09 February 2012

I will NEVER ask for your password

There are a lot of bad things on the Internet, and few are worse than phishing scams. But there is a certain class of phishing scam that has earned a special level of disdain and disgust, at least from me. I’m talking about the phishing scams that target Hotmail customers using my name, my picture, and even my signature. Grrrr.

Let me clear something up right off the bat: I will never ask for your password. No one from Hotmail or Microsoft will ever ask for your password. In fact, no legitimate service will ever ask for your password. If you ever get an email asking for any password to any service, you can be sure, without a shadow of a doubt, that the email is a phishing scam. Just junk it. (Or, in Hotmail, mark it as a phishing scam using the “Mark As” menu.)

Phishing scams

Spammers want to send spam. That’s what they do. As I said in my last post, we’ve made it hard for them to send spam with new accounts due to the effectiveness of our account reputation work. So, spammers have turned to hijacking customer accounts in order to send more spam.
Phishing scams are one of the simplest ways that spammers use to gain control of your account. The spammer sends an email that asks for your password, usually with a threat that your account is about to be closed. You reply, providing your password, and, voilà! Your account (and reputation) is hacked.
Spammers do this on all networks and all services – Hotmail, Gmail, Yahoo!, Facebook, AOL – spammers do not discriminate, and no service is immune.

How my picture got out there

Hotmail sends email to our customers fairly regularly to update people on various things, such as the availability of new software or features, or even to remind people about security measures, like creating a strong password or adding your mobile phone number to your account.
About a year ago, we decided that we would make these messages more personal by including my name, my picture, and my signature.
That decision has really come back to haunt me.

A gift to spammers

Almost immediately, the spammers copied that email, including my picture, name and signature, and modified the content so that it said something like “Your account is about to be shut down unless you reply to this email with your account name and password.”
This is a classic example of a phishing scam, and one of the most common ways that accounts get compromised. Here’s an example:
[Image: an example of a phishing scam]
The bottom of that same email looks like this:
[Image: phishing scams use Dick Craddock's name and picture]
Yep. That’s me, all right. But that email is definitely not from me.

Even smart people fall for it

Phishing messages can look very real and convincing, so even smart, tech-savvy people fall for them. I get asked about this quite a bit.
Here’s a conversation that took place on my public Facebook page. The first person asks, “I got this message, is it really you?” In response, our Development Manager, Eliot, displayed both his penchant for pithiness and his mastery of high school French:
[Image: Facebook messages]
Phishing scammers know that they’ll get better response rates by using my pictures and my signature to produce email messages that look legitimate. They even translate their scams into multiple languages to broaden their reach.

The telltale signs of a phishing message

As I’ve said, any email that asks for your password is a phishing scam and shouldn’t be trusted. You don’t need to look any further to know the message is a fake. Nonetheless, it’s interesting to see how “creative” the scammers can get. Here are some tactics scammers use to get people to provide their account info:
They copy Hotmail’s marketing images. These phishing messages usually contain the latest image from Hotmail’s own marketing campaigns, like this one:
[Image: Hotmail header]
They provide a bogus reason for needing your password. The messages usually contain an introduction that offers a false explanation about why they need your password. Some of my favorites include:
  • “We are currently upgrading our data base and e-mail account center.”
  • “We are deleting all unused accounts to create more space for new accounts.”
  • “We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better.”
  • “We are having too many congested email due to the anonymous registration of Hotmail Msn-Live Accounts in our database system.”
Rest assured: NONE of these will EVER be a legitimate reason to ask for your password.
They design a subject line to scare you. The subject lines call for your immediate attention and are often intended to be scary. Here are a few common examples:
  • Some variation of “Account Alert!!!”, or “Account upgrade alert,” or “Email account alert.”
  • Some variation of “Account renewal process,” or “Verify your account details.”
  • Some variation of “Email Warning!!!”, or “Verify your email now to avoid being closed!!!!!”
(Scammers really like to use exclamation points!!!! A lot!!!)
They send the email from a bad “From” address. The “From” address in the email is often a dead giveaway. At a glance, it might look like you’ve gotten mail from the Hotmail Team. But if you look at the actual email address, it’s almost always something fishy (phishy?). Typically, scammers just use the name of a Hotmail customer account.
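As an added example that is not part of the original post, here is a small Python heuristic that scores two constructed messages against the telltale signs listed above. The sample messages and the allow-list of genuine service senders are assumptions for illustration, not Hotmail's actual filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail) mirroring the tactics described above.
PHISH = """\
From: Hotmail Team <some.customer@hotmail.com>
Subject: Account Alert!!! Verify your email now to avoid being closed!!!!!

We are currently upgrading our data base and e-mail account center.
Reply to this email with your account name and password within 24 hours.
"""
LEGIT = """\
From: Hotmail <hotmail@microsoft.com>
Subject: New features in Hotmail this month

Tip: add your mobile phone number to your account as a recovery option.
We will never ask you for your password.
"""

# Assumed allow-list of genuine service senders; not Hotmail's real list.
OFFICIAL_SENDERS = {"hotmail@microsoft.com"}
ASKS_FOR_PASSWORD = re.compile(r"\b(reply|send|provide|confirm)\b.{0,60}\bpassword\b", re.I | re.S)
SCARY_SUBJECT = re.compile(r"\b(alert|warning|verify|renewal|closed|suspend)", re.I)
BOGUS_REASON = re.compile(r"\b(upgrad\w*|delet\w*|data ?base|congest\w*)\b", re.I)

def phishing_score(raw):
    """Return (score, reasons) for one plain-text message; a higher score is more suspicious."""
    msg = message_from_string(raw)
    subject, body = msg.get("Subject", ""), msg.get_payload()
    display, addr = parseaddr(msg.get("From", ""))
    reasons = []
    if ASKS_FOR_PASSWORD.search(body):
        reasons.append("asks for password")          # decisive on its own
    if BOGUS_REASON.search(body):
        reasons.append("bogus upgrade/database/deletion reason")
    if SCARY_SUBJECT.search(subject):
        reasons.append("alarming subject line")
    if subject.count("!") >= 3:
        reasons.append("excessive exclamation points")
    # Display name claims to be Hotmail, but the mailbox is not a known service sender
    # (scammers typically send from an ordinary customer account).
    if "hotmail" in display.lower() and addr.lower() not in OFFICIAL_SENDERS:
        reasons.append("From address does not match the claimed sender")
    return len(reasons), reasons

def is_phishing(raw):
    """Asking for a password is sufficient by itself; weaker signals must accumulate,
    so one alarming word in a genuine notice does not become a false positive."""
    score, reasons = phishing_score(raw)
    return "asks for password" in reasons or score >= 3
```

The threshold on the weaker signals is where the false-positive trade-off mentioned at the end of the post lives: raise it and more scams slip through, lower it and more genuine notices get junked.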

Get educated, educate others

In a perfect world, no one would ever give out their password, and the phishing scams would be ineffective, and would just stop. You’ve already taken a step to helping us get there by reading this post, and now you can help pay it forward by educating others.

Any email that asks for your password is a phishing scam. If anyone ever asks you, “Hey, is this email legit?” just say, “If it asks you for your password, then it is absolutely, definitely, without question a scam! Report it as junk!”

As a final note, some of you might be wondering, “Why can’t Hotmail detect these scams?” We can detect these scams and do detect many of them. But it’s just a numbers game, and spammers are capable of producing a huge volume of phishing scams, with enough variation in the text and images to fool our filters a small percentage of the time. In addition, it’s important for us to keep the false positives low – meaning that we don’t want to mistakenly identify a legitimate email sent from a good user as spam.

So, until we get to that perfect world without spammers, we’ll be here building better and better systems to battle the bad guys. Thanks for reading, and thanks for using Hotmail.