
Every trick in the book:
how hackers take over your computer
(or your bank account)

by Rich Pasco


Spammers will use every trick in the book to get you to click on their links to malicious web sites, or to open their malicious attachments, or to divulge personal information for identity theft. Below are just a few examples. As P.T. Barnum said, “There's a sucker born every minute.” Don't be one of them!

Most are designed to create a sense of alarm and urgency, threatening financial harm, embarrassment or inconvenience unless one takes the bait. Others flatter the recipient and/or hint at sexual benefits. Still others purport to be from a friend with something curiously exciting to share.

Often, the “From:” e-mail address on such fraudulent e-mail messages is forged, or “spoofed”, to resemble that of a well-known service (such as Facebook, MySpace, Verizon or CitiBank). If you have that service in your approved senders list, such junk mail will slip right past your junk-mail filter. You should never trust the “From:” address on any e-mail; it is easy to forge.

There have been an increasing number of incidents where a hacker breaks into an e-mail account and sends junk mail to all that person's contacts. Even if an e-mail seems to be from a friend, it may not be, so proceed with caution. For more information see “Spam from your friends: hacked and spoofed e-mail.”

All the same concerns about e-mail also apply to messages sent via social networking sites like Facebook and to messages sent to mobile phones. Be just as suspicious about strange phone calls and texts as about e-mail messages.


  1. To trick you into divulging personal information, such as account passwords, social security numbers, etc. (for the crime of identity theft).
  2. To trick you into installing software which will give them total control over your computer.
  3. To trick you into sending them money (e.g. to buy phony anti-virus software, to pay a “fine” to unlock your computer, or to aid a friend allegedly victimized by theft while on vacation).


The two most common ways in which scammers spread their scams are:

  1. “Spam” or junk e-mail which pretends to be from a friend or a financial institution
  2. Phony web sites which purport to alert you to a virus in your computer or a necessary software update

The remainder of this article explores each of these two means in greater depth.

Example scam: The USAA Fraud

I present this example first because it involves many deceptions. My sister-in-law posted it to Facebook after it had happened to a friend in mid-March, 2019. Insertions in [brackets] are mine. Be sure to read my analysis and comment below.

I received a text message [apparently] from USAA about a login attempt into my account followed by 3 back to back calls [apparently] from USAA. When I answered I was notified that the fraud department picked up on 3 fraudulent charges on my account and they needed me to deny or confirm those charges.

They said there were 3 transactions:

  • $200 at WalMart
  • $35 UBER ride
  • $77 Best Buy

I confirmed that they were not me. They needed to verify my account information so they sent me a code to my phone that I needed to give them to verify that I was who I claimed to be. I gave them the code and they went through 3 separate verification codes to mark the 3 transactions as Fraud.

Shortly after the 3 transaction codes the call got disconnected (this happens frequently in base housing), so I waited a few minutes and called USAA back.

Upon calling USAA it was discovered that the entire first call was a hoax and that temporary code I gave them allowed them to login to our bank account and withdraw $1000 from our checking account. I was so confused. The call was [apparently] from USAA, the text messages looked exactly like the ones I receive all the time when logging into my USAA account [because they were]. How was I supposed to pick up this was fraud when I never gave them any personal information?

The USAA representative told me that the clue I should know is that if USAA calls you, they will never ask for a verification code. They only request one if you call them.

All in all, thank goodness I called when the call had been disconnected. By the time I did, they had changed our address, our email, and were ordering a new bank card to be shipped to the fraudulent address.

We should get the money back within the next week, but damn, that was not something on my radar. Sharing in case it happens to anyone else as well.

Update: Following the call with USAA everything was changed: login ID, passcode, 4 digit pin, security questions. Soon thereafter I received a text message [apparently] from USAA with a login attempt containing my brand new login ID, immediately followed by a call from the 1-800 USAA number. I sent it to voicemail, where it called 2 more times, and I called USAA. They could see the attempt to login to my account, but thankfully since I didn't answer the phone, they were not able to access the bank account. I asked USAA to lock my account (meaning I can't even access it), and I'll wait a few weeks and unlock it.

USAA also added that if they do reach out for a fraud attempt it will almost always be an automated message instructing the user to call USAA themselves, they will never go over information with that first phone call.

Analysis and comment by Rich Pasco

  • Here is what happened: The scammers were trying to log into the victim's USAA account. Since USAA didn't recognize the computer originating that connection, USAA sent a verification code to their customer's phone. The victim obediently gave it to the scammers, who could then use it to complete their login.

  • There is absolutely nothing wrong with USAA. To the contrary, in fact, USAA was appropriately defensive in using two-factor authentication to safeguard the victim's account. The victim would have been perfectly safe if she had not believed the scammers and followed their instructions to give them the codes.

  • Lesson #1: Be skeptical about believing any unsolicited e-mail, text message, or phone call you receive. The “From:” address on an e-mail, or the caller-ID number on a text message or voice call, can easily be spoofed (forged) to make it look legitimate. Also the format and graphic “stationery” is easily copied and forged. (See Caller-ID Spoofing: Spoofing a Known Institution.)

  • Lesson #2: Do not respond directly to any unsolicited email, text, or call alleging fraud on your account. Instead, immediately call the company at its regular number on the back of your card to assess the problem.

  • Lesson #3: Do set up two-factor authentication (2FA) on all your online accounts. With 2FA, whenever an attempt is made to log in to your account from a computer not recognized by the server, the server sends you either an e-mail message or a cell-phone text message with an access code.

  • What I still don't understand is how the scammer got the victim's cell phone number and USAA username and password, all three of which were used in concert to pull off the scam. Apparently, however they did that is how they also got the replacement credentials for the second attempt.

“Spam” or junk e-mail

Scammers broadcast thousands of e-mail messages which use all kinds of trickery to get you to open an attachment or click on a web link which will take you to a malicious web site, which will either prompt you to enter your personal data or directly load software onto your computer.

The tricky e-mail may pretend to be from your internet service provider or financial institution and ask you to “confirm your details” or “activate your account.” Or it may pretend to come from a known retailer (e.g. Amazon.com) and claim to “confirm” a purchase you allegedly made (but didn't).

The phony e-mail conveys a tone of urgency and a threat of loss if you don't comply quickly. Hackers want you to hurry so you won't have time to think, so they tell you that you will miss out on an offer expiring soon, your card will be charged, your account will be closed, you will be sued, or even that a warrant will be issued for your arrest, unless you quickly take the requested action.

Ways to tell a phony e-mail

  1. It does not directly correspond to any action you recently took. It may claim to be about “system upgrades” or other vague topics. It may allude to a purchase you did not make, a parcel you did not send, or a lottery you did not enter.
  2. It does not address you by your full name, but rather by your e-mail address, or by “dear customer” (even though your full name is on file with your provider).
  3. It contains links which may appear to lead to a legitimate site, but actually lead to a malicious site. See “Where does a link really lead?” below.
  4. The address on the “From:” line is obviously phony, or someone you don't want to hear from. For example, I got a junk mail from david@smashyourfacein.in.net. Note: The converse is not true: Just because an address looks legitimate does not mean that it is. More below.
  5. The address on the “From:” line is your own. If the address on the “From:” line is your own, and you didn't send it to yourself, then you absolutely positively know that it is phony and may dispose of it immediately. Hackers know that you probably have your own address in your address book (contacts), so they spoof your address to get their junk past your spam filter.
  6. It is written in bad English. For example, it may contain the phrase, “needs your urgent attention.”

The address on the “From:” line of an e-mail should never be relied on to determine its origin. That line is easier to forge (or spoof) than the return address on the upper-left corner of a paper envelope. It is inserted by the sender's e-mail software, and so a sender can put anything he wants there, be it Bank of America or Santa Claus. (There are, however, postmarks in the hidden headers of an e-mail which advanced users can interpret to determine a message's true origin. For details see “Where in the world is the hacker located?”)
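The “postmarks” mentioned above are the Received: lines that each mail server prepends as a message passes through it. The following is an added example, not code from the article or from the “Where in the world is the hacker located?” page it refers to. It walks those lines from the top (the newest, written by our own server) downward, because only the line our own server wrote can be trusted; every line below it was supplied by the sender and may be forged. The sample message, the trusted server name mx.example.net, and all hostnames and addresses in it are constructed placeholders.

```python
"""Locate the host that really handed an e-mail to our mail server.

Added example, not code from the original article. The message below is
constructed, and mx.example.net (the receiving server we trust) and the other
hostnames and addresses in it are placeholders.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Assumption: the mail servers we operate. Only Received: lines they wrote
# can be trusted; every line below those was supplied by the sender.
TRUSTED_RECEIVERS = {"mx.example.net"}

# Constructed sample. The lower Received: line was forged by the sender and
# even contains an impossible IPv4 literal (an octet above 255).
RAW_MESSAGE = b"""\
Received: from relay.example-isp.test (relay.example-isp.test [203.0.113.45])
\tby mx.example.net with ESMTP id 1A2B3C; Sat, 22 Jun 2019 10:15:02 -0700
Received: from mail.bank.example (mail.bank.example [999.1.1.1])
\tby relay.example-isp.test with SMTP; Sat, 22 Jun 2019 10:14:59 -0700
From: "Bank Security" <alerts@bank.example>
To: victim@example.net
Subject: Suspicious activity on your account

Please verify your account immediately.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
BRACKET_IP_RE = re.compile(r"\[(?P<ip>[^\]]+)\]")


def parse_ip(text):
    """Return an IPv4/IPv6 address object, or None if text is not a valid literal."""
    try:
        return ipaddress.ip_address((text or "").strip())
    except ValueError:
        return None


def parse_received(value):
    """Split one Received: header into (HELO name, bracketed IP literal, 'by' host)."""
    flat = " ".join(str(value).split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip_m = BRACKET_IP_RE.search(m.group("paren") or "")
    return m.group("helo"), (ip_m.group("ip") if ip_m else None), m.group("by").lower()


def received_headers(raw_bytes):
    """Parsed Received: lines in header order, i.e. newest (our own server's) first."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [p for p in (parse_received(v) for v in msg.get_all("Received", [])) if p]


def connecting_ip(raw_bytes):
    """Walk Received: lines top-down. The first line written by one of our own
    servers names the client that actually connected to us; returns the IP
    literal and whether it is a valid address."""
    for _helo, ip_literal, by_host in received_headers(raw_bytes):
        if by_host in TRUSTED_RECEIVERS:
            return ip_literal, parse_ip(ip_literal) is not None
    return None, False


def invalid_ip_literals(raw_bytes):
    """IP literals in any Received: line that cannot be real addresses: a sure sign of forgery."""
    return [ip for _, ip, _ in received_headers(raw_bytes) if ip and parse_ip(ip) is None]


def from_domain(raw_bytes):
    """Domain claimed on the From: line. Compare it with the connecting host; never trust it alone."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


if __name__ == "__main__":
    ip, valid = connecting_ip(RAW_MESSAGE)
    print("From: claims domain", from_domain(RAW_MESSAGE))
    print("Client that really connected to us:", ip, "(valid address)" if valid else "(invalid!)")
    print("Forged-looking IP literals further down:", invalid_ip_literals(RAW_MESSAGE))
```

Run on the sample, it reports that the From: line claims bank.example while the host that actually connected to mx.example.net was 203.0.113.45, and that the sender's own Received: line carries an impossible address. The real origin is then a matter of looking up that connecting address with a geolocation service such as the ip2location site the article mentions.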

A phony e-mail may include all the same artwork and formatting (stationery) as a legitimate one. It is very easy for a hacker to copy artwork from a legitimate e-mail to a phony one.

Below is a sample of a phony e-mail, purportedly from American Express. As received, all of the hyperlinks lead to the hacker's web site! What lay there, I don't know because I didn't dare click on them, but it would most likely either install malware on my computer or present a login screen looking like Amex's, designed to trick me into entering my Amex username and password.

Sample phony e-mail

What to do with a phony e-mail

If you receive such an e-mail, the safest course is to simply delete it. If in doubt about your account with your bank or other service, do not click on the link in the e-mail; instead sign in by going to their known web address from a trusted source (e.g. printed on your last statement). And, if you would like my opinion, feel free to contact me.

I used to believe that there was no harm in simply visiting a web site, and would occasionally click on a link in an e-mail out of curiosity, just to see where it led. I was too smart to enter my personal credentials on any form there, but I wanted to see how the site looked. Unfortunately, twice in one year, my computer got infected by malicious software by my doing so. This is colloquially called a “Drive-by download.” In each case, I was running Windows XP with all the latest security patches from Microsoft, the latest Mozilla Firefox browser, and the latest AVG anti-virus. But still malicious software got installed, apparently from scripts on the web sites.

I've received e-mail from Macintosh users who gloat about how they are not vulnerable to viruses and malicious software. While it is true that far more viruses are targeted at Windows than at Mac OS, and Windows is more vulnerable than Mac OS, Macs are not invincible, and the same general precautions apply. And no OS in the world will protect against a user who gives away his password by typing it into a phony web page.

Where does a link really lead?

Since hackers send out spam (junk mail) with a goal of getting you to click on links to their malicious web pages, it is important to know where a link in an e-mail really leads, before you click on it. With HTML-formatted e-mail (most e-mail with multiple fonts, embedded graphics, etc.), what you see (in the visible text) is not what you get (when you click on it). The visible appearance of a link can be set independently of where it really leads. If you don't believe me, click on this link to see what happens:

In this example, the visible text says Google, but the hidden hyperlink really leads to my own page (which is harmless).

So if you can't trust the visible text to tell where a link leads, how can you tell? The answer depends on your e-mail client application, your operating system, and if you're using a web-based e-mail client, your browser. In some, you can hover your mouse over the link and view its target in your status line. In others, you can right-click on the link and choose "Properties", then look at the address shown on the pop-up. Check with your system's user's manuals to be sure.

If the target address doesn't match the visible text, beware!

The figure below shows a phony message which I actually received, as displayed in my e-mail client, Mozilla Thunderbird. The top circle shows my cursor hovering over the link “let us know immediately” (I did not click on it!) and the bottom shows Thunderbird displaying the actual target of that link in the status line. I know the message to be phony because the target is not facebook.com.

Phony Facebook
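Hovering over each link works for one message at a time; the same check can be done programmatically over the HTML body of a message. This added example is not code from the article: it lists the visible text and the real href of every link, and flags the case the article warns about, where the visible text names one host (as in the phony American Express mail later on this page) but the href points somewhere else. The sample HTML is constructed, and the hostnames in it other than americanexpress.com are placeholders.

```python
"""Show where each link in an HTML e-mail really leads.

Added example, not code from the original article. The sample HTML below is
constructed; the hostnames in it (other than americanexpress.com, which the
article itself mentions) are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: two deceptive links and one honest one.
SAMPLE_HTML = """
<p>Dear Customer, if you did not make this purchase please
<a href="http://203.0.113.7/amex/login.php">let us know immediately</a>.</p>
<p>Or sign in at <a href="http://secure-verify.example/aexp">http://americanexpress.com</a>.</p>
<p>Statements are at <a href="https://www.americanexpress.com/">www.americanexpress.com</a>.</p>
"""

# A domain name (optionally with http:// or https://) appearing in visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def extract_links(html):
    """All links in the message as (visible text, real target) pairs."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def normalize_host(host):
    """Lower-case a hostname and drop a leading 'www.' so the two sides compare fairly."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_named_in_text(text):
    """Return the domain a link's visible text appears to name, or None."""
    m = HOST_IN_TEXT.search(text)
    return normalize_host(m.group(1)) if m else None


def mismatched_links(html):
    """Links whose visible text names one host but whose href goes to another.
    Links with no host in their text (e.g. 'click here') are not flagged here;
    extract_links() still lists their real targets for manual inspection."""
    flagged = []
    for text, href in extract_links(html):
        shown = host_named_in_text(text)
        actual = normalize_host(urlparse(href).hostname)
        if shown and actual and shown != actual:
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in extract_links(SAMPLE_HTML):
        print(f"{text!r:40} -> {href}")
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: text says {text!r} but the link really goes to {href}")
```

On the sample, the first link is not flagged because its text (“let us know immediately”) names no host at all, which is exactly why its listed target still has to be read by eye; the second is flagged because its text says americanexpress.com while it really leads to secure-verify.example; the third passes because text and target agree.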

Examples of E-Mail and Phony Web Site Scams

Phony e-mail messages and web sites purport to tell you that you need a software update or have a virus, or that you have won a prize, and thereby trick you into installing malicious software or calling a malicious phone number. Some may pretend to look like a site you know and trust to trick you into divulging your username, password, or account number.

Take this survey for a coupon

You receive an e-mail (or Facebook post), purportedly from a major retailer, offering a generous coupon in exchange for completing a survey. However, the e-mail is phony (perhaps its “From:” address was spoofed), the survey is a phishing attempt to obtain your personal information for identity theft, and the promised coupon, if it ever materializes at all, is not recognized by the retailer.

The Google Photos or Google Drive Scam


It is because so many people use Google that it is a popular target for scammers to impersonate; they have a high chance that a randomly broadcast e-mail message will actually reach a Google user.

Within a five-minute time span on Saturday, June 22, 2019, I got the three separate e-mail messages shown at the right, all “From:” different addresses, all purporting to be from Google, and begging me to click on the links scattered throughout, none of which actually lead to Google. Of course I didn't actually click on any of those links, because I expect that they would either attempt to download malicious software (malware) to my computer, to trick me into divulging personal information, or both.

My first clue that these were phony: In each of the three photos here, the “From:” address displayed an address other than Google (circled in red). That in itself is a dead give-away that they were phony, but the converse is not true. Even if they did show a Google address, it could easily have been falsified (“spoofed”) and should not in itself be trusted to prove its validity.

If I really cared where it really came from, I could have followed my own instructions under “Where in the world is the hacker located?”

The easiest way to determine where the links in the message point, if your e-mail client supports it, is to hover your mouse over each of them and look at the URL displayed on your e-mail client's status line. For more info, see “Where does a link really lead?” above.

The Anti-Virus Expiry Scam

I was visiting the CBS News web site on 2019-06-08 when this advertisement suddenly replaced their page in my browser. It sure looks authentic, doesn't it? Tempted to click on that “Renew Now” link, enter your credit card, and download the latest version? Think again! First of all, I knew it was fake because I don't even have McAfee software on my computer. Second, if I did, I would only obtain it directly from the McAfee web site, certainly not from apps-centerzmd.info (circled in red on this screen shot). If I had entered my credit card number, I would have placed it into the hands of the scammers. And if I installed the software, I would have installed malware (malicious software) onto my computer. Another give-away is the lower-case “a” in “Mcafee” (three places). The real McAfee would never misspell the name of their own company like that!

Fake McAfee Renewal Notice
(Click to enlarge)

One might ask, why did I get this ad in the first place? One possible answer is that CBS News, like other web sites, sells advertising space on their site to agencies which in turn sell ad space to a wide audience of customers. Some such agencies do not carefully vet their ads against code which do what this one did: replace the page on which the ad is displayed (e.g. CBS News) with a full-page version of their (misleading) advertisement. In any event, at this point it is safest to just close the browser without clicking on “Renew Now” or any other links contained in it.

To be clear, the real McAfee had absolutely nothing to do with this phony advertisement (other than, of course, that the phony impersonated them, just as it might impersonate any other well-known company). CBS News is a bit more culpable, for selling ad space to an agency which does not fully vet their ads.

The Vehicle History Report Scam

Here's a scam aimed at people selling used cars online, e.g. via craigslist: Trolls scan used car ads and ask the sellers for a vehicle history report. When you send them one, they tell you they don't trust it and ask you to get one (at your own expense) from their pet company. In fact they have no intention to buy your car but are trying to drum up business for their pet company which makes a huge profit and pays the troll to advertise them.

When selling her van in the summer of 2017, my partner obtained a vehicle history report, which we sent to prospective buyers who asked for it. Two of the ostensible buyers, “James Parkin” and “Pete Hansen”, sent such similar e-mail messages that their motives are apparent:

VIN scam
(Click to enlarge)

It turns out that according to Network Solutions' WhoIs service, both of the domains usvehiclecheck.com and vinchecksup.com are registered to “Internet Domain Service BS Corp.” How appropriate! Is it any coincidence that both of the recommended sites resolve to exactly the same IP address? According to ip2location [] is hosted by NForce Entertainment B.V. in the Netherlands.

Update 2017-11-15: My friend Don reported today that he actually fell for such a scam and purchased a report from a company advertised like this. After he received the report, he grew concerned about whether his credit card account had been compromised by giving them the card number. We may never know.

The “Unusual sign-in” scam

I got an amusing piece of spam, designed to get me to click on a malicious link. It is amusing because I asked, “How stupid do they think I am?” It claimed a suspicious sign-in to my Microsoft account, but there were several glaring problems:

  1. It did not come from Microsoft, not even close. They could have spoofed Microsoft's address onto the From line but didn't. It didn't come from the domain they did spoof, either. That dcccd.edu domain is from the Dallas County TX Community College District. According to the message's hidden headers, it really came from an IP address which is in Guizhou, China, according to IP2Location™.
  2. It had no Subject (the Subject line was blank).
  3. It was addressed to my personal e-mail address (redacted here in red), and the body referred to that address as my Microsoft ID, but I really use a different e-mail address as my Microsoft ID.
  4. The IP address from which the alleged sign-in came is not a valid IP address. IPv4 addresses comprise four numbers from 0 to 255, and IPv6 addresses have a totally different syntax.
  5. The instruction "Please check out document for further instructions" pointed to a web address which was also not Microsoft's (and different from the domain on the From line).

Obviously, I didn't click on the link.

Unusual sign-in

The traffic citation scam

TALLAHASSEE, Fla. - The Department of Highway Safety and Motor Vehicles (DHSMV) is warning consumers that they may be targeted by a company representing itself as the DHSMV demanding payment for fraudulent citations. The company, which is not associated with the DHSMV in any way, will send emails to consumers requesting payment of a citation within a certain timeframe and if the payment is not received on time, the company will falsely require a daily late fee payment.

Example of phony e-mail (click for enlargement)

The email sent to consumers includes a linked payment page and email address. While the linked payment page appears to be inactive at this time, the DHSMV is warning consumers that this is a scam and no payment should be made. If a consumer has made a payment, they should refute the charge and take the appropriate security measures with their financial institution.

Consumers should note the following:

  • The DHSMV and Clerks of Court do not email citations to customers;
  • The DHSMV and Clerks of Court do not require citation payment via email;
  • Citation numbers are always seven alpha-numeric digits;
  • If a consumer receives a notice regarding a suspicious citation, they should contact the local Clerk of Court or call the DHSMV immediately.

The Florida Department of Highway Safety and Motor Vehicles (DHSMV) provides highway safety and security through excellence in service, education and enforcement. DHSMV is leading the way to a safer Florida through the efficient and professional execution of its core mission: the issuance of driver licenses, vehicle tags and titles and operation of the Florida Highway Patrol. To learn more about DHSMV and the services offered, visit www.flhsmv.gov, follow us on Twitter @FLHSMV or find us on Facebook. For safe driving tips and techniques, download the official Florida Driver License Handbook.

The “suspicious activity” scam

You get an e-mail, apparently from one of your financial services providers, stating that there has been some suspicious activity on your account, so click on this link for details. In reality, the mail is phony, its From address is spoofed, and the link leads to a site designed to trick you into divulging your login credentials (phishing) or to install malicious software on your computer (drive-by download). If you receive such an e-mail, do not click on any links in it. Instead, if in doubt about your account, visit your financial service's web site via a trusted bookmark and check your account there.

Here is an example of one I recently got. Notice that the link leads to a site in Moscow, according to the useful site ip2location.com.

Suspicious Activity

The “robbed-on-vacation” scam

You get an e-mail, ostensibly from a friend, stating that he or she took an unplanned vacation and was robbed, so please send money. Most likely, your friend is safe at home, and either his e-mail account was hacked or his address was spoofed. You may notice a “Reply-to” line in the header so that your reply goes not to your friend but to the hacker who has created a similar, but subtly different address. If you reply and send money, you will never see your money again. Instead, you should call your friend on the phone and discuss the situation.

The shared file scam

You get an e-mail, ostensibly from a reputable file-sharing service, for example Dropbox or Google docs, stating that someone has used their service to share a file with you, so click here to view. You click on the link. Gotcha! It may lead to a phony look-alike page on the hacker's server which collects your log-in credentials. Some examples:


Google docs
The shared file scam

Several red flags should warn you:

  1. The e-mail probably did not really come from Dropbox or Google docs, but from the hacker. The address on the message's “From:” line was spoofed.
  2. You probably do not know the person who allegedly sent it to you. It may say something vague like “a friend” or “your financial institution.”
  3. The link does not lead to the file sharing service, but someplace else. (See “Where does a link really lead?” above.)
  4. Although “view” sounds innocuous enough, you really have no idea what you are getting. It could be a malicious executable file to take over your computer.

Read more from Sophos Naked Security

The credit card concern scam

You get an e-mail, ostensibly from the issuer of one of your credit cards, advising you of a security concern with your card, offering a link to resolve the concern, and warning that if you don't act then your card will be declined. But really there is no problem with your card, the e-mail comes from a hacker, and the link leads to a phony site which will either ask for personal details (for the crime of identity theft) or install malicious software onto your computer.

Phony Amex

Notice these clues that the message was phony:

  • It begins “Dear Customer.” Your credit card company knows and will use your name.
  • It refers to “your account.” A legitimate message would tell you which account, e.g. by giving the last four digits of your account number.
  • The link which looks like http://americanexpress.com does not really lead there. See “Where does a link really lead?” above.

The customer reward scam

You get an e-mail, ostensibly from a business of which you are a customer, thanking you for your loyalty and offering a gift card as a reward. Simply click this link to “activate” your reward. Beware!

As likely as not, the real sender of the e-mail has nothing to do with the business they claim to represent (remember, the “From:” address may be spoofed), and the link only leads to misery for you: either it will install malicious software or trick you in to completing a “survey” or otherwise divulging personal information. See “Where does a link really lead?” above.

The phony insurance cards scam

USAA is a reputable insurance company, which e-mails its policyholders their insurance ID cards in PDF format. Nothing wrong with that, no scam there. But scammers have taken the opportunity to forge realistic-looking e-mail messages (see below) which closely mimic USAA's e-mail message, with a few exceptions:
  1. The genuine one is sent to just you; the phony one is sent to a long list of e-mail addresses.
  2. The genuine one addresses you by name, the phony one begins “Dear Driver.”
  3. The genuine one shows your name and the last four digits of your USAA number in the “USAA SECURITY ZONE” in the top-right corner; the phony one shows no name and a random 4 digits.
  4. The genuine one specifies which vehicle USAA insures for you; the phony one does not.
  5. The genuine one carries a PDF file attachment; the phony one carries a ZIP archive containing a malicious executable .SCR file.

Phony USAA

The Phony “Tech Support” Scam

You get a phone call or e-mail stating that they have discovered a problem with your computer and offering to fix it if only you'll allow them remote access to it. They may or may not ask for your credit card number to charge their “support fees.”

A telephone caller may claim to be from Microsoft, which is a good reason to not believe him—Microsoft does not make phone calls! He may invite you to follow a procedure and discover a number among the system files of your computer, which he says “proves” your computer is infected, when in truth every computer has that number.

Or maybe a realistic looking pop-up tells you that you have an infection, and offers a “help” button to learn more and fix it. It may ask you to call a phone number, where a friendly-sounding agent will ask for your credit card number and/or password to allow him remote access to your computer. Likely the pop-up is phony, and the “help” button leads to more misery. Your only concern should be, where did that pop-up come from, and how did it get onto my screen?

In an extreme case, you stumble on a web advertisement which contains code to lock up your browser (apparently your whole computer). Pretending to be ransomware, it displays a demand for payment to unlock it. If the recipient of such an ad would either kill their browser from Task Manager or restart their computer, everything would be fine, but some victims don't know what to do and pay the ransom.

Speaking of malicious ads containing code which locks up your browser, if you encounter such an ad and get rid of it by closing your browser, you certainly don't want to go right back there when you later re-open it. Therefore you should configure your browser's settings to always start up with either a blank page or a page you trust (e.g. google.com), never to automatically return to the last page you visited before you closed it.

Special note to users of Microsoft Edge, which is notorious for always automatically reopening previous tabs, and therefore returning automatically to such malicious ads. Several users have suggested this procedure:

  1. Close your Edge browser, if you haven't already.
  2. Disconnect your computer from the Internet (unplug Ethernet cable or turn off WiFi radio)
  3. Re-open the Edge browser.
  4. Clear all of your browsing history, and then close Edge.
  5. Connect the Internet back up and open Edge again.

Be very careful to whom you give remote control over your computer. Not everyone who claims to be “support” is on your side! Remember that once you give someone remote access to your computer, they may install software giving them permanent control over it. Effectively, they now “own” your computer, even though you house it and feed it electricity.

Here is an example: I was reading a blog page recommended by a dear friend, when my session was interrupted by the advertisement copied below, accompanied by an annoying beep-beep-beep from my speaker. Based on my experience with such matters, this was obviously a phony warning message designed to trick me into either calling the so-called “Help Desk” at the number shown or entering my User Name and Password (I am not sure which ones they wanted, but I was not about to divulge any of them). So I simply closed my browser and re-opened it. No problem. However, my concern is that someone of less technical savvy might be tricked into calling the number (and thus talked into giving them a credit card number for unnecessary "support.") Apparently the author of the blog sells ad space to an agency, which rotates the ads it displays. Even the ad agency may be unaware that one of their customers is posting such misleading and malicious ads.

[Screen shot of the phony “Microsoft Firefox Critical Error” warning]

In one variation, a shady web site pops up a window that looks like a system notification, stating that your computer is infected by a virus: “Click here to download the software that will cure it.” The only problem is, the pop-up is phony and the software in fact takes over your computer for malicious purposes.

In another variation, an anonymous telephone caller says he's with “The IT Department” or a major software company, and with a routine scan has identified malicious software on your computer. If you'll only permit him remote access to your computer, he will remove it for you. You'd be a fool to grant any stranger even temporary remote access to your computer; if you did, you'd find that he installs software that gives him permanent control over it.

[Screen shot of a phony OS X virus warning]

One common way hackers take control is by popping up a notice telling you that you have a virus and to call a certain number for help in removing it. Just close the window and don't call the number. If you do call:

  1. If you give them your credit card number, then they will fraudulently charge your card. Your bank will have to cancel the card to get them to stop.
  2. If you give them remote access to your computer, then they will install malicious software to give them permanent control.
Do not call that number! What you should do instead is determine how and why that notice popped up in the first place. If it is a web browser window, it is probably an “advertisement” embedded from a dubious site you were browsing; just closing the window should solve it. Conversely, if it came from anywhere else, you should scan your system for malicious software.

In another variation, you're surfing the web and a window pops up telling you of a serious malfunction and instructing you to call a specific number for technical support. The helpful technician tells you that to fix your computer he will need you to give him remote access. Trouble is, the window was phony and the technician is a hacker who installs software to give him full control of your computer. After that, he owns your computer and all your personal data.

The information about your operating system and browser is routinely made available by web browsers for web servers to use; all this page did was parrot it back as part of the phony warning message. What is especially funny in this case is that the operating system is OS X (by Apple) and the browser is Chrome (by Google) and yet the message says to call Microsoft technicians! That alone should be a dead giveaway that the message is phony.

For more information on Phony “Tech Support” Scams see

The Dual-Extension Trick (Phony cell-phone pictures)

You get an e-mail apparently from a username at vzwpix looking like a ten-digit phone number (spoofed, of course), which suggests pictures from a cell phone. The attachment is not a JPG image but a ZIP file containing a file named 8400587498Img_Picture.jpeg.exe. Luckily you have changed your Windows settings so as not to hide known extensions, so you recognize the executable file and don't open it. Whew!
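Because Windows runs a file according to its last extension only, a name like 8400587498Img_Picture.jpeg.exe is an executable with an image decoy in front of it. The following Python is an added example, not code from the article: it lists the members of a ZIP attachment without extracting anything and flags names whose real extension is executable, whether or not a decoy extension precedes it. The sample ZIP is constructed in memory to match the lure described above; the extension tables are my own assumptions about what to treat as executable and as decoy.

```python
import io
import os
import zipfile

# Extensions Windows executes (or hands to a script host) on a double-click.
# Assumed list for this example; extend it to suit your environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk",
}

# Extensions a victim expects to be harmless data; the dual-extension trick
# borrows one of these as a decoy just before the real extension.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def classify_filename(name):
    """Return 'executable', 'disguised-executable', or 'data' for a file name.

    Only the last extension decides how Windows runs the file; everything
    before it is just part of the base name, which is exactly what the
    dual-extension trick relies on.
    """
    base = os.path.basename(name.replace("\\", "/"))
    stem, last = os.path.splitext(base)
    last = last.lower()
    if last not in EXECUTABLE_EXTENSIONS:
        return "data"
    # Look at the extension just before the real one.
    _, decoy = os.path.splitext(stem)
    if decoy.lower() in DECOY_EXTENSIONS:
        return "disguised-executable"
    return "executable"


def suspicious_members(zip_bytes):
    """List (member name, verdict) for every ZIP member that is not plain data.

    Reading the central directory does not extract or run anything.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_filename(info.filename)
            if verdict != "data":
                findings.append((info.filename, verdict))
    return findings


def build_sample_attachment():
    """Constructed sample: a ZIP shaped like the vzwpix lure described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("8400587498Img_Picture.jpeg.exe", b"MZ... not really an image ...")
        zf.writestr("README.txt", b"Open the picture!")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in suspicious_members(build_sample_attachment()):
        print(f"{name}: {verdict}")
```

The same classifier applies to a file offered for download by a web page (firefox-patch.js, for instance, is flagged as executable because .js is in the table), so the check is worth running before opening anything that arrived unexpectedly.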

The ACH Transfer Form

You get an e-mail, ostensibly from a well-known bank, reading:

Please fill out and return the attached ACH form along with a copy of a voided check.
There are two red flags in that one! First, I only give ACH transfer forms and voided checks to businesses I trust, in conjunction with a transaction I have initiated. And second, the attachment is a ZIP archive containing an executable file, which most certainly installs malicious software on the computer of anyone who runs it.

The Phony Friend/Link Request

You receive an e-mail, ostensibly from a social networking site of which you are a member (e.g. Facebook, LinkedIn) saying so-and-so wants to be your friend, so click here to accept the link. As soon as you click on the link, your computer is compromised. Or maybe it takes you to a phony login screen (see below). Problem is, the e-mail was a forgery (spoof) which didn't really originate from the service it seemed to, and the link didn't lead to that service but to a hacker's site (which may closely resemble its legitimate counterpart).

Next time, you won't believe the “From:” address on the e-mail (see “Ways to tell a phony e-mail” above) and you will check where the link leads before clicking it (see “Where does a link really lead?” above).

The phony login screen

This scam has been around since the 1960s, but people are still falling for it. You see a log-in screen which looks just like the log-in screen of your e-mail system, social network, bank or other account, so obligingly you enter your username and password. You don't know it, but you have unwittingly given a hacker full control over your account. Next time, you'll be more cautious:

  • Look in your browser's Address bar and make sure the page onto which you're typing really belongs to the service to which you intend to log in.
  • Be especially cautious if a log-in screen pops up at unexpected times. For example if you're already logged into your social networking site or reading your e-mail and you click on a link in a post or e-mail message, and a new log-in screen pops up, it is probably phony. Maybe you shouldn't have clicked on that link in the first place.
See: New, highly effective phishing technique targeting Gmail users, WFLA News Channel 8, Tuesday, January 17, 2017
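Looking at the address bar is the right instinct, but phony log-in pages are built so that the service's name appears somewhere in the address without the page actually being on the service's domain. The following Python is an added example, not code from the article: it checks whether a log-in page's address really belongs to a given service and names the trick when it does not. The sample addresses are constructed look-alikes (account-check.example is a placeholder, not a real site).

```python
from urllib.parse import urlsplit


def check_login_url(url, service_domain):
    """Return (ok, reason) saying whether a log-in page really belongs to service_domain.

    The page belongs to the service only if its host is service_domain itself
    or a subdomain of it. Everything else that merely contains the service's
    name (in another site's host name, in the path, or in the user-info before
    an '@') is a look-alike.
    """
    parts = urlsplit(url)
    service_domain = service_domain.lower().strip(".")
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        return False, "not https: anything typed here travels in the clear"
    if parts.username is not None and service_domain in parts.username.lower():
        return False, f"service name appears before '@' (user-info); the real host is {host}"
    if host == service_domain or host.endswith("." + service_domain):
        return True, f"host {host} belongs to {service_domain}"
    if service_domain in host:
        return False, f"{service_domain} appears inside {host} but is not its registered domain"
    if service_domain in parts.path.lower():
        return False, f"service name is only in the path; the real host is {host}"
    return False, f"host {host} is not {service_domain}"


if __name__ == "__main__":
    # Constructed sample addresses: one genuine form and several look-alikes.
    samples = [
        "https://www.facebook.com/login.php",
        "https://facebook.com.account-check.example/login",
        "https://account-check.example/facebook.com/login",
        "https://facebook.com@account-check.example/",
        "http://www.facebook.com/login.php",
        "https://notfacebook.com/login",
    ]
    for url in samples:
        ok, reason = check_login_url(url, "facebook.com")
        print("OK  " if ok else "BAD ", url, "->", reason)
```

The user-info case deserves special attention: in http://facebook.com@account-check.example/ everything before the '@' is ignored by the browser, so the page is served by account-check.example no matter how convincing the first half looks.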

Breaking News

You receive an e-mail, ostensibly from a reputable news source like CNN, BBC, or MSNBC, stating that someone has shared a news item with you. The headline sounds amazing, so you click on the link to learn more. The link infects your computer with malicious software and your computer now belongs to the hacker.

The Fax (or Scan)

You receive an e-mail telling you that you have received a fax (or a scan) and it is attached. The “From” address is forged to be something familiar so it slips past your spam filter. However, the attachment is not really a fax or document image but an executable file, so as soon as you open it, your computer belongs to the hacker.

Or maybe you get an e-mail from someone you don't know with subject “Scan from a Hewlett-Packard ScanJet” and are tempted to open the attachment. After all, what could be wrong with a scanned image? Gotcha! Problem is, it's not a scanned image, but a link to install malicious software on your computer.

“Someone who cares has sent you a greeting card”

You get an e-mail saying “someone who cares” or “a family member” has sent you a greeting card, so “click here to open it.” Eager to find out who sent it to you, you click on the link or open the attachment. Gotcha! You've been zapped.

Legitimate e-card services will tell you the name of the friend or relative who sent you the card. Even so, before opening it, verify that the link actually leads to a greeting card service you recognize and trust. Depending on your e-mail client, you can usually do this by hovering your mouse over the link while watching the status line. If in doubt, contact the friend and ask if they really sent you a card.

The “You Sent a Payment” scam

You get an e-mail, ostensibly from PayPal or a credit card company, “confirming” that you sent a payment which you know you didn't send. Just click on this link for details, the message says. Gotcha!

The “Air Fare Sale” trick

You get an e-mail ostensibly announcing very low prices on plane tickets (maybe even free) from a major airline. Just click here for details. However, the e-mail comes not from an airline but from a scammer. Gotcha! Remember: if a deal seems too good to be true, it probably is.

“Your bill is now available”

You get an e-mail appearing to be from a popular vendor or financial institution (e.g. Amazon.com, Verizon Wireless, PayPal, CitiBank) which looks just like a routine notification that your bill is available on-line. Only a few clues suggest that the mail is phony: it does not include your real name (e.g. it begins “Dear Customer” or “Dear Cardholder”), or the balance due is way in excess of what you expect. It includes a link, “View your detailed bill.” Eager to find out the problem, you click on that link. Gotcha! The link installs malicious software. You learn your lesson: next time you'll hover your mouse over that link and look at your status line to see where it really leads before clicking on it. If in doubt, you'll go directly to your vendor's web site via a bookmark you trust, to view your account.

The “software update” trick

You get an e-mail purporting to be from a known software publisher like Microsoft or Adobe, claiming that your software is out of date and needs to be updated, so click here to install the update. Only problem is, the e-mail didn't really come from that publisher, and the link installs malicious software. Gotcha!

In one nasty but all too typical example, an e-mail began circulating in November 2019 with a subject line like “Install Latest Microsoft Windows Update now!” or “Critical Microsoft Windows Update!” This alone should arouse suspicion because Microsoft never distributes updates through e-mail. The attachment uses a phony .jpg extension to disguise its executable file as an image. For more about this one, see “Don't download this Windows 10 update – it's packed with ransomware” by Anthony Spadafora, Tech Radar, November 19, 2019

In a variation, you visit a dubious web site offering exciting videos (e.g. late-breaking news or erotic videos), but in the box where you expect a video, you see a notice stating you need an updated video player, so click here to install it. Gotcha!
[Screen shots of phony Flash and media player advertisements]
Example phony media player advertisements: Beware!

Remember two important rules:

  • Legitimate software publishers do not send updates by e-mail.
  • Links on untrusted web pages are not trustworthy.

Many applications can be configured to automatically update themselves by connecting directly to their publisher's legitimate server; this is the preferred way to keep your software up to date. And if you do need an update that didn't get installed this way, please directly visit the publisher's web site by going to a known, trusted address, rather than by a link in an unsolicited e-mail or dubious web page.

The “notification pending” trick

An e-mail pretends to come from Facebook, LinkedIn, or another popular social-networking site. The “From:” address is forged (spoofed) accordingly, and the body exhibits a phony but convincing replica of that service's graphics and tells you that you have a notification, friend request, or other message pending on their system, so click here to get it. Gotcha!

The wise user, upon receiving such an e-mail, will not click on the link in the e-mail without first checking where it really leads. (In some e-mail programs, you can hover your mouse over the link and read the status bar.) Better yet, just delete the e-mail and then log into your networking site in the usual way to see what messages may await you there.

Emil Protalinski of ZDNet gives details of one version of this trick in his article Virus warning: Someone tagged or added a photo of you on Facebook.

Your craigslist ad has been posted

You get an e-mail, ostensibly from craigslist, confirming that your advertisement has been posted. Only problem is, the ad isn't yours, and the item advertised isn't one you're selling. So you click on the link provided to view the ad in full. Gotcha! The “From:” line was a forgery (spoof), and even though the visible text shows a craigslist address, the hidden hyperlink leads somewhere else. You need to learn to hover your mouse over a hyperlink to see where it really leads before you click on it.
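Hovering over a link is the manual version of a check that can be automated: compare the site named in the visible link text with the site the hidden hyperlink actually goes to. The following Python is an added example, not code from the article: it extracts every link from an HTML e-mail body, flags links whose text names one site while the href points at another (the craigslist case above), and separately reports one href reused under several different link texts (the FedEx case below, where “Click here,” “View messages” and “Unsubscribe” all led to the same place). The two e-mail bodies are constructed samples; ads-verify.example and track-update.example are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name inside the visible link text.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def root_domain(host):
    """Crude registrable-domain guess: the last two labels.

    Assumption for this example; a public-suffix list would handle co.uk etc.
    """
    return ".".join(host.lower().split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def deceptive_links(html):
    """Links whose visible text names one site while the href goes to another."""
    findings = []
    for href, text in collect_links(html):
        shown = HOSTLIKE.search(text)
        if not shown:
            continue  # text like "View messages" names no site; only hovering reveals it
        real_host = urlsplit(href).hostname or ""
        if root_domain(shown.group(0)) != root_domain(real_host):
            findings.append((text, href))
    return findings


def links_sharing_one_target(html):
    """hrefs reused under several different link texts, e.g. "Click here" and "Unsubscribe"."""
    texts_by_href = {}
    for href, text in collect_links(html):
        texts = texts_by_href.setdefault(href, [])
        if text not in texts:
            texts.append(text)
    return [(href, texts) for href, texts in texts_by_href.items() if len(texts) > 1]


# Constructed samples modelled on the two lures described in the article.
CRAIGSLIST_LURE = """<p>Your ad has been posted.</p>
<a href="http://ads-verify.example/view?id=12345">http://post.craigslist.org/manage/12345</a><br>
<a href="https://www.craigslist.org/about/help">Help</a>
<a href="https://post.craigslist.org/k/abc">www.craigslist.org</a>"""

PARCEL_LURE = """<p>We've got a new message for you.</p>
<a href="http://track-update.example/go">Click here</a>
<a href="http://track-update.example/go">View messages</a>
<a href="http://track-update.example/go">Unsubscribe</a>"""

if __name__ == "__main__":
    print("text/href mismatches:", deceptive_links(CRAIGSLIST_LURE))
    print("shared targets:", links_sharing_one_target(PARCEL_LURE))
```

A link whose text is a plain phrase cannot be judged this way, which is why the article's advice to hover and read the status line still applies to every link.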

The “order confirmation” trick

You receive an “order confirmation” e-mail ostensibly from a known retailer (e.g. Amazon.com) or a known credit card (e.g. MasterCard) confirming a purchase you allegedly made. You know you didn't make the purchase, so you click on a link to view the details. Gotcha!

If you suspect that something you didn't order was charged to you, you should go directly to your credit card company by telephone or by the link you trust and usually use—not the link in the e-mail. If you can't corroborate the e-mail, that confirms that it was phony.

The parcel delivery problem

You receive an e-mail message telling you that a parcel you shipped could not be delivered, and please click here (or open the attachment) for details. Gotcha!

The giveaways are that you didn't ship a package recently, the e-mail comes from a shipping agency you don't patronize or that doesn't exist (e.g. United States Parcel Service or United Postal Service), and it is very vague except for the insistence that you open the attachment or click on the link. Besides, how would they know your e-mail address, anyway?

Here's another one: I got this e-mail on Wednesday, September 4, 2019. It almost looks genuine, except the “From:” address had nothing to do with FedEx, and the three links “Click here,” “View messages” and “Unsubscribe” were all the same and had nothing to do with FedEx either. Of course I didn't click on them to see where they led; they might install malicious software on my computer or prompt me to divulge personal information:

[Screen shot of the phony FedEx e-mail, headed “We've got a new message for you”]

The travel reservations trick

You get an e-mail ostensibly from an airline, hotel or travel agent saying that they have your reservations, just click here to see the details. You don't recall making any, so you click to investigate. Gotcha!

Unless the e-mail comes from an agent with whom you already made reservations and includes information which a stranger would not know (such as your full name, travel dates, itinerary, flight numbers, etc.) it's safest to just delete it.

“Is this you in this video?”

You get an e-mail message, apparently from a friend, asking “Is this you in this video?” You wonder what videos showing yourself might have been posted on-line, so you click the link. Gotcha!

In a variant of this scheme, the link takes you to a page pretending to be a video player unable to play the video unless you install a new video driver. Gotcha! Please see the “software update” trick above, and my page about executable files.

“I liked your profile ... here's mine”

This one preys on people having profiles on singles dating or social networking sites. You get an enticing e-mail flattering you on your profile and inviting you to click on a link to see their profile, or open an attachment to see their picture. Gotcha!

The dead giveaways are that the e-mail doesn't state which profile the writer saw or where he saw it, or what it was about it that he liked. It's vague enough to apply to anybody with a profile anywhere! Also, legitimate social networking services don't give out your e-mail address. If someone responds to your profile, their response will be forwarded by the service, not come directly from the correspondent. If, having read all this, you still feel compelled to reply, then you should ask which profile the person saw and, “Just what about my profile was it that you liked?” Only proceed if you get a credible response to this question.

Here is an obviously phony e-mail message, because it claims to have gotten my e-mail address from Facebook, and Facebook does not give out my e-mail address:
My name is Blessing. i got your email address while browsing today at www.facebook.com, can we be friends? i will like to know you more then. I will tell you more about myself with my picture as soon as i get your reply, I believe we can move from here! (Remember the distance,colour or age does not matter but love matters a lot in life)hoping to read from you, Miss Blessing.

The “job offer” (or opportunity) scam

You're looking for work, and you get an unsolicited e-mail purporting to offer you a job. Full details are in this link; click here. Gotcha!

To defend against this one, look carefully at the e-mail. Was it addressed to you by name (as a legitimate inquiry would be) or just by e-mail address? Did the writer say what it was about your résumé that interested him or her? Does the offer state the physical location of your new workplace? (If not, why not?) Your salary? (Legitimate employers save this for a printed job offer letter.) Does it urgently request immediate action (within minutes or hours)? If it seems to have come from a job-search site where you have a résumé listed, are you sure? Some spammers forge, or “spoof” the address of a well-known job site. As always, never click on a link unless you're sure where it leads. (See “Where does a link really lead?” above.)
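The questions in the last two sections (is it addressed to you by name? does the sender's address match the service it claims to be? does it press you to act within hours?) are the same ones raised by the “Your bill is now available” and “parcel delivery” tricks above, and they can be applied mechanically to a raw e-mail. The following Python is an added example, not code from the article: it parses a message with the standard email module and returns a list of red flags. The brand-to-domain table is the reader's own allow-list (the entries here are assumptions for the example), and both sample messages are constructed; notice-center.example and acme.example are placeholders.

```python
import email
import re
from email.utils import parseaddr

# Brands and the domains their genuine mail comes from. Assumed allow-list
# for this example; fill it in for the services you actually use.
BRAND_DOMAINS = {"paypal": "paypal.com", "acme": "acme.example"}

GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|cardholder|user|member|friend|sir|madam|account holder)\b",
    re.I,
)
URGENCY = re.compile(
    r"\b(immediately|right away|urgent(?:ly)?|within \d+ (?:minutes|hours)|suspended|terminated)\b",
    re.I,
)


def body_text(msg):
    """Return the first text/plain part of the message as a string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def red_flags(raw_message, recipient_name, brand_domains=BRAND_DOMAINS):
    """List the warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    flags = []

    # Does the display name or subject claim a brand the From: domain does not match?
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    claimed = (display_name + " " + msg.get("Subject", "")).lower()
    for brand, domain in brand_domains.items():
        if brand in claimed and from_domain != domain and not from_domain.endswith("." + domain):
            flags.append(f"claims to be {brand} but the From: address is at {from_domain or '(none)'}")

    body = body_text(msg)
    first_line = next((line for line in body.splitlines() if line.strip()), "")
    if GENERIC_GREETING.match(first_line):
        flags.append(f"generic greeting: {first_line.strip()!r}")
    if recipient_name.lower() not in body.lower():
        flags.append("does not address you by name")
    pressure = URGENCY.search(body)
    if pressure:
        flags.append(f"pressure to act: {pressure.group(0)!r}")
    return flags


# Constructed sample messages: a "you sent a payment" lure and an ordinary reply.
PHONY = """From: PayPal Service <billing@notice-center.example>
To: jane@example.org
Subject: You sent a payment of $489.00

Dear Customer,

You sent a payment of $489.00 to an online merchant. If you did not
authorize this, click here within 24 hours to cancel it.
"""

LEGIT = """From: Acme Careers <jobs@acme.example>
To: jane@example.org
Subject: Your application for Senior Engineer

Dear Jane Doe,

Thank you for applying. We would like to schedule an interview at our
Springfield office; please reply with your availability next week.
"""

if __name__ == "__main__":
    for label, raw in (("phony", PHONY), ("legit", LEGIT)):
        print(label, red_flags(raw, "Jane Doe"))
```

None of these flags proves anything by itself, but a message that trips several of them deserves exactly the treatment the article recommends: delete it and go to the service by an address you already trust.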

The erotic photo trick

An unsolicited e-mail carries an attachment or link with a cover letter claiming it's an erotic photo. For example, here's one I actually got:

Hey. I am attaching a pic of my big boobs. Enjoy my love!
Fortunately, my virus scanner deleted the attachment. Yours may or may not. Here's a news story about a similar trick.

“Your e-mail account will be terminated”

This one threatens to cancel the recipient's e-mail account unless certain very personal details are divulged by return e-mail. Of course the e-mail doesn't really come from your service provider (who would already have this information), and your response allows the scammer to steal your identity. Here's one example:

We are currently upgrading our database and as such terminating all
unused accounts to reduce congestion on the network. To prevent
your account from being terminated, you will have to update it by
providing the information requested below:


Email : ......................  Password : ..................  Date
Of Birth : ..............


NOTE: Your data and information will not be interfered with or
tampered we will just record your data back into our data base and
send you an email and after 24hours. Warning!!! Account owners
that refuses to update their account may lose such an account

Message Code: NXDT-4AJ-ACC Thank you, Mail Support Team.

Upgrade on your Webmail Account.
Delete this junk mail. If you still suspect something wrong with your e-mail account, contact your service provider by a trusted means.

The E-mail Update Trick

You get an e-mail telling you that your e-mail account will be suspended unless you install some updates right away, and conveniently the e-mail includes a link to install them. Only problem is, the sender of the message has nothing to do with your e-mail account, and the link actually installs malicious software (malware).

[Screen shot of the phony “Email Suspension” message]

In the above example, an astute reader might ask why someone at Chung Chang University in Taiwan would be suspending anyone's Yahoo Mail account. An even more astute reader might suspect that the “From:” address might be spoofed and it didn't really come from Chung Chang University.

The wisest response is to ignore or delete this message, and if you are still concerned, check with your e-mail provider by their known and trusted address to see whether updates are really needed.

The “Credit Card Overdue” trick

You get an e-mail claiming that your credit card payment is overdue, but the late fee will be waived if you open the attachment right away, or complete and submit this form. Catch is, the e-mail didn't come from your bank, the attachment installs malicious software on your computer, and the form doesn't go to your bank but sends your personal information to the con artist who sent it to you. Gotcha!

What to do instead: Delete the junk mail. If you really suspect something is amiss with your credit card, log in to the bank's web site via a link you trust and check your account activity there.

The “Better Business Bureau” trick

You get an e-mail purporting to be from the Better Business Bureau reporting a complaint against you. Details are in the attachment. However, the e-mail is phony and the attachment (or link) leads to malicious software. Gotcha!

The Wedding Invitation

You get an e-mail inviting you to a wedding, except it doesn't name the bride and groom, state the location or give any other important details, which are supposedly on the linked page. If you click for details, your computer belongs to the hacker.

You are Cordially Invited to Celebrate
the Our Wedding
On Tuesday March the 29 at Four O'clock
Followed by a Reception

This example was received in 2013, a year in which March 29 was not a Tuesday. Notice also the bad grammar, “the Our”.

The Lottery

You get an e-mail stating that you've won a lottery, click for details. If you do, maybe you download malware, or maybe you're asked to pay a “processing fee” to claim your winnings.

Questions to ask: Did I buy a ticket in that lottery? Did I give my e-mail address when I did? Does the e-mail make reference to that purchase? Unless all three answers are yes, the e-mail is either a malware scam or a financial scam.

The downloader

A web site offers a free download of a popular music album, movie, or other software, but to get it you must first download and install an executable download utility (in .exe format). Be very careful! Reputable distributors (like Amazon.com) may provide an innocuous downloader (like Amazon's MP3 Downloader), but other, unscrupulous distributors may include malicious code in their downloader, so that while your music is downloading, so is their ability to take over control of your computer. Remember, opening any executable file gives total control of your computer to its distant and unknown author, so you should only use executable files obtained directly from publishers you know and trust.

The phony self-extracting archive

An archive file is a big file containing lots of little files. For example, a music album might be stored as a single archive containing a separate file for each song or track. Popular archive formats include ZIP and RAR. Normally, an archive file needs an application program to unpack it (extract the individual files it contains), e.g. WinZIP or WinRAR.

For the convenience of people who might receive an archive file, publishers of archive software offer an option to create a self-extracting archive file, which is an executable file (.EXE) comprising an archive file plus extraction software in a single file. So far, all that is legitimate.

Unfortunately, hackers have seized on the opportunity to distribute malicious executable files disguised as self-extracting archives, to trick their recipients into installing their malicious software. Remember, any time you run any executable file, you give its author full control over your computer system.

Therefore, when obtaining archive files, it is strongly recommended that you choose the regular archive format over its self-extracting, executable counterpart. Even if you get the executable format, you still should be able to open it with your trusted archive application without actually executing it. If you can't, do not open it (execute it) directly.
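A genuine self-extracting archive is an ordinary ZIP with an extractor program placed in front of it, and the ZIP's central directory at the end is what lets any archive tool read it without running the stub. The following Python is an added example, not code from the article: it inspects a file that claims to be a self-extracting archive purely as data, lists what it would unpack, and reports when no archive is present at all, which is the case the article says should stop you from running it. Both input files are constructed in memory; the “extractor stub” is a stand-in, not a real program.

```python
import io
import zipfile


def inspect_without_running(blob):
    """Describe an .exe that claims to be a self-extracting archive, without executing it.

    zipfile locates the central directory from the end of the file and
    compensates for data prepended to the ZIP, so a real self-extracting
    archive is readable as a plain archive. A file with no ZIP structure
    is just a program whose "self-extracting" claim cannot be verified.
    """
    f = io.BytesIO(blob)
    if not zipfile.is_zipfile(f):
        return {"is_archive": False, "members": []}
    f.seek(0)
    with zipfile.ZipFile(f) as zf:
        members = [(info.filename, info.file_size) for info in zf.infolist()]
    return {"is_archive": True, "members": members}


def build_sample_sfx():
    """Constructed: a fake extractor stub followed by a real ZIP, the SFX layout."""
    stub = b"MZ" + b"\x00" * 62 + b"this stands in for the extractor program\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/track01.mp3", b"\xff\xfb" + b"\x00" * 16)
        zf.writestr("album/track02.mp3", b"\xff\xfb" + b"\x00" * 16)
    return stub + buf.getvalue()


def build_sample_impostor():
    """Constructed: a bare program with no archive inside, despite an .exe name."""
    return b"MZ" + b"\x00" * 62 + b"no archive here, only code"


if __name__ == "__main__":
    for label, blob in (("genuine-looking sfx", build_sample_sfx()),
                        ("impostor", build_sample_impostor())):
        print(label, inspect_without_running(blob))
```

Listing the members this way is the programmatic form of “open it with your trusted archive application without actually executing it”; if the listing is empty or the file is not an archive, the executable has nothing to offer but itself.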


I'm not sure whether this topic belongs on this page, since whether or not it is about truly malicious software is open to argument. But I get angry enough about sneakware that I feel like I have to warn people somewhere.

By definition, sneakware is unwanted software which tags along for the ride when installing something you want. In that sense it is a kind of Trojan horse, although the latter term is usually applied to truly malicious software (malware).

Sneakware comprises commercial applications which are not truly malicious, because some users deliberately and voluntarily choose to install them. However, because their publishers stand to gain by getting as many users as possible, they pay the publishers of unrelated software to bundle their installers together, so that when a consumer installs a desired piece of software, the sneakware gets installed too.


When installing any software, particularly that which is distributed free or at very low cost, pay careful attention to the questions it asks when being installed. In the installer, don't be afraid to always choose the “advanced” installation over the “standard” one. Do not just click OK, OK, OK all the way through on each screen. Instead, read carefully the options presented (especially the pre-checked ones) and ask yourself whether they truly represent your wishes. If you don't understand them, ask a more computer-literate friend to explain them. Some of the options to be careful about are:
  • “Make [this software] the default application to open everything it can.” This replaces the associations you have already made between file types and your favorite applications for opening them. If you're like me, you probably already have a preferred way of opening the files on your system, and you may not want this newcomer to replace it.
  • “Also install the ________ browser.” Unless you're installing a browser (software to display web pages) today, why would you want to accept such an offer?
  • “Make ________ your default browser.”
  • “Make ________ your default search engine.”
  • “Install the ________ toolbar.”

The phony Intel® Driver Update Utility

You need a software driver for an old piece of hardware, so you enter a description into Google and you find an advertisement for the “Intel® Driver Update Utility” featuring this screen shot:

[Phony screen shot shown in the advertisement]

If you accept the bait and download this software, you have just turned over full control of your computer to the hackers. Sometimes, the hackers even charge you money for the privilege! The problem is, you didn't get it directly from Intel!

The genuine software

The genuine Intel® Driver Update Utility is available free of charge directly from Intel. To be sure, verify that the URL begins:


As of this writing (December 2015) the screen of the genuine utility looks like this. Notice any difference?

[Screen shot of the genuine Intel® Driver Update Utility]

Of course, any hacker could clone any screen shot for his ad, just as easily as I did for this article. So you should not rely on screen shots to determine software authenticity. Instead the rule is:

Only download software directly from a publisher you know and trust.

The “Fun Content” Trick

By now, I shouldn't have to state the obvious danger in this advertisement:
[Screen shot of the advertisement]
Dangerous advertisement: Beware!

The phony browser update

Note: While this example cites Firefox, scams of this sort can affect users of any browser. It is easy for code on a web site to determine which browser the visitor is using, and configure a custom message for that visitor.
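The browser and operating system named in these phony warnings (the OS X/Chrome case earlier, the Firefox case here) are not discovered by any “scan”; they are read from the User-Agent header the browser sends with every request. The following Python is an added example, not code from the article: it parses a User-Agent string into an operating system and browser, which is all a scam page needs to tailor its message, and then applies the article's own giveaway test, whether the vendor the warning tells you to call has anything to do with either of them. The sample User-Agent strings are constructed and the pattern tables are my own simplification.

```python
import re

# Constructed sample User-Agent strings.
MAC_CHROME = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36")
WIN_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"
ANDROID_CHROME = ("Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36")

# Order matters in both tables: Android strings also contain "Linux", and
# Chrome and Edge strings also contain "Safari". Simplified for the example.
OS_PATTERNS = [
    (r"Windows NT 10\.0", "Windows 10/11"),
    (r"Windows NT 6\.1", "Windows 7"),
    (r"Windows", "Windows"),
    (r"Android", "Android"),
    (r"iPhone|iPad", "iOS"),
    (r"Mac OS X", "OS X"),
    (r"Linux", "Linux"),
]
BROWSER_PATTERNS = [
    (r"Edge?/", "Edge"),
    (r"OPR/|Opera", "Opera"),
    (r"Firefox/", "Firefox"),
    (r"Chrome/", "Chrome"),
    (r"Safari/", "Safari"),
    (r"MSIE|Trident/", "Internet Explorer"),
]
OS_VENDOR = {"Windows 10/11": "Microsoft", "Windows 7": "Microsoft", "Windows": "Microsoft",
             "OS X": "Apple", "iOS": "Apple", "Android": "Google"}
BROWSER_VENDOR = {"Chrome": "Google", "Firefox": "Mozilla", "Edge": "Microsoft",
                  "Safari": "Apple", "Internet Explorer": "Microsoft", "Opera": "Opera"}


def describe_user_agent(ua):
    """Return (operating system, browser) read from a User-Agent header."""
    os_name = next((name for pat, name in OS_PATTERNS if re.search(pat, ua)), "unknown OS")
    browser = next((name for pat, name in BROWSER_PATTERNS if re.search(pat, ua)), "unknown browser")
    return os_name, browser


def vendor_mismatch(ua, claimed_vendor):
    """True when a warning names a vendor that makes neither the OS nor the browser.

    This is the giveaway the article points out: an OS X / Chrome visitor
    told to call Microsoft.
    """
    os_name, browser = describe_user_agent(ua)
    plausible = {OS_VENDOR.get(os_name), BROWSER_VENDOR.get(browser)} - {None}
    return claimed_vendor not in plausible


if __name__ == "__main__":
    for ua in (MAC_CHROME, WIN_FIREFOX, ANDROID_CHROME):
        os_name, browser = describe_user_agent(ua)
        print(f"{os_name} / {browser}; 'call Microsoft' plausible: {not vendor_mismatch(ua, 'Microsoft')}")
```

Nothing here required any access to the visitor's machine; the page only echoed a header the browser volunteered, which is why a warning that “knows” your browser proves nothing about the state of your computer.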

You are visiting a web site, when suddenly your browser screen is replaced by one like that shown below. What do you do?

[Screen shot of the phony “Urgent Firefox update” page]

If you accept the offered “upgrade,” you have compromised your computer. Remember my advice to install only software obtained directly from the publisher. Personally I have never heard of “baehobelmo.org” (see the address bar in the screen shot above), and I can be certain that this site is not part of the Mozilla organization which publishes Firefox. Also please notice the extension “.js” of the file being offered: firefox-patch.js designates an executable file (a script). Opening any executable file surrenders total control of your computer to its distant and unknown author.

What should you do instead? Just close your browser. No harm is done if you don't install the phony “upgrade.” Next, consider how you got to this page. Most likely, the page you were visiting before it appeared embedded some third-party advertising, and that advertising carried a browser redirect taking you to this phony site. If you can identify the ad containing the redirect, inform the webmaster of the page you were visiting that his embedded ad was malicious.

And you should always directly check your browser's publisher for updates. With Mozilla Firefox, that is very easy to do: Just pull down the “Help” menu and choose “About Firefox.” You will get a screen like this one:

[Screen shot of the “About Mozilla Firefox” dialog]

The words “Firefox is up to date” indicate that no update is needed. If a newer version were available, download instructions would appear here, or, depending on your setup, the newer version would automatically install.

The “missing font” scam

Surfing with the popular browser Google Chrome, you happen upon a web site that appears garbled, and a notification says “The web page you are trying to load is displayed incorrectly as it uses the ‘Hoefler Text’ font. To fix the error and display the text, you have to update the ‘Chrome Font Pack’.” So you obediently click the “Update” button, and install “Chrome Font v7.5.1.exe”. Bang! Your system is infected with malware. You violated my number-one rule: only install executable files obtained directly from publishers you trust.

For more reading

Index to all of Rich Pasco's articles on e-mail and viruses

Rich Pasco's home page

Copyright © 2010-2019 Richard C. Pasco. All rights reserved.