“Phishing” scams

One of the things to watch out for in your e-mail is the notorious “phishing spam”: this is spam that tries to get you to log in to your online bank or similar. The aim is to direct you to a fake web site which will look exactly like your real bank and invite you to type in your security details. Once you type in your details, of course, you’ve given them to the spammer, not the bank, and they will then be used to drain money from your account.

Phishing attempts are pretty easy to detect with a minimum of knowledge. There’s no point in checking who the e-mail seems to be from — it’s perfectly simple to send e-mail that looks like it comes from whoever you choose. Three danger signs to check for:

1. Not addressed to you personally. My bank would always write to “Dear Paul Doherty” or “Dear Mr Doherty”, and would also include my postcode, account number or some other information not given in my e-mail address. Spammers only have your e-mail address, so they invariably write to “Dear Customer” or similar, or to no-one at all.

2. Poor English. Most phishing spammers aren’t English, so they write it with a phrase book, and it usually shows.

3. Link in the e-mail is misleading. You need a little knowledge to check this, but it’s the clincher. The spammer will want to make any link look as if it goes to the bank, but really it must go to an imitation website.

One thing everyone should know is how to check what website a link really goes to, and how to decode a website address.

Different e-mail programs show the real place a link goes to in different ways: find out how yours does it. Mine does it if I just hover the mouse over the link. Check that address carefully — even if it looks like it goes to barclays.co.uk, a common trick is to register a fake website with a similar name: nationvide instead of nationwide, paypa1 instead of paypal, RB0S instead of RBOS.

Mostly, though, spammers just rely on people not being able to work out what website is being referred to. Here’s how to check it: starting from the left and just after http://, scan to the right until you find another slash (/) – stop there. If the bit immediately to the left of that has three letters (typically .com) that and the word immediately before it is the (international) website address. If if has two letters (typically .cn or .ru) that and the two words before it is the (national) website address. (.cn is China and .ru is Russia.) And If there are no words, just numbers, it’s suspicious by definition.

Here’s three recent examples (click to enlarge).

Abbey phishing spam

1. Addressed to generic name.

2. Suspect English (“launch the procedure of the member login update”, “does apologize for any inconvenience caused to you and is very grateful for your help”) and too many exclamation marks.

3. Link is actually to website xml48.com — the “ref” probably identifies the e-mail address that fell for this trick, so that it can be targeted with more attacks, which is why I’ve obscured it.

4. Why would a genuine bank write “If you are not a client of Abbey National Internet Banking please ignore this letter!” – it would know who its customers were.

Paypal Phishing spamp

1. It’s addressed to generic “Dear PayPal user”.

2. The English is OK on this one (but it says “Us” instead of “Contact Us”).

3. The website is — all numbers, no words, very suspicious. (And, if you know, ~engelbert is the directory of a user called Engelbert — probably someone whose account has been hacked by the spammer and used to host the fake site).

4. There is no “To” address.

RBS phishing spam

1. Not addressed to anyone specific.

2. Suspect English (“As of that result”)

3. Website is novacom.zaural.ru — a Russian site.

Fake anti-virus programs

This is an old post from 2008, but it’s still very relevant. The screenshots are out of date, but they give the idea.

Sadly, there’s more fake anti-malware programs out there than there are real ones. (Malware is a general term for viruses, trojans, spyware, and so on.) Often a small infection sneaks on to your PC (usually because you’ve clicked unwisely on an e-mail message or downloaded something unfortunate from a website). This infection then starts popping up messages that look like Windows is warning you that your PC is infected, and inviting you to download something to scan it and remove the infection. This often looks like it might be from Microsoft.

If you download the advertised software — because that’s what this is, sneaky advertising — it will make matters much worse. The software will probably invite you to send money or enter credit card details, it will pretend to find lots of infections that you don’t really have, and it will probably add more infections.

Here’s some screenshots of a common one (courtesy of Bleeping Computer). Click on any picture for a bigger image:

Antivirus Xp




This sort of thing is, sadly, very common. If you think your PC is infected, you should take professional advice unless you are quite sure you know what you’re doing. Downloading stuff like this will make matters worse, not better. With the right knowledge and tools, however, this sort of thing is usually pretty straightforward to remove.

There’s a list of rogue sites and software here, but it’s now more than a year out of date. It will give you some idea of how many fake sites there are, and how much fake software there is, however. This one has a website:



The website is hosted on a computer in China, and registered to a — probably fake — company (Goya Interco LLC) with a claimed address in Finland. The domain was registered on 17 June 2008. The website is superficially convincing, but there are some tell-tale features:

  • Spelling mistakes: establishement, 100’000, realiable
  • Slightly curious English and grammar
  • Unfeasible claims: “Since its first establishement in 2001, antivirusxp2008 …”
  • No company name, address or contact details (all contact is by filling in a web form — no e-mail addresses or telephone numbers are given).

It looks good though, and is a good reason why you should not judge by appearances.

A very similar fake removal program is analysed here.