Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2 3

Author Topic: Convincing fake invoice  (Read 1046 times)

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3101
Convincing fake invoice
« on: February 14, 2017, 12:20:10 PM »

Just a word of warning....

Last year I got a quote from a local company to do some work.  In the end I declined their quote, went with another company.

But last week in my spam folder I found a very convincing email from the first company, subject 'RE: Your Invoice'.  Everything looked correct, company logo, names, phone numbers, and all headers OK, it really did appear to be from the Company.

It contained a link supposedly to an invoice and that link was identified by Google as suspect, hence marked as spam.   I don't know what would then have happened if I'd opened the link, I guess either malware payload, or just inviting me to pay cash into their bank. 

I have now phoned the company who apologised and confirmed they are aware they had recently been hacked in some bad way.   But the point is, if I had actually employed them to do the work and was expecting an invoice, I have to admit.... I may well have been taken in.    :o

Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 38273
  • Penguins CAN fly
    • DSLstats
Re: Convincing fake invoice
« Reply #1 on: February 14, 2017, 01:19:47 PM »

None of us can afford to be complacent, can we? Most scams are quite obvious, but from time to time a very persuasive one turns up. You have to be vigilant all the time.
Logged
  Eric

broadstairs

  • Kitizen
  • ****
  • Posts: 2461
Re: Convincing fake invoice
« Reply #2 on: February 14, 2017, 03:27:08 PM »

I must admit I always open my own bookmark when requested to contact a company via an email no matter who they are, I never these days click on a link and that even goes for my bank & credit card company. If it comes from a company I've never had dealings with it goes in the trash folder.

I must admit that since my hosting company move me to Krystal their email spam trap is 100% better than the old one, I'm finding  20-30 emails a day quarantined which so far I've reviewed and it has been 100% correct. So far virtually nothing is getting through to me. They use something called SpamExperts.

Stuart
Logged
ISP:TalkTalk Connection:FTTC Cab:ECI Router:ZyXEL VMG8924-B10A

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3101
Re: Convincing fake invoice
« Reply #3 on: February 14, 2017, 07:37:26 PM »

That's good advice Stuart.

But the problem is, the majority of small businesses these days do like being paid via online transfers, and they do send their perfectly legitimate invoices via email.  You don't have to hit 'reply', you just have to make the payment, typed in by your own hand, to the sort code and account shown on the invoice.  And if the invoice is from a company that's been  genuinely employed, for an amount that's  expected, I think a lot of people would simply pay.  But of course, the sort code & account are fake, they are the crook's bank account.

Worse still, I think it's treated as theft rather than banking fraud, so the bank won't refund your money, and the genuine company that did the work will still want paid.   :'(

FWIW, my own last line of defence is that as far as i can get away with it, I don't use online banking.   I write a cheque and either hand it over face to face, or post it to the company's office address.   I'm not popular for that as online payments are a lot more convenient for the recipient, but nobody has yet turned me down for the work needing done.   :-[
Logged

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4365
Re: Convincing fake invoice
« Reply #4 on: February 15, 2017, 12:40:36 AM »

A tip is to hover over the link in the email, and it will show the "true" domain name where its redirected to not the fake name visible in the email text.  You can do this without clicking on it.

The screenie I attached here I hovered over the Final Fantasy VIII link at top and url showed at bottom inside the circle I drawn.
« Last Edit: February 15, 2017, 12:43:50 AM by Chrysalis »
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 2066
Re: Convincing fake invoice
« Reply #5 on: February 15, 2017, 06:22:48 AM »

7LM surely a phonecall to the company you have to pay confirming details is sufficient?

I got an email at work the other day from a large local company we used in the past saying some of its customers had received fake letters saying that it's bank account had changed, when it hadn't.
Logged

Sebby

  • Member
  • **
  • Posts: 47
Re: Convincing fake invoice
« Reply #6 on: February 15, 2017, 07:43:49 AM »

This is a really good example of why all companies should be using DMARC email authentication.
Logged
Using Tapatalk

d2d4j

  • Reg Member
  • ***
  • Posts: 401
Re: Convincing fake invoice
« Reply #7 on: February 15, 2017, 09:25:06 AM »

Hi

Dmarc would help, as would spf and do/dkims but where a users email account has been hacked, these records would only server to prove the email was genuine.

There is no substitute for common sense, vigilance and always double check by phone, using your known number (not a number taken from the email), to verbally confirm bank detail changes.

I have seen this happen

Many thanks

John
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3101
Re: Convincing fake invoice
« Reply #8 on: February 15, 2017, 10:00:31 AM »

In this case, SPF and DKIM both passed authentication.   As d2d4j suggests, the crooks had probably broken into the company's genuine online email account.

In this day and age of telecomms deregulation, I don't completely trust phone numbers either.   Can there be any guarantee you call hasn't somehow been illegally forwarded to another (crooked) line?
Logged

Sebby

  • Member
  • **
  • Posts: 47
Re: Convincing fake invoice
« Reply #9 on: February 15, 2017, 11:16:34 AM »

Very true. If they're sending from the company's actual infrastructure then email authentication isn't going to help.
Logged
Using Tapatalk

petef

  • Member
  • **
  • Posts: 40
Re: Convincing fake invoice
« Reply #10 on: February 15, 2017, 11:57:52 PM »

I generally examine the raw source of suspicious emails. My experience has been that the earlier adopters of SPF and DKIM tended to be the scammers before legitimate senders got their act together (if they have). DMARC works if the email is sent from the prime web presence of a company. However I find it tricky to distinguish between bona fide third party emailing services and  spammers.

Does anyone know of a white list of trusted mass emailers?
Logged

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4365
Re: Convincing fake invoice
« Reply #11 on: February 16, 2017, 01:01:01 AM »

Yep this is why I changed the default spamassassin behaviour to not provide negative scoring for pass dkim/spf (higher score is used to mark spam).  Instead I give them a neutral 0 score.  As the frequency of spam delivered from hosts that pass dkim/spf is getting higher by the day.
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

Weaver

  • Kitizen
  • ****
  • Posts: 4004
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Convincing fake invoice
« Reply #12 on: March 07, 2017, 10:17:31 AM »

UKServers, discussed in earlier thread, handles my email and they use spamassasin, which is server-side software. I have spamassassin’s threshold figure set quite low, and have a gap between "marking" and nuking emails (on the server side). It is set to block exes too, so naive users can't receive malware in straight attachments, although I forget what happens about zip files or ridiculous things like Office documents and their insane embedded programs (macros / VBA programs).

Neither attachments nor malicious web stuff are issues here in Weaver-Land as everything is like Fort Knox and users can't run anything they have tried to download anyway.

I really need to read up on DKIM and DMARC.

I publish SPF. Q: Does anyone know if spamassassin takes it into account on inbound email by default? I haven't seen any parameters relating to it for inbound email in UKServers' UI.

I have my own very small server-side white- and blacklists which are just built up based on experience not on external data sources.

I would be very grateful to hear about any tips for reliable blacklists. UKServers already uses several of these public databases optionally, and I have them all turned on, despite the health warnings. Q: Could anyone help with any suggestions of known persistent nuisances?

I would have to think about whitelist databases. Q: Any thoughts?

Q: Did someone say that scammers publish SPF declarations?

I wish that my email service had a facility where I could much more easily block nuisance emails server-side, in one-click fashion. This is asking for the moon on a stick. Email clients need an enhanced UI, then we need a protocol for talking to a SP’s server, and then finally the server-side engine to implement the rules. Because spammers keep rotating “From:” addresses, content-based checking would be much more useful in such a one-click system, so we would need to either upload the whole nuisance email or, far better, send either a UID if possible or a hash. Then the server could derive some kind of filter entry based on the entire thing plus its headers / metadata.

At least a "nuke emails _like_ this one" facility that is wholly server-side, including a UI provided by their server would be doable, just not one-click. It would require that the server hold copies of recently received emails somewhere for a while even if the client had supposedly emptied the server out.

I ought to have some kind of UI covering (i) what to do when SPF checks fail, and (ii) some marking of emails that have failed, if we let failed ones through. Does anyone know about the availability of such stuff on servers?

[Moderator edited to merge three consecutive posts into one.]
« Last Edit: March 07, 2017, 09:36:02 PM by burakkucat »
Logged

d2d4j

  • Reg Member
  • ***
  • Posts: 401
Re: Convincing fake invoice
« Reply #13 on: March 07, 2017, 11:03:14 AM »

Hi weaver

I hope you don't mind, but your posts are entering in on multiple things a mail server does

A lot depends upon how a mail server is setup, which any reputable ESP, would not divulge

A basic shared mail server could do the following

Full server wide enforcement

Domain level enforcement

User level enforcement

The level of enforcement is set so as the user has partial control, domain level higher control and server wide full control. However, server wide has to take into account one persons spam may not be another person spam, if you see what I mean

You will have no control over any SA plugins, only server admins have this control, but we use a variety of plugins, spf razor pyzor etc...

Access to control these are at user level, from webmail access, settings, spam

Also, yes, spammers are aware of all blocking/checking a mail server does, and a cost of a domain is very cheap, so can set all dns records up.

The idea of spf, dkims/do and dmarc records is to tell the server if email is genuinely been sent from an authorised sending server, and if it is not, what should the mail server do with the email. So this is a way to stop spammers impersonating another domain, if dns records exist. A word or warning, if using these dns records, check and recheck them, or if wrong, you email will most likely fail to be received

There's a lot more but time is short sorry, and your touching on lots of different topics

Many thanks

John
Logged

d2d4j

  • Reg Member
  • ***
  • Posts: 401
Re: Convincing fake invoice
« Reply #14 on: March 07, 2017, 11:05:37 AM »

Hi weaver

Sorry, quickly, you set the action for spf when you create the record, soft, soft fail, hard fail

Many thanks

John
Logged
Pages: [1] 2 3