It has been one of our goals for some time to post details about the constant barrage of email scams (phishing scams) for some time and with the arrival of today’s ACCOUNT SUSPENSION (allegedly from Yahoo) message, this seemed like an opportune time to start. Your first clue that these are bogus comes from hovering (NOT CLICKING) your mouse cursor over whatever link they tell you to click on and looking at the bottom bar in your email client (or web browser if you use webmail) to see where it will take you if you do click on it.
NOTE: Everything posted here is a SCAM. You will find NO legitimate emails in this post.
More Obvious NOTE: No financial institution is likely to email you in an attempt to clear up a problem or update your information. Same for Microsoft. The Beast From Redmond doesn’t know who you are – or care. Likewise for the IRS. They do NOT use email and certainly wouldn’t contact you this way regarding a “refund”. Neither will PayPal. Simply delete any emails that come from these sources. CALL the institution if you’re even remotely considering the message to have some merit (it won’t).
March 26, 2010: Notification of Limited Account Access RXI033 The latest PayPal scheme to steal your login information shows up in the usual guise of making sure your account is “secure” and requiring you to “login” to your account to do it. Needless to say, this is a scam. The obvious key to the lack of validity in this email is the return address: firstname.lastname@example.org. Read it carefully. It is not going to PayPAL.com, but rather PayPAY.com.
Additionally, the actual address of the active links in the message is not a legitimate PayPal address. It looks like it’s going to PayPal at first glance, but closer inspection reveals it is actually going to: http://www.paypal.com.nuryag910ud7.127ey27cdbom3vzbkp3w10.com/cgi-bin/webscr/?login-dispatch&login_email=(your address here)&ref=pp&login-processing=ok (nuryag910ud7.127ey27cdbom3vzbkp3w10.com)
Hello The Computer Wizard, (interesting that the email address this went to was NOT related to The Computer Wizard)
As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.
We requested information from you for the following reason:
A recent review of your account determined that we require some additional information from you in order to provide you with secure service.
Case ID Number: PP-280-903-612
This is a second reminder to log in to PayPal ( goes to http://www.paypal.com.nuryag910ud7.127ey27cdbom3vzbkp3w10.com/cgi-bin/webscr/?login-dispatch&login_email=(your address here)&ref=pp&login-processing=ok) as soon as possible. Once you log in, you will be provided with steps to restore your account access.
Be sure to log in securely by using the following link:
Click here to login and restore your account access ( goes to http://www.paypal.com.nuryag910ud7.127ey27cdbom3vzbkp3w10.com/cgi-bin/webscr/?login-dispatch&login_email=(your address here)&ref=pp&login-processing=ok)
Once you log in, you will be provided with steps to restore your account access. We appreciate your understanding as we work to ensure account safety.
In accordance with PayPal’s User Agreement, your account access will remain limited until the issue has been resolved. Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your PayPal account as soon as possible to help avoid this.
To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center. If, after reviewing your account information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking “Contact Us”.
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
PayPal Account Review Department
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the top right corner of any PayPal page.
Copyright © 1999-2010 PayPal. All rights reserved.
PayPal Email ID PP522
January 25, 2010: It was only a matter of time until a fake Facebook email surfaced in an attempt to steal your login information – and today’s winner is the Facebook Update Tool message.
In an obvious ploy to steal your Facebook credentials, this email purports to be an account updater. Nothing could be further from the truth. And, in fact, if you are foolish enough to click on the “Update” button, you are redirected to:
Now look at this carefully. First of all, you’ll notice that it starts our with www.facebook.com, so it initially looks OK… but continue reading.
The REAL domain in use is gertfdq.com.hn (notorious Phishing scam site, hosted on an illegal botnet)
Notice the email address embedded at the end? This is the address in the TO: portion of the email header. It’s NOT your email address is it?
Here’s a screenshot of this pest just for reference:
November 30, 2009: So your Sears Card account is in trouble – and who wouldn’t immediately want to rectify this problem? That’s what today’s winners of the Scam ‘O the Day award think. Read on:
[Start of email header]
|Sears Card <email@example.com>|
|Date:||Monday, November 30, 2009 02:32 pm|
|Subject:||Sears Account Information|
|Received:||(qmail 945 invoked by uid 78); 30 Nov 2009 19:29:54 -0000|
|Received:||from unknown (HELO cloudmark1) (10.49.16.94) by 0 with SMTP; 30 Nov 2009 19:29:54 -0000|
|Received:||from [126.96.36.199] ([188.8.131.52:34922] helo=mail.viacruz.com.br) by cm-mr19 (envelope-from <firstname.lastname@example.org>) (ecelerity 184.108.40.206 r(31179/31189)) with ESMTP id 5F/46-02272-23D141B4; Mon, 30 Nov 2009 14:29:54 -0500|
|Received:||by mail.viacruz.com.br (Postfix, from userid 107) id 9677E92E188; Mon, 30 Nov 2009 15:21:52 -0400 (AMT)|
|X-Spam-Checker-Version:||SpamAssassin 3.2.4 (2008-01-01) on mail.vcs|
|X-Spam-Status:||No, score=-0.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_50, HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=3.2.4, No|
|Received:||from citibank.com (220.127.116.11.nw.nuvox.net [18.104.22.168]) by mail.viacruz.com.br (Postfix) with ESMTPA id 8626A68529 for <wph>; Mon, 30 Nov 2009 15:10:52 -0400 (AMT)|
|X-unconfigured-debian-site-MailScanner:||Found to be clean, Not scanned: please contact your Internet E-Mail Service Provider for details|
[End of email header]
Subject: Sears Account Information
Please log-in to your Sears Card account.
Your Internet Banking Account may be locked.
Please identify yourself by visiting our Online Banking service:
Sears Card ONLINE
(actually goes to www.basecc.co.kr/fla/a.html)
© 2009 Sears Card Online. All rights reserved.
Esta mensagem foi verificada pelo sistema de antivírus e
acredita-se estar livre de perigo.
November 7, 2009: Who wouldn’t want to win 2.5 Million Dollars? Right? What are the odds? Zero, actually. Today’s email scam comes from cyberlottery.com.:
Re: You Have won a cash prize of $2.500,000.00
[Start of email header]
From – Sat Nov 7 06:16:09 2009
Received: (qmail 22067 invoked by uid 78); 7 Nov 2009 12:13:56 -0000
Received: from unknown (HELO cloudmark1) (10.49.16.81)
by 0 with SMTP; 7 Nov 2009 12:13:56 -0000
Received: from [22.214.171.124] ([126.96.36.199:30228] helo=emelgur.com.ec)
by cm-mr6 (envelope-from <email@example.com>)
(ecelerity 188.8.131.52 r(31179/31189)) with ESMTP
id C5/52-12760-48465FA4; Sat, 07 Nov 2009 07:13:56 -0500
Received: from emelgur.com.ec (localhost.localdomain [127.0.0.1])
by emelgur.com.ec (8.12.10/8.12.10) with ESMTP id nA7D63hH030002;
Sat, 7 Nov 2009 08:06:04 -0500
Received: (from apache@localhost)
by emelgur.com.ec (8.12.10/8.12.10/Submit) id nA7D5742029532;
Sat, 7 Nov 2009 13:05:07 GMT
X-Authentication-Warning: emelgur.com.ec: apache set sender to firstname.lastname@example.org using -f
Received: from 184.108.40.206
(SquirrelMail authenticated user emelgur)
by emelgur.com.ec with HTTP;
Sat, 7 Nov 2009 13:05:07 -0000 (GMT)
Date: Sat, 7 Nov 2009 13:05:07 -0000 (GMT)
Subject: Re:You Have won a cash prize of $2,500,000.00
From: “Mrs. Sandra Edward” <email@example.com>
[end of header]
AWARD WINNING NOTICE
Amount Won: $2,500,000.00 USD
This is to formally inform and congratulate you on the result of the online cyber lotto which was conducted from an
exclusive list of 1,000.000 email addresses of individual and corporate bodies selected
by an advanced automated random computer ballot system from the internet. Your e-mail address emerged as a winner in
the category “A” with the following information enclosed.
You are therefore to receive a cash prize of $2,500,000.00. (Two Million Five Hundred Thousand United States Dollars)
To file in for the processing of your prize winnings, you are advised to contact our Certified and Accredited claims
agent for category “A” winners with the information below:
Mr. Brad Brisson
Telephone number : +234(0)8053 102427
You are advice to provide him with the following information and a copy of your international passport or driver’s
license via email attachment or by fax for vetting process which is a standard practice just to
ensure that we are dealing with the right individual.
NOTE: Ensure to quote your Reference Numbers in all your communication with your claims agent. All winnings must be
Claimed not later than seven working days, thereafter unclaimed funds would be included in the
Mrs. Sandra Edward
October 28, 2009: Banking scams have been around for some time. We can be deluged with these from time to time from various local banking institutions claiming to have suspended your account, requiring you to login and straighten out the problem. Of course, this is a scam, because no legitimate financial institution would contact you this way to resolve a problem. Just today, we received NINE of these into different email accounts on our various domains:
|From:||LegacyTexas Bank <firstname.lastname@example.org>|
|Date:||Wednesday, October 28, 2009 08:26 am|
|Subject:||LegacyTexas Bank temporarily suspended your account.|
|Received:||(qmail 25737 invoked by uid 78); 28 Oct 2009 12:26:31 -0000|
|Received:||(qmail 25735 invoked by uid 78); 28 Oct 2009 12:26:31 -0000|
|Received:||from unknown (HELO cloudmark1) (10.49.16.93) by 0 with SMTP; 28 Oct 2009 12:26:31 -0000|
|Received:||from [220.127.116.11] ([18.104.22.168:46620] helo=europlanetservers.gr) by cm-mr18 (envelope-from <email@example.com>) (ecelerity 22.214.171.124 r(31179/31189)) with ESMTP id C2/69-05716-67838EA4; Wed, 28 Oct 2009 08:26:31 -0400|
|Received:||(qmail 18393 invoked from network); 28 Oct 2009 14:26:29 +0200|
|Received:||from unknown (HELO User) (126.96.36.199) by ns1.europlanetservers.gr with SMTP; 28 Oct 2009 14:26:22 +0200|
|X-Mailer:||Microsoft Outlook Express 6.00.2600.0000|
|X-MimeOLE:||Produced By Microsoft MimeOLE V6.00.2600.0000|
LegacyTexas Bank temporarily suspended your account.
Reason: Billing failure.
We need you to complete an account update so we can unlock your account.
To start the update process follow the link below :
Once you have completed the process, we will send you an email notifying
that your account is available again. After that you can access your account at
The information provided will be treated in confidence and stored in our secure database.
If you fail to provide required information your account will be automatically
deleted from Capital One database.
(Notice the inconsistency here: This is allegedly from Legacy Bank, yet refers to a Capitol One account)
October 27, 2009: Today’s banking scam comes (ostensibly) from FDIC:
|Date:||Tuesday, October 27, 2009 10:18 am|
|Subject:||you need to check your Bank Deposit Insurance Coverage|
|Received:||(qmail 9467 invoked by uid 78); 27 Oct 2009 14:19:14 -0000|
|Received:||from unknown (HELO cloudmark1) (10.49.16.91) by 0 with SMTP; 27 Oct 2009 14:19:14 -0000|
|Received:||from [188.8.131.52] ([184.108.40.206:1435] helo=g228218043.adsl.alicedsl.de) by cm-mr16 (envelope-from <firstname.lastname@example.org>) (ecelerity 220.127.116.11 r(31179/31189)) with ESMTP id 40/0C-04885-16107EA4; Tue, 27 Oct 2009 10:19:14 -0400|
|Received:||from 18.104.22.168 by mail2.redcoatpublishing.com; Tue, 27 Oct 2009 15:18:49 +0100|
|X-Mailer:||Microsoft Office Outlook, Build 11.0.5510|
|X-MimeOLE:||Produced By Microsoft MimeOLE V6.00.2800.1158|
You have received this message because you are a holder of a FDIC-insured bank account.
Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.
You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
- Visit FDIC website: http://www.fdic.gov/bankinsured/failed/personalfile/holder.php?email=(your email address here) &id=11400326282655464830497816725880303974
(actually goes to: http://www.fdic.gov.pouikib.eu/bankinsured/failed/personalfile/holder.php?email=(your email address here) &id=11400326282655464830497816725880303974)
- Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage
Federal Deposit Insurance Corporation
October 25, 2009: Today’s fun email scam comes allegedly from DHL. The atrocious spelling and grammatical errors should be enough to clue in those of us who actually can tell the difference (as good a reason as any to pay attention in school), but the BIG RED FLAG should be: are you actually expecting a DHL shipment? And even if you are… Be very suspicious of any email like this. Better yet, NEVER open an attachment in any email that was not preceded by an email or phone call from someone you know, advising you it was going to arrive. Observe all the bogus email addresses and domain names in the message header. NONE of these have anything to do with DHL. Just looking through the header of any email should tell you whether it is legit or not.
|From:||Manager Patrica Ball <email@example.com>|
[ add to contacts ]
|Date:||Sunday, October 25, 2009 11:37 am|
|Subject:||DHL delivery service. Get your parcel NR.202768|
|Received:||(qmail 29781 invoked by uid 78); 25 Oct 2009 15:38:02 -0000|
|Received:||from unknown (HELO cloudmark1) (10.49.16.91) by 0 with SMTP; 25 Oct 2009 15:38:02 -0000|
|Received:||from [22.214.171.124] ([126.96.36.199:1362] helo=10.82-134-95.bkkb.no) by cm-mr16 (envelope-from <firstname.lastname@example.org>) (ecelerity 188.8.131.52 r(31179/31189)) with ESMTP id 2D/98-04885-9D074EA4; Sun, 25 Oct 2009 11:38:02 -0400|
|Received:||from 184.108.40.206 by dev.null; Sun, 25 Oct 2009 16:37:56 +0100|
|X-Mailer:||Microsoft Outlook Express 5.50.4522.1200|
|X-MimeOLE:||Produced By Microsoft MimeOLE V5.50.4522.1200|
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox.
DHL Express Services.
October 6, 2009: The newest and most expensive email scan is being perpetrated via conventional email as well as Facebook account email. The premise is simple. You receive an email ostensibly from a family member or close friend claiming to be in a faraway country and, having lost their wallet, purse or luggage, find themselves stranded and in need of emergency funds to pay hotel bills, airfare, etc. And who wouldn’t jump at the chance to help a close friend in need, right? This is exactly what the thieves are counting on.
The way this happens is very clever. The criminals send an innocuous-looking email with an attachment that is supposed to be a cute cartoon, joke, news item or other bit of entertainment that actually houses a virus, that when opened, installs a keylogger on your computer. Everything you type into your computer after that point is immediately communicated to the person who sent you the email. Now they know your email account login and can send emails to all your contacts “from you”. Also, they know the login to your bank accounts, credit card accounts, etc. – anywhere you’ve logged into since the infection was unleashed on your computer. how can you protect yourself?
- First, don’t open ANY attachments unless you know exactly what they are. If someone you know sends you an email with an attachment, CALL THEM and ask what it is before you open it.
- Second, Use AVG as your security tool, configured per our recommendations and you will be much safer.
- Third, if someone sends you an email saying they are stranded and in need of money, CALL THEM to see if this is true. Call their friends and relatives to verify their location if you cannot reach them.
- Fourth, and most important: Trust No One. Be suspicious of everything you see, hear and are told on the Internet or via email. One of our favorite sayings applies here: “Just because I’m paranoid doesn’t mean they’re not out to get me.”
Here’s the latest Google Adwords phishing scam directly from today’s mail:
Subject: Account Notice From: Google Adwords
Dear Google Adwords customer,
Your account has expired. You must renew it immediately or your account will be closed.
If you intend to use this service in the future, you must take action at once!
To continue click here, login to your Adwords account and follow the steps.
(http://online-adwords-google.com/) – not a legit Google address
Thank you for using Google Adwords
Google Customer Service DEP.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response.
From – Thu Oct 1 06:41:32 2009
Received: (qmail 7791 invoked by uid 78); 1 Oct 2009 11:36:40 -0000
Received: from unknown (HELO ns-mr16.netsolmail.com) (220.127.116.11)
by 0 with SMTP; 1 Oct 2009 11:36:40 -0000
Received: from hrndva-omtalb.mail.rr.com (hrndva-omtalb.mail.rr.com [18.104.22.168])
by ns-mr16.netsolmail.com (8.13.6/8.13.6) with ESMTP id n91BaeEY012415
for <TCW>; Thu, 1 Oct 2009 07:36:40 -0400
Received: from jbhnet.net ([22.214.171.124]) by hrndva-omta02.mail.rr.com
Thu, 1 Oct 2009 11:36:40 +0000
Received: from localhost.localdomain (u15198697.onlinehome-server.com [126.96.36.199])
(authenticated user email@example.com)
by jbhnet.net (mail.jbhnet.net [127.0.0.1])
with ESMTP id 37-md50000000674.tmp
for <TCW>; Thu, 01 Oct 2009 07:37:49 -0400
From: “Google Adwords”<firstname.lastname@example.org>
Subject: Account Notice
Content-type: text/html; charset=us-ascii
X-Spam-Processed: mail.jbhnet.net, Thu, 01 Oct 2009 07:37:49 -0400
(not processed: message from valid local sender)
Date: Thu, 1 Oct 2009 11:36:40 +0000
(notice it is really <allegedly> sent by email@example.com via a Roadrunner account <mail.rr.com> – clearly NOT from Google)
Subject: ACCOUNT SUSPENSION From: YAHOO MARKETING SERVICES
Your Yahoo Marketing account has expired. You must renew it immediately or your account will be closed. If you intend to use this service in the future, you must take action at once!
To continue click here, login to your Yahoo Marketing account and follow the steps.
(Goes to: marketingsolutions.yahoo.apotterscall.com/ )
Thank you for using Yahoo Marketing!
Yahoo Marketing Services DEP.
Please do not reply to this email. This mailbox is not monitored and you will not receive a respons.
(Note misspelled last word)