I pay a lot of bills online via my bank; you probably do too. That’s why I wanted to create this quick little primer about how to spot fake emails. In the last two days, I’ve received five emails pretending to come from nacha.org, the Electronic Payment Association. Each email indicated one of my payments was rejected for some reason and had an attachment that would explain what went wrong. Of course, I was tempted to quickly open the attachments. Who wants late fees?

Then I came to my senses. Why not Google ‘nacha.org spam’? What do you know? Here are the results:

This is always the easiest way to spot a fake email: just Google what it is about. If it is dangerous, you are not the only person who has received it. From the screenshot above, you can see this scam has been around since 2009.

There are also a few more ways to spot fakes, even if you are the unfortunate victim of something brand new. In the first three emails, each had a different Transaction ID. That meant three payments must have been rejected. Highly unlikely unless my bank account had been hijacked, so I went online and verified it looked OK. I knew nacha.org was a valid institution, so I went to their home page. A scam alert was posted in big print with a very detailed article about what to look for.

The last way I sometimes use to spot fake emails is rather sophisticated. It involves reading the email ‘headers’. How you do this depends on what program you use to read email, but here is what the header of one of these emails looked like:

Received: from cust-127-41.on4.ontelecoms.gr (92.118.127.41) by mail.tskcusa.com (192.168.1.138)
 with Microsoft SMTP Server id 14.0.722.0; Thu, 26 May 2011 04:57:32 -0500
Received: from [23.152.204.50] (helo=utkyeyivnnqukdh.bhqfyjmzhdqdts.su)
 by cust-127-41.on4.ontelecoms.gr with esmtpa (Exim 4.69) (envelope-from )
 id 1MMTQ5-6244ki-XU for skozy@tskcinc.com; Thu, 26 May 2011 02:01:14 -0800
Date: Thu, 26 May 2011 02:01:14 -0800
From: payments@nacha.org
X-Mailer: The Bat! (v3.51.10) Home
X-Priority: 3 (Normal)
Message-ID: <8723423907.QBGHPKFE501816@rizunckbb.pldefif.biz>
To:
Subject: ACH payment canceled
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-Path: blenchesl815@gmail.com
X-MS-Exchange-Organization-AuthSource: TSKC1.tskcinc.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: nacha.org
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (TSKC1.tskcinc.com: domain of transitioning payments@nacha.org discourages use of 92.118.127.41 as permitted sender)
X-MS-Exchange-Organization-SCL: 3
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.10116.537;SID:SenderIDStatus SoftFail;OrigIP:92.118.127.41

The very first line of the header provides the verification that it is fake. Even though it appears to come from payments@nacha.org (7th line, the From: header), the real sender was “cust-127-41.on4.ontelecoms.gr” at internet address 92.118.127.41. The return path indicates it even came from a Gmail account (12th line, the Return-Path: header). Other parts of the header indicate it bounced off at least one proxy server in an attempt to avoid being caught by the spam filters of the world.
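The same three checks (handing-over host versus From domain, Return-Path versus From domain, and the SPF result) can be automated. This is an added example, not part of the original post; the function names are made up for illustration, and the sample input is an abridged copy of the header quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the header quoted in the post (values as they appear there).
RAW = """\
Received: from cust-127-41.on4.ontelecoms.gr (92.118.127.41) by
 mail.tskcusa.com (192.168.1.138) with Microsoft SMTP Server id 14.0.722.0;
 Thu, 26 May 2011 04:57:32 -0500
From: payments@nacha.org
Subject: ACH payment canceled
Return-Path: blenchesl815@gmail.com
Received-SPF: SoftFail (TSKC1.tskcinc.com: domain of transitioning
 payments@nacha.org discourages use of 92.118.127.41 as permitted sender)

"""

def domain_of(value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def check_headers(raw):
    """Return a list of human-readable warnings for one raw header block."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = domain_of(msg.get("From"))

    # The topmost Received line is written by the recipient's own server,
    # so it is the one hop the sender cannot forge.
    received = msg.get_all("Received") or []
    top = " ".join(received[0].split()) if received else ""
    hop = re.match(r"from\s+(\S+)\s+\(\[?([0-9A-Fa-f.:]+)\]?\)", top)
    if hop and from_dom:
        host, ip = hop.group(1).lower(), hop.group(2)
        if host != from_dom and not host.endswith("." + from_dom):
            warnings.append(f"handed over by {host} [{ip}], not a {from_dom} host")

    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    spf = (msg.get("Received-SPF") or "").split()
    if spf and spf[0].lower() != "pass":
        warnings.append(f"SPF result for {from_dom}: {spf[0]}")
    return warnings

if __name__ == "__main__":
    for line in check_headers(RAW):
        print("WARNING:", line)
```

Legitimate mail sent through a third-party mailing service can also trip the first two checks, so read them together with the SPF result rather than one at a time.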

Because my business assistant knows how to read email headers, I could no longer fool her with fake messages from Steven Jobs about the dream job she has always wanted! RIP Steven, you changed the computer landscape forever…