You can see the email below:



The first thing you should always look at in any email is the From: details. The important bit is the part between the <> brackets as this will often reveal the identity of the sending domain name. In this case you should be able to spot an obvious clue that all is not right. Why is the sending domain name naturalsun.com.ar?

Does that seem right to you when it is clear that this user has a Yahoo UK email account?

I hope not.

It should be clear that this is nothing to do with Yahoo but is just the domain name of a business based in Argentina, hence the AR country code, that the criminals have spoofed for their email scam. Spoofing legitimate domain names is frequently done to try and avoid their emails being detected as spam.

Just in case you are curious this is what their website home page looks like:



No idea what it is selling but it doesn’t look like its got anything to do with Yahoo email to me.

The email also contains the usual big clues that it is a scam.

• Poor grammar.
• An embedded (Click Here) link that you are meant to click on.
• A time limit to take action.
• The threat of having data deleted.
• Nothing to identify the organisation the email is coming from.

Any one of the things in the list above should make you suspicious about an email. If you get a few of them then it will be a scam. If you get all of them just delete it as its definitely a scam.

With any embedded link there is a very simple test that you should always apply before you click on it. Simply hover the pointer over the link and look to see where the link goes to. When I hovered over the link in the email I could clearly see the following location:

http://rai-spa.kz/index..php/mailbox/index.php?email=fred.bloggs346@yahoo.co.uk

I have changed the name after the = symbol but everything else is original. These criminals like to get around as now we have travelled from Argentina to Kazakhstan, as denoted by the KZ country code. I recommend that you familiarise yourself with the top level country codes as it makes it easier to spot them in scams like this. You can find a list of them here:

https://www.worldstandards.eu/other/tlds/

You may be able to find your initials in the list. My initials, TM, are the country code for Turkmenistan. Not all of them are obvious either. Look out for country codes as they are a reliable indicator for scam emails.

There is one final clue in that long URL that should set the alarm bells ringing. No website that is going to request sensitive, private or confidential information, like a password, should ever start with HTTP://. They should always start with HTTPS:// as that is the secure standard used by all websites handling data that has to be transmitted in a completely secure way. That is why on-line banking, shopping and other sites handling sensitive data always use it.

If you put all these clues together and you still don’t see the email as a scam then you are beyond help and you are going to get scammed. Emails like this one will get through to your mailbox no matter how good you think your security and junk systems are. The bottom line is simple. The only person who can protect you the most is you so make sure you know how to spot scams like this one. Otherwise sooner or later you will become a victim.

My customer had thought that something was wrong with his email service simply because he had not received any emails for a few days. If you think that there may be a problem with your email service then ask someone to send you an email. If you receive it then nothing is wrong your end. It really is that simple.

Don’t try this at home.

I often investigate these scams as thoroughly as I can as it helps me to understand what the criminals are up to and what new tricks they may be using. I have the right systems in place to do this and understand the risks of doing so. You should never click on the links or go to the websites as it is too dangerous.

When I clicked on the link, using one of my most secure and well protected systems, my browser threw up the following warning:




Not all browsers would show this but I was pleased to see that even if some gullible person had not spotted all those clues then they still had a chance of being prevented from making a very big mistake. Nobody should be able to miss that warning.

I however, needed to press on as I wanted to see the criminals fake webpage. Eventually I got to the webpage on the machine in Kazakhstan and here it is:



Assuming that you have failed to spot all the warning signs in the email and your browser did not warn you then you could have ended up with this on your screen. If you are a Yahoo email user at this point you really should be wondering why the login page looks so different.

For those of you that don’t use Yahoo here is their usual login page:




Spot the difference?

I would hope that no Yahoo user would be daft enough to think that the criminals webpage is genuine. Then again if someone has been daft enough to get this far without spotting the danger then we can probably assume that they will put their password in.

The Criminals Are Not Daft

You may have noticed that I have entered a password into the password box on the fake web page as I want to see what happens next. My password consisted of a suitable message for the criminals. The first time I entered it and clicked the Sign-in button it showed me a few fake messages to give me the impression that it was trying to connect me to the email account. Then it gave me an error message and told me that the password I had entered was incorrect.

You may have worked out what has happened. The criminals showed me some fake messages so they could buy some time whilst they try to access the Yahoo account with the stolen password. When they could not access the account they showed me the error message. If you did think that then you are wrong.

A common security trick is to enter your password wrong the first time on any site that you may be suspicious about. If you get a message telling you that the password is wrong then the site must be genuine as how could they know that you entered the wrong password?

It might seem like a good trick and I’ve heard of people that use it but its a really bad idea because the criminals know about it. Many of the fake web sites I visit will tell me the password is wrong the first time I enter one no matter what I put in. I could probably give them the correct password and they would still give me an error message after the first attempt.

On the second attempt they will accept the password so I tried again with my same message to them as my password. This time after more fake messages I was rewarded with the following web page:



Apparently the account has been verified and as a reward I have got an extra 15 GB of storage for the email account. I don’t think so.

All that has happened is that the criminals have now ‘stolen’ what they think is my customers password. They will have been trying to access his account almost as soon as the reward screen appeared. I do hope at least one of the criminals can understand English so they get my message to them.

What does intrigue me are the 10 different email services listed at the bottom of the page. I have a feeling that the criminals are sending out the same email to people using all of these services and not just to Yahoo users.

Hopefully, you will now be in a much better position to spot this type of scam and prevent yourself from becoming another victim. For many criminals gaining access to an email account is the holy grail because it often contains a lot of valuable and useful information. Please keep your email account(s) well protected with a strong password.

Use Two Factor Authentication (2FA) if it is available as an option as that way even if the criminals get your password they still won’t be able to access your account. Don’t leave anything sensitive, confidential or private in your email system. If you do and a criminal does get in then you will regret it.

If you want more detailed advice about your email security please call or email me and I will be happy to help.