Q&A Archive

January 06, 2005

Do People Really Fall For Obvious Scams?

The more often you see 419 (advance-fee) and phishing scam messages in your inbox, the more you wonder how anybody would fall for these scams. But lots of folks who aren't email/spam/scam veterans receive these messages and respond to them for a variety of reasons, including greed (getting something for nothing) and being polite ("Ooh, how nice that someone sent me an email: I must respond").

Just the other day, I was wondering about the psychology of scammers when I encountered a Web page that provides some psychological insight into the other side of the equation: scam victims. Follow the link to a course handout by Trish Roberts-Miller of the University of Texas (no longer on staff, from what I can tell). She taught courses in the Division of Composition and Rhetoric at UT. One of her courses was titled "Demagoguery," and I'm assuming this handout was associated with that class.

In the paper (based on Robert Cialdini's book, Influence: The Psychology of Persuasion), you'll learn about 10 ways to find the "sucker" gene in human DNA. A few of these traits I readily identify among those who, for example, allow themselves to be conned into sending money to advance-fee scammers in Nigeria and elsewhere. It explains why one retired gentleman in Florida hocked his house and emptied his savings to hand over more than $300,000 in the hope of collecting a multi-million-dollar commission for transferring (non-existent) funds out of an African country. This happened even after a local law enforcement officer advised him it was a complete scam. It makes you wonder why 419 scammers bother advising potential victims to keep the business secret: once a sucker is on the hook, nothing can dissuade him or her.

The best evidence that these scams continue to work is that they continue to come.

Posted on January 06, 2005 at 04:46 PM  |  Scams

December 28, 2004

How can I tell if a message really is from eBay or PayPal?

This is a good question to ask about any piece of email from a source with whom you do business and who has your personal and credit card information stored in their computers. This includes banks, credit card companies, and even online stores. Thanks to the effectiveness of "phishers" who try to get you to give up your login names and passwords, everyone should truly be suspicious of every email message purporting to come from such institutions.

There are times, however, when such institutions really do send you a message. How do you know when it's legitimate?

The biggest part of the answer lies in the message's headers, which are normally hidden from view. I spend quite a few pages in Spam Wars showing readers how to decipher the most important parts of a message header. While an uncomfortably high amount of header information can be forged, there is a wee bit that is exceedingly difficult to forge. Therein lies the truth you can use to distinguish a Bad Guy from The Real Thing.

You must first find out which Received: header line is the one written by your mail server when it received the message from the outside. Every Received: line below that one was written by the sender's own computers, and a Bad Guy can make those say anything. This boundary line can be more difficult to identify on corporate email systems if they cause all messages to go through spam filter services and other routing within the company. Again, Spam Wars shows you how to find the key Received: header line.

Here is an example of the key Received: header line from a message that really came from eBay (the recipient's address is disguised, and the sending IP address that belongs inside the square brackets has been removed):

Received: from mx47.sjc.ebay.com (mxpool23.ebay.com []) by x_x.com (8.12.11) id iB771mSQ087247 for ; Tue, 7 Dec 2004 00:01:49 -0700 (MST)

Most incoming email servers record the numeric IP address of the sending email server inside the square brackets shown above. The server also does a reverse DNS lookup to see how the computer at that IP address identifies itself on the Internet (shown within the parentheses that also hold the IP address in square brackets). These two pieces of information are written by your own email server, based on the connection it actually accepted, so they are about as reliable as anything in the message: the IP address cannot be faked without breaking the connection, and the reverse DNS name is whatever the owner of that address block has published. (The name is only a strong sign if it also resolves forward to the same IP address; if it doesn't, someone has published a misleading name.) The other identity, coming before the parentheses, is the name the sending computer announced when it greeted your server. Although not forged in this case, it can easily report anything a Bad Guy wants it to.

In this example, the reverse DNS lookup reveals an "ebay.com" address, a good sign. You can go one step further and look up who owns the IP address itself. Use one of the many free (or donationware) "whois" lookup services on the Internet; I like the one provided by openrbl.org. Enter the IP address into the text box on the form and click the Submit button. A moment later, you'll be able to scroll down to the registration records for the network block that contains the address and for the domain associated with it. They show that the domain was first registered in 1995: no fly-by-night scammer here. They also show that eBay owns a whole block of IP addresses, another good sign that the message is legitimate.

In contrast, here is the same header line from a phony eBay message (domain replaced by y_y.com; part of the source IP address is disguised):

Received: from y_y.com (y_y.com [12.159.189.XXX]) by x_x.com (8.12.11) id iB3E4XkD082744 for ; Fri, 3 Dec 2004 07:04:33 -0700 (MST)

As revealed in the whois lookup, the IP address is owned by some other company, in this case, a geological consulting company whose computer has been taken over to act as a mailing computer for the phishing scams. This message didn't come from eBay.
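The procedure just described, carried out in code as an added example (this script is written for this page; it is not from Spam Wars, eBay or PayPal). It walks the Received: lines the way the post does, picks out the one our own server wrote when the message arrived from outside, and compares the reverse DNS name of the real sending IP with the domain the message claims to come from. The two messages, the x-x.com recipient domain, the example.com/example.net hostnames, the RFC 5737 documentation IP addresses and the internal-network list are all constructed assumptions for the demonstration.

```python
import email
import re
from email import policy
from ipaddress import ip_address, ip_network

# Two constructed messages for this example (not real eBay or PayPal mail).
# Hostnames and addresses use RFC 2606 / RFC 5737 documentation values;
# "x-x.com" stands in for the recipient's own domain, as "x_x.com" does in the post.
GENUINE = b"""\
Received: from filter.x-x.com (filter.x-x.com [10.1.1.5]) by mail.x-x.com (8.12.11) id iB771mSR087250 for <user@x-x.com>; Tue, 7 Dec 2004 00:01:50 -0700 (MST)
Received: from mx47.sjc.example.com (mxpool23.example.com [192.0.2.47]) by filter.x-x.com (8.12.11) id iB771mSQ087247 for <user@x-x.com>; Tue, 7 Dec 2004 00:01:49 -0700 (MST)
Received: from notify.example.com (notify.example.com [203.0.113.9]) by mx47.sjc.example.com (8.12.11) id iB771mSP000123; Tue, 7 Dec 2004 00:01:48 -0700 (MST)
From: "Example Auctions" <service@example.com>
Subject: Your item has sold

(body)
"""

PHONY = b"""\
Received: from mx47.sjc.example.com (mail.geoconsult.example.net [198.51.100.23]) by mail.x-x.com (8.12.11) id iB3E4XkD082744 for <user@x-x.com>; Fri, 3 Dec 2004 07:04:33 -0700 (MST)
From: "Example Auctions" <service@example.com>
Subject: Account verification required

(body)
"""

# The clause Sendmail writes:  from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving host>
# The reverse-DNS name is omitted when the IP has no PTR record, so it is optional here.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

OUR_DOMAIN = "x-x.com"                       # assumption: the recipient's own mail domain
INTERNAL_NETS = [ip_network("10.0.0.0/8"),   # assumption: the recipient's private relay addresses
                 ip_network("192.168.0.0/16")]


def in_domain(hostname, domain):
    """True if hostname is domain itself or a subdomain of it (a look-alike suffix does not count)."""
    host = (hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_received(value):
    match = RECEIVED_RE.search(" ".join(str(value).split()))   # unfold continuation lines
    return match.groupdict() if match else None


def boundary_hop(raw_message):
    """Find the Received line our own server wrote when the message arrived from outside.

    Received lines are prepended, so the newest is first. Keep the lines written by one
    of our hosts ("by" is ours) about a connection from a non-internal address; the
    oldest of those is the boundary. Every line below it came from the sender's
    machines and may be forged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    ours = [
        h for h in hops
        if h and in_domain(h["by"], OUR_DOMAIN)
        and not any(ip_address(h["ip"]) in net for net in INTERNAL_NETS)
    ]
    return ours[-1] if ours else None


def assess(raw_message, claimed_domain):
    """Compare the reverse-DNS name of the real sending IP with the domain the message
    claims to come from. The HELO name is reported for context only, because the
    sending computer chooses it freely."""
    hop = boundary_hop(raw_message)
    if hop is None:
        return {"verdict": "unknown", "reason": "no Received line written by our own server"}
    result = {"ip": hop["ip"], "helo": hop["helo"], "rdns": hop["rdns"]}
    if hop["rdns"] is None:
        result.update(verdict="suspicious", reason="sending IP has no reverse DNS name")
    elif in_domain(hop["rdns"], claimed_domain):
        result.update(verdict="consistent", reason=f"reverse DNS is inside {claimed_domain}")
    else:
        result.update(verdict="mismatch",
                      reason=f"reverse DNS {hop['rdns']} is outside {claimed_domain}")
    return result


if __name__ == "__main__":
    print(assess(GENUINE, "example.com"))
    print(assess(PHONY, "example.com"))
```

Run as-is, the genuine message comes back "consistent" (boundary IP 192.0.2.47, reverse DNS mxpool23.example.com) and the phony one "mismatch": its HELO name claims to be an example.com mail exchanger while the reverse DNS of the connecting address says mail.geoconsult.example.net. Two caveats a practitioner should add: the reverse DNS name is only as trustworthy as the PTR record the block owner published, so resolve it forward (socket.gethostbyname) and confirm it yields the same IP before relying on it; and the whois lookup of the IP block that the post recommends is still worth doing, because a mismatch can also mean the institution uses an outside mailing service.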

Be careful to read the whois registration information carefully. Some phishers register domain names that may contain the words "paypal" or "ebay" (or other institution), but the registrations are very new or are filled out with a bogus address.

Of course there are other clues. For example, a real message from PayPal advises you to "Log in to your PayPal account" without providing a clickable link to do so. That's not to say the message won't contain links elsewhere, but phishing messages virtually always provide a clickable link for you to "log in" to your account, a dead giveaway that the link will take you to a Bad Place. Don't trust the text of the link, either: the visible text can show the institution's real address while the link underneath points somewhere else entirely, so check the actual destination (hover over the link, or view the message source) before you judge it.
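An added example of checking where the links in a message really go (this code is written for this page, not taken from the post or from PayPal). It pulls every link out of an HTML message body and flags any whose real target host lies outside the institution's domain, any whose displayed address differs from the underlying one, and any that asks you to log in. The HTML body, the example.com institution domain, the look-alike example.net host and the documentation IP address are constructed for the demonstration; the "user@host" trick in the second link is a genuine URL feature that phishers have used, and the script shows how the standard library resolves it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body for this example (not a real phishing message). Hostnames
# and the IP address are RFC 2606 / RFC 5737 documentation values.
SAMPLE_HTML = """
<p>Dear member, your account has been limited.</p>
<p>Please <a href="http://www.example.com.verify-now.example.net/login">log in to your account</a>
to restore access.</p>
<p>Or visit <a href="http://www.example.com@198.51.100.5/">http://www.example.com/</a></p>
<p>Help center: <a href="https://www.example.com/help">https://www.example.com/help</a></p>
"""

LOGIN_WORDS = re.compile(r"\b(log\s*in|sign\s*in|verify|update|confirm)\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def in_domain(host, domain):
    """True only for the domain itself or a real subdomain; 'example.com.evil.net' fails."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def link_host(url):
    # urlparse treats everything before '@' as user info, so the host of
    # http://www.example.com@198.51.100.5/ is 198.51.100.5, not www.example.com.
    return (urlparse(url).hostname or "").lower()


def audit_links(html, institution_domain):
    """Return the links a reader should not click, each with the reasons."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue                      # mailto: and friends are not login pages
        host = link_host(href)
        reasons = []
        if not in_domain(host, institution_domain):
            reasons.append(f"target host {host!r} is outside {institution_domain}")
        if "://" in text and link_host(text) != host:
            reasons.append(f"displayed URL points to {link_host(text)} but the link really goes to {host}")
        if LOGIN_WORDS.search(text):
            reasons.append("link text asks you to log in; open the site from your own bookmark instead")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, "example.com"):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The first link is caught twice over: its host ends in example.net, not example.com, and its text invites a login. The second link shows the displayed-versus-real mismatch the paragraph warns about. The help-center link, whose text and target agree and stay inside the institution's domain, produces no finding, which is exactly the case where the post's advice still applies: reach the site from your own bookmark anyway.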

The best way to reach a site in response to any message, legitimate or not, is to use an entry you personally added to your Bookmarks/Favorites list after manually navigating to the site. Keep your operating system and browser patched and up to date, and make sure the Address field of the browser displays the desired site before entering anything into a form. A well-designed site serves its login and payment forms over secure (https) connections, as indicated by the security icon in the browser's border regions; ignore any "secure connection" advisories drawn on the page itself, because anyone can put those on a page.

Be careful out there.

Posted on December 28, 2004 at 01:59 PM  |  Scams