There are a lot of bad things on the Internet, and few are worse than phishing scams. But there is a certain class of phishing scam that has earned a special level of disdain and disgust, at least from me. I’m talking about the phishing scams that target Hotmail customers using my name, my picture, and even my signature. Grrrr.
Let me clear something up right off the bat: I will never ask for your password. No one from Hotmail or Microsoft will ever ask for your password. In fact, no legitimate service will ever ask for your password. If you ever get an email asking for any password to any service, you can be sure, without a shadow of a doubt, that the email is a phishing scam. Just junk it. (Or, in Hotmail, mark it as a phishing scam using the “Mark As” menu.)
Phishing scams
Spammers want to send spam. That’s what they do. As I said in my last post, we’ve made it hard for them to send spam with new accounts due to the effectiveness of our account reputation work. So, spammers have turned to hijacking customer accounts in order to send more spam.
Phishing scams are one of the simplest ways that spammers use to gain control of your account. The spammer sends an email that asks for your password, usually with a threat that your account is about to be closed. You reply, providing your password, and, Voila! Your account (and reputation) is hacked.
Spammers do this on all networks and all services – Hotmail, Gmail, Yahoo!, Facebook, AOL – spammers do not discriminate, and no service is immune.
How my picture got out there
Hotmail sends email to our customers fairly regularly to update people on various things, such as the availability of new software or features, or even to remind people about security measures, like creating a strong password or adding your mobile phone number to your account.
About a year ago, we decided that we would make these messages more personal by including my name, my picture, and my signature.
That decision has really come back to haunt me.
A gift to spammers
Almost immediately, the spammers copied that email, including my picture, name and signature, and modified the content so that it said something like “Your account is about to be shut down unless you reply to this email with your account name and password.”
This is a classic example of a phishing scam, and one of the most common ways that accounts get compromised. Here’s an example:
The bottom of that same email looks like this:
Yep. That’s me, all right. But that email is definitely not from me.
Even smart people fall for it
Phishing messages can look very real and convincing, so even smart, tech-savvy people fall for them. I get asked about this quite a bit.
Here’s a conversation that took place on my public Facebook page. The first person asks, “I got this message, is it really you?” In response, our Development Manager, Eliot, displayed both his penchant for pithiness and his mastery of high school French:
Phishing scammers know that they’ll get better response rates by using my pictures and my signature to produce email messages that look legitimate. They even translate their scams into multiple languages to broaden their reach.
The telltale signs of a phishing message
As I’ve said, any email that asks for your password is a phishing scam and shouldn’t be trusted. You don’t need to look any further to know the message is a fake. Nonetheless, it’s interesting to see how “creative” the scammers can get. Here are some tactics scammers use to get people to provide their account info:
They copy Hotmail’s marketing images. These phishing messages usually contain the latest image from Hotmail’s own marketing campaigns, like this one:
They provide a bogus reason for needing your password. The messages usually contain an introduction that offers a false explanation about why they need your password. Some of my favorites include:
- “We are currently upgrading our data base and e-mail account center.”
- “We are deleting all unused accounts to create more space for new accounts.”
- “We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better.”
- “We are having too many congested email due to the anonymous registration of Hotmail Msn-Live Accounts in our database system.”
Rest assured: NONE of these will EVER be a legitimate reason to ask for your password.
They design a subject line to scare you. The subject lines call for your immediate attention and are often intended to be scary. Here are a few common examples:
- Some variation of “Account Alert!!!”, or “Account upgrade alert,” or “Email account alert.”
- Some variation of “Account renewal process,” or “Verify your account details.”
- Some variation of “Email Warning!!!”, or “Verify your email now to avoid being closed!!!!!”
(Scammers really like to use exclamation points!!!! A lot!!!)
They send the email from a bad “From” address. The “From” address in the email is often a dead giveaway. At a glance, it might look like you’ve gotten mail from the Hotmail Team. But if you look at the actual email address, it’s almost always something fishy (phishy?). Typically, scammers just use the name of a Hotmail customer account.
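The four tactics above map directly onto checks a mail filter can run. As an added example (not Hotmail’s filter and not code from this post), here is a small Python scorer that runs those checks over a constructed sample message; the trusted-sender domain, the keyword patterns and the two-signal threshold are my assumptions, not values from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the tactics described in the post (not a real capture).
SAMPLE_PHISH = """From: Hotmail Team <someuser@example.net>
Subject: Verify your email now to avoid being closed!!!!!

We are currently upgrading our data base and e-mail account center.
Reply to this email with your account name and password.
"""

# Constructed legitimate-looking notice with no password request (sender domain is an assumption).
SAMPLE_LEGIT = """From: Hotmail Team <team@hotmail.com>
Subject: Tips for keeping your account secure

Here are some reminders, like creating a strong password and adding your mobile phone number.
"""

# A request to reply with / send / provide a password, within a short window of text.
PASSWORD_REQUEST = re.compile(r"\b(reply|send|provide|confirm)\b.{0,60}\bpassword\b", re.I | re.S)
# Subject-line patterns taken from the examples listed in the post.
SCARY_SUBJECT = re.compile(r"account alert|email warning|verify your (account|email)|account (upgrade|renewal)", re.I)
# Assumed set of domains the real service sends from; an operator would fill in their own.
TRUSTED_DOMAINS = {"hotmail.com"}


def phishing_signals(raw):
    """Return one boolean signal per tactic described in the post."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # single-part message, so this is the body text
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return {
        "asks_for_password": bool(PASSWORD_REQUEST.search(body)),
        "scary_subject": bool(SCARY_SUBJECT.search(subject)),
        "exclamation_run": "!!" in subject,
        # Display name claims to be Hotmail but the actual address is somewhere else.
        "from_mismatch": "hotmail" in display.lower() and domain not in TRUSTED_DOMAINS,
    }


def is_phishing(raw):
    """The post's rule: a password request alone settles it; otherwise require two weaker signals."""
    s = phishing_signals(raw)
    return s["asks_for_password"] or sum(s.values()) >= 2
```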
Get educated, educate others
In a perfect world, no one would ever give out their password, and the phishing scams would be ineffective, and would just stop. You’ve already taken a step to helping us get there by reading this post, and now you can help pay it forward by educating others.
Any email that asks for your password is a phishing scam. If anyone ever asks you, “Hey, is this email legit?” just say, “If it asks you for your password, then it is absolutely, definitely, without question a scam! Report it as junk!”
As a final note, some of you might be wondering, Why can’t Hotmail detect these scams?
We can detect these scams and do detect many of them. But it’s just a numbers game, and spammers are capable of producing a huge volume of phishing scams, with enough variation in the text and images to fool our filters a small percentage of the time. In addition, it’s important for us to keep the false positives low – meaning that we don’t want to mistakenly identify a legitimate email sent from a good user as spam.
So, until we get to that perfect world without spammers, we’ll be here building better and better systems to battle the bad guys. Thanks for reading, and thanks for using Hotmail.