How not to be Taken by this Fake DCU Phishing Email

[Image: modified from wiki commons]

He (Joe Morgan) said once you picked up one thing you’d start looking for the others, and you’d see them too. I used to play cards with a guy like that. He’d read your eyes and know what you had. Drive you crazy

Bill James Historical Baseball Abstract pp349 1985 on Joe Morgan & pitchouts

One of the disadvantages of having a very public face and email is that I receive phishing scam emails regularly.
As a person who used to be a tech support rep (why do you think I’m called “datechguy”?) I recognize these attempts to scam me pretty quickly, but it’s very likely that there are plenty of people who don’t know the obvious clues that tip a person off. This prompts the old Hiwired tech support rep inside to rise up and shout at my fellow citizens who are the targets of these scams:

DON’T FALL FOR THIS!

So in this spirit I want to show you a Phishing email I recently received and point out the clues that will tell you it’s a scam.

Here is the email I received with all the scam clues highlighted:

[Image: Phishing email top]

All of these clues scream “scam”, and if you spot one you will learn to spot the others. Let’s go through them all.

Clue 1: A single notification

Before you even get to the email itself, it shows up in your email program. Below is the line from mine. This subject line from the email should jump out at you as suspicious: “Bill payment sent”

While a company like Comcast or Unitel might send an email confirmation of a payment, a bank in general doesn’t send out notifications on transactions (if they did, their servers would be doing nothing else all day). Even if your bank was the exception and offered the option of notification or confirmation emails, they would only come if you turned them on.

So even without opening up that email, that subject line alone should scream “Not Legit!”

Clue 2: Points off for spelling

A lot of phishing emails originate from places where English isn’t the first language. Because of this you will often find mistakes like this spelling error.

Now it’s not out of the realm of possibility that a bank might have a spelling error in an email, but it IS out of the realm of possibility that the spelling error would be in the name of the email account sending it.

If the subject line didn’t scream “scam” this clue should.

Clue 3: That’s not my email address!

Unless you have your own domain you likely aren’t seeing this issue, but I’ve seen it more and more in blast spams from China and elsewhere. The idea is to send blasts to all kinds of email combinations under a particular domain in the hopes of either finding a legit email address or getting someone to answer.

But you can be sure that if you have given your email address to your bank, they will have your actual address when they email you, unlike this guy.

Clue 4: Bait and switch subject with a time limit

Now we get to the meat of the email itself and there are two big clues to tell you this is wrong.

Note the difference between the subject line, “Payment sent”, and the email, “Payment scheduled”. In terms of a bank it makes no sense: why declare a payment sent in the subject line if it is only scheduled? Why not “Payment scheduled”? For the spammer the answer is obvious. While “Payment scheduled” might be a more clever subject line, there is less of a chance a person might open such an email. “Payment sent” is meant to make you say “What payment?”, while the notification inside is meant to tell you that you still have three days to act before this bogus hacked payment takes place.

That’s not how banks work. If you made a payment they would say “Payment made”; if it was scheduled they would say “Payment scheduled”, and there would not be a deadline in big letters for you to stop it.

This is all about making you panic. Don’t.

Clue 5: Hmm I didn’t know DCU was based in the Central African Republic.

Of all the various clues in this email, this one is the single most decisive but also the easiest to miss. It’s in the link on the Login

There are actually several clues here and I will take them in reverse order.

The first is the lack of links in that bottom section. This suggests the Phishers were sloppy and simply decided to use a screenshot copied and pasted in a program like Paint. The lack of links there is a big giveaway that something is wrong. Of course, if they left the links in, that would have been a problem for them as well, as there is always the chance that the user clicks on an authentic link and gets to the real DCU site.

The second is the “forward to a friend” choice. Even though it is inactive, the idea that you would forward a copy of such an email to a friend is so ridiculous that it should raise an alarm bell or two.

But the real giveaway is the actual link in the “Login Now” area. You will note that the address doesn’t go to a DCU domain.

Of all the various clues we have noted this is the most important. Even if the Phisher had excellent spelling, had used the right email address, had said “scheduled” instead of “sent”, or had even put in the right links on all the choices above, in the end, to steal your password or to take you to an auto-launch site that installs spyware to grab all your data, they will have to send you to a domain that is different than the one belonging to your bank.

That is the big giveaway.

And even if they were using a similar domain name (say dcuu for example) rather than the gibberish above, you will note that the suffix is not .com or .net or .usa but is .cf, which stands for the Central African Republic.
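The link check described above, together with the recipient check from Clue 3, as an added example that is not part of the original post. The bank domain `dcu.org`, the address `me@mydomain.example` and the whole sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "dcu.org"          # assumption: the bank's real domain
MY_ADDRESS = "me@mydomain.example"   # assumption: the address the bank has

# Constructed sample message (not the email shown in the post).
SAMPLE = """\
From: "DCU Notifcation" <alerts@constructed-gibberish.cf>
To: sales@mydomain.example
Subject: Bill payment sent
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Payment scheduled. You have 3 days to cancel.</p>
<a href="http://constructed-gibberish.cf/dcu/login">Login Now</a>
<a href="https://dcuu.example/help">Help</a>
<a href="https://www.dcu.org/contact">Contact</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the real target (href) of every <a> tag, not its label."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_matches(host, domain):
    """True only for the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def review(raw, expected_domain=EXPECTED_DOMAIN, my_address=MY_ADDRESS):
    """Return a list of findings for Clue 3 (recipient) and Clue 5 (links)."""
    msg = message_from_string(raw)
    findings = []
    if my_address.lower() not in (msg.get("To") or "").lower():
        findings.append("recipient is not the address the bank has on file")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not host_matches(host, expected_domain):
            findings.append(f"link leaves {expected_domain}: {host}")
    return findings
```

The comparison is made on the parsed hostname rather than on the visible link text, so a lookalike such as dcuu, or the bank's name placed in front of someone else's domain, is still flagged.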

Now while I’m sure that Digital Credit Union takes pride in having a large reach, it’s pretty safe to say that they don’t have a lot of branches in the Central African Republic, let alone host or register their servers there.

And keep this in mind: some people believe they are not rich or not important enough to be worth targeting by a Phisher, but remember the annual per capita income in the Central African Republic in 2017 was $700.

A few suckers taken for a few grand can make someone a pretty big man over there. Don’t be one of them.

