How not to be Taken by this Fake DCU Phishing Email

modified from wiki commons

He (Joe Morgan) said once you picked up one thing you’d start looking for the others, and you’d see them too. I used to play cards with a guy like that. He’d read your eyes and know what you had. Drive you crazy

Bill James Historical Baseball Abstract pp349 1985 on Joe Morgan & pitchouts

One of the disadvantages of having a very public face and email is that I receive phishing scam emails regularly.
As a person who used to be a tech support rep (why do you think I’m called “datechguy”?) I recognize these attempts to scam me pretty quick, but it’s very likely that there are plenty of people who don’t know the obvious clues to tip a person off. This prompts the old Hiwired tech support rep inside to rise up to shout at my fellow citizens who are the targets of these scams:


So in this spirit I want to show you a phishing email I recently received and point out the clues that will tell you it’s a scam.

Here is the email I received with all the scam clues highlighted:

Phishing email top

All of these clues scream “scam”, and if you spot one you will learn to spot the others. Let’s go through them all.

Clue 1: A single notification

Before you even get to the email itself, it shows up in your email program. Below is the line from mine. This subject line from the email should jump out at you in terms of suspicion: Bill payment sent

While a company like Comcast or Unitel might send an email confirmation of a payment, a bank in general doesn’t send out notifications on transactions (if they did, their servers would be doing nothing else all day). Even if your bank was the exception and offered the option of notification or confirmation emails, they would only come if you turned them on.

So even without opening up that email that subject line alone should scream “Not Legit!”

Clue 2: Points off for spelling

A lot of phishing emails originate from places where English isn’t the first language. Because of this you will often find mistakes like this spelling error.

Now it’s not out of the realm of possibility that a bank might have a spelling error in an email but it IS out of the realm of possibility that the spelling error would be in the name of the email account sending it.

If the subject line didn’t scream “scam” this clue should.

Clue 3: That’s not my email address!
Unless you have your own domain you likely aren’t seeing this issue but I’ve seen it more and more in blast spams from China and elsewhere. The idea is to send blasts to all kinds of email combinations under a particular domain in the hopes of either finding a legit email address or getting someone to answer.

But you can be sure that if you have given your email address to your bank they will have your actual address when they email you, unlike this guy.

Clue 4: Bait and switch subject with a time limit

Now we get to the meat of the email itself and there are two big clues to tell you this is wrong.

Note the difference between the subject line, “Payment sent”, and the email, “Payment scheduled”. In terms of a bank it makes no sense: why declare a payment sent in the subject line if it is only scheduled? Why not “Payment scheduled”? For the spammer the answer is obvious. While “payment scheduled” might be a more clever subject line, there is less of a chance a person might open such an email. “Payment sent” is meant to make you say “What payment?”, while the notification inside is meant to tell you that you still have three days to act before this bogus hacked payment takes place.

That’s not how banks work. If you made a payment they would say “Payment made”; if it was scheduled they would say “Payment scheduled”, and there would not be a deadline in big letters for you to stop it.

This is all about making you panic. Don’t.

Clue 5: Hmm I didn’t know DCU was based in the Central African Republic.

Of all the various clues in this email this one is the single most decisive but also the easiest to miss. It’s in the link on the Login

There are actually several clues here and I will take them in reverse order.

The first is the lack of links in that bottom section. This suggests the phishers were sloppy and simply decided to use a screenshot copied and pasted in a program like Paint. The lack of links there is a big giveaway that something is wrong. Of course, if they had left the links in, that would have been a problem for them as well, as there is always the chance that the user clicks on an authentic link and gets to the real DCU site.

The second is the “forward to a friend” choice.  Even though it is inactive the idea that you would forward a copy of such an email to a friend is so ridiculous that it should raise an alarm bell or two.

But the real giveaway is the actual link in the “Login Now” area.  You will note that the address doesn’t go to a DCU domain.

Of all the various clues we have noted this is the most important. Even if the phisher had excellent spelling, had used the right email address, had said “scheduled” vs “sent”, or even put in the right links on all the choices above, in the end, to steal your password or to take you to an auto-launch site that installs spyware to grab all your data, they will have to send you to a domain that is different from the one belonging to your bank.

That is the big giveaway.

And even if they were using a similar domain name (say dcuu for example) rather than the gibberish above, you will note that the suffix is not .com or .net or .usa but is .cf, which stands for the Central African Republic.

Now while I’m sure that Digital Credit Union takes pride in having a large reach, it’s pretty safe to say that they don’t have a lot of branches in the Central African Republic, let alone host or register their servers there.

And keep this in mind: some people believe they are not rich or not important enough to be worth targeting by a phisher, but remember the annual per capita income in the Central African Republic in 2017 was $700.

A few suckers taken for a few grand can make someone a pretty big man over there.  Don’t be one of them.
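The checks from Clue 3 and Clue 5 can be automated. The following is an added Python example, not part of the original post: it parses a constructed sample message and flags a recipient that is not the address you gave the bank and any link whose host is outside the bank's domain. The bank domain `dcu.org`, the address `me@mydomain.example` and the `.cf` host are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this example (not taken from the original post):
EXPECTED_DOMAIN = "dcu.org"          # assumed legitimate bank domain
MY_ADDRESS = "me@mydomain.example"   # hypothetical address the bank has on file

# Constructed sample message modelled on the clues described above.
SAMPLE = """\
From: "DCU Alerts" <alerts@qzxv-example.cf>
To: info@mydomain.example
Subject: Bill payment sent
Content-Type: text/html; charset="utf-8"

<html><body><p>Payment scheduled. You have 3 days to cancel.</p>
<a href="http://qzxv-example.cf/dcu/login">Login Now</a></body></html>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        # urlsplit lower-cases the hostname; mailto: and relative links have none.
        host = urlsplit(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host)

def in_domain(host, domain):
    # Exact match or a true subdomain; "dcu.org.qzxv-example.cf" must not pass.
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    msg = message_from_string(raw)
    findings = []
    _, rcpt = parseaddr(msg.get("To", ""))
    if rcpt.lower() != MY_ADDRESS:
        findings.append(f"addressed to {rcpt}, not the address the bank has")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for host in parser.hosts:
        if not in_domain(host, EXPECTED_DOMAIN):
            tld = host.rpartition(".")[2]
            findings.append(f"link goes to {host} (TLD .{tld}), not {EXPECTED_DOMAIN}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

The suffix comparison in `in_domain` is what catches both the gibberish host and a lookalike such as `dcuu.org`: only the expected domain itself or a real subdomain of it passes.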
