The anatomy of a scam email message

Scamming people has never been easier. Currently, one of the more successful methods used by cybercriminals is fraudulent email messages. Let's see if we can change that.

Lately, my spam filter has been bombarded with scam and phishing emails. Seeing that some were pretty sophisticated, I thought it best to share my research, so that if one slips by your spam filter you will still recognize the signs of a con in the making.

Scam 1: You have won

In a recent article, I interviewed security consultant Shellee Hale. She mentioned that one successful social-engineering technique is to offer prizes or a reward. I have to agree; being told you are a winner is enticing. That 600,000 pounds would have been nice:

This particular approach may seem fairly common. What makes it unique is that you do not have to enter, which has always been a problem for scammers: how can you win if you did not enter? Either way, be suspicious. Also, notice that the email was sent from the domain, which is typically reserved for customers of AT&T, the ISP. That's another hint that something is wrong.

The next part of the email shows what the cybercriminals are really after, personal information that can be sold on the Internet black market:

After reading that part of the email, all sorts of alarms should be going off. No honest business or financial institution will ask you to send personal information via email.

Scam 2: I didn't send that

Security pundits warn that social-networking sites like Facebook and Twitter are ripe for exploitation. Why? Their popularity and their members' willingness to share personal information. Just today, an investor who is also on Facebook's board of directors had his account compromised. Ouch.

Another example is the following email supposedly from Twitter:

On the surface, the email looks real enough. Even the Twitter Support link near the bottom is legitimate, so more than likely users will not be on the defensive; they just want to fix the problem.

The full URL is the nasty bit. Clicking on it sends you to a website whose sole purpose is to download malware onto your computer: possibly scareware that will completely hijack the computer, or maybe a keylogger that sits quietly in the background stealing your personal information.

Sadly, this type of scam email has a high success rate. Fortunately for me, Red Condor, my spam filter service, checks email addresses and found that "engineer at" is not legitimate:

The email actually came from "j??????n@icd.????????.com", which you can see is a valid address, but definitely not one associated with Twitter:

Something else I wanted to mention: I have received the same email from many different senders. That usually means compromised computers belonging to a botnet are being used to propagate this particular malicious email.

Cybercriminals do this for two reasons. They can send an inordinate amount of email without the owner of any single compromised computer becoming suspicious, and it prevents security analysts from backtracking to the attackers.
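The two tells in this scam, a display name that claims to be Twitter while the address belongs to another domain, and link text that shows one URL while the href points somewhere else, can be checked mechanically from the raw message. The following Python is an added example, not code from this article or from Red Condor; the two sample messages, the sender addresses, the Reply-To address and the brand-to-domain table are constructed here for illustration.

```python
"""Header and link checks for a spoofed "Twitter Support" style message.

Added example; the sample messages below are constructed and are not the
emails from the article.  BRAND_DOMAINS and every address in the samples
are assumptions for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping: a sender whose display name mentions one of these brands
# is expected to send from one of the listed domains.
BRAND_DOMAINS = {
    "twitter": {"twitter.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.I)


def registrable(host):
    """Crude "last two labels" approximation of the registrable domain.

    Good enough for these samples; a production check would consult the
    Public Suffix List so that e.g. co.uk is not treated as a domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(addr.rpartition("@")[2]) if "@" in addr else ""

    # 1. Display name claims a brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and from_dom not in domains:
            findings.append(f"display name claims {brand!r} but address is {addr}")

    # 2. Reply-To points at a different domain than From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registrable(reply.rpartition("@")[2]) != from_dom:
        findings.append(f"Reply-To {reply} does not match From domain {from_dom}")

    # 3. Anchor text shows one URL while the href goes to another host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, inner in HREF_RE.findall(text):
        shown = URL_IN_TEXT_RE.search(inner)
        if shown:
            real_host = urlparse(href).hostname or ""
            shown_host = urlparse(shown.group()).hostname or ""
            if registrable(real_host) != registrable(shown_host):
                findings.append(f"link text shows {shown_host} but href goes to {real_host}")
    return findings


# Constructed sample: a spoof with all three tells (addresses are made up).
SPOOFED = """\
From: Twitter Support <jxxxxxn@icd.example.com>
Reply-To: twitter-support@mail.example.net
To: victim@example.org
Subject: Someone used your account
Content-Type: text/html; charset="utf-8"

<p>We noticed a login you did not make. Reset your password here:</p>
<p><a href="http://twitter.example-reset.net/login">http://twitter.com/account/reset</a></p>
<p>Twitter Support: <a href="https://support.twitter.com/">https://support.twitter.com/</a></p>
"""

# Constructed sample: a plain notification with a consistent sender and no links.
LEGIT = """\
From: Twitter Support <support@twitter.com>
To: victim@example.org
Subject: Password changed
Content-Type: text/plain; charset="utf-8"

Your password was changed. If this wasn't you, visit https://support.twitter.com/
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, analyze(raw) or "no findings")
```

Note that the legitimate-looking support link in the spoof passes check 3, exactly as the article observes: one genuine link in a message proves nothing about the others.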

Scam 3: Your mailbox is full

The following scam email uses a different twist. It's quite effective, since nobody wants to lose email:

From: System Administrator <removed>
Reply-to: System Administrator <removed>
Date: Sat, May 1, 2010 at 6:20 AM
Subject: Final Warning!

Your mailbox has exceeded the storage limit which is 20GB as set by your Administrator. You are currently running on 20.9GB, you may not be able to send or receive new mail until you re-validate your mailbox. To re-validate your mailbox please click the link below:

If the link above don't work please copy and paste the link to your browser window.

System Administrator

There are several clues that should raise alarms:

  • One or two prior warnings are normal procedure; they give the user a chance to clean out the mailbox.
  • The storage limit mentioned in the email was not the same as the one provided by my email account.
  • This is supposed to be an automated message, yet the grammar is bad; "the link above don't work" should make anyone suspicious.

If users happen to click on the link in this email, they are sent to a compromised website where, once again, any number of malicious applications could be downloaded and installed.

There is help

If you ask the experts, skepticism is still the best way to combat email scams. If that's less than comforting, you will be glad to know there are organizations that offer help. The Anti-Phishing Working Group (APWG) is one example:

APWG is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.

One page on their website is especially useful. It explains in understandable terms, what people should be watching out for. I make sure to send that link to anyone concerned about phishing scams.

Another useful website is MillerSmiles. Its people share APWG's enthusiasm for eliminating phishing and email scams:

"MillerSmiles stands out as the prime international source of information about spoof emails and phishing scams, with a vast library of real examples including details and images of the emails themselves and related bogus web content."

It's MillerSmiles' searchable database of known phishing schemes that's unique. Users can check questionable email messages by entering any of the following: subject, content, apparent sender, or Web URL:

Final thoughts

Until taking advantage of people stops being a problem, we need to stay aware of the latest scam techniques. I offered a few examples that I recently encountered, and I would appreciate learning about your encounters with scam and phishing email messages.


Information is my field...Writing is my passion...Coupling the two is my mission.
