker access to your files
  • Turn your computer into a “bot” an attacker can use to send spam, launch denial-of-service attacks, or spread the virus to other computers

Trojan horse emails have come in a variety of packages over the years. One of the most notorious was the “Love Bug” worm of May 2000, whose email carried the subject line “ILOVEYOU” and asked the recipient to view the attached “love letter.” The attachment was a Visual Basic script named LOVE-LETTER-FOR-YOU.TXT.vbs; the double extension was chosen because Windows hid the final .vbs by default, so the file appeared to be a harmless text file. Other Trojan horse emails have included the following:

  • Email posing as virtual postcard
  • Email masquerading as security bulletin from a software vendor requesting the recipient apply an attached “patch”
  • Email with the subject line “funny” encouraging the recipient to view the attached “joke”
  • Email claiming to be from an anti-virus vendor encouraging the recipient to install the attached “virus sweeper” free of charge
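Most of the lures listed above deliver their payload as an attachment whose name is chosen to look harmless. The Python below is an added example written for this page, not code from the US-CERT article; the MIME message it parses is constructed, and the base64 bodies are inert placeholders, not real malware. It pulls every attachment out of a raw message with the standard library’s email parser and flags names that end in a directly executable type, that hide an executable extension behind a document-like one (the Love Bug pattern), or that are archives worth inspecting before opening.

```python
"""Flag risky attachments in a raw RFC 822 message: executable types and
document names that hide a second, executable extension.  Added example for
this page, not US-CERT code; the message below is constructed and the
base64 payloads are inert placeholders."""
from email import message_from_string, policy

# Constructed sample: one harmless image and one script named like the Love Bug attachment.
SAMPLE_MESSAGE = """\
From: "A Friend" <friend@example.net>
To: you@example.org
Subject: funny
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached joke coming from me.
--b1
Content-Type: image/jpeg; name="vacation.jpg"
Content-Disposition: attachment; filename="vacation.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJoaSI=
--b1--
"""

# Extensions Windows runs directly when double-clicked (binaries, scripts, shortcuts, installers).
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
              "wsf", "wsh", "hta", "msi", "ps1", "lnk", "cpl"}
# Extensions a user expects to be passive data; an executable extension after one is a disguise.
DOCUMENT_LIKE = {"txt", "jpg", "jpeg", "gif", "png", "pdf", "doc", "docx",
                 "xls", "xlsx", "htm", "html"}
# Containers commonly used to carry a script past simple extension filters.
ARCHIVE = {"zip", "rar", "7z", "iso", "img"}


def classify_attachment(filename):
    """Return the reasons an attachment name is suspicious; an empty list means none found."""
    parts = filename.lower().rsplit(".", 2)   # at most: base name, penultimate ext, final ext
    if len(parts) < 2:
        return []                              # no extension: nothing to judge from the name
    final = parts[-1]
    reasons = []
    if final in EXECUTABLE:
        reasons.append(f"executable type .{final}")
        if len(parts) == 3 and parts[-2] in DOCUMENT_LIKE:
            reasons.append(f"double extension .{parts[-2]}.{final} disguises a script as a document")
    elif final in ARCHIVE:
        reasons.append(f"archive .{final}; inspect contents before opening")
    return reasons


def suspicious_attachments(raw_message):
    """Parse a raw message and return (filename, reasons) for each flagged attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():      # skips the text body parts, yields the rest
        name = part.get_filename() or ""
        reasons = classify_attachment(name)
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_attachments(SAMPLE_MESSAGE):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The name check is deliberately independent of the declared Content-Type: a mail client decides what to run from the file name, not from the MIME header, so a script labelled application/octet-stream or even text/plain is still a script once saved.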

Virus-Generated Email
Note that a familiar “from” address does not ensure safety. Many viruses spread by first searching for all email addresses on an infected computer and then sending themselves to these addresses. So, if your friend’s computer has become infected with such a virus, you could receive an email that does, in fact, come from your friend’s computer but which was not actually authored by your friend. The address can also simply be forged: ordinary email delivery does not verify that the sender named in the “from” line is the true origin of the message. If you have any doubts, VERIFY the message with the person you believe to be the sender before opening any email attachment.


Note: This article was produced and copyrighted by the US-CERT. This article was used with permission as stated in Terms of Use, Copyright Permission.

The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

