1. The email is pretty basic and does not have any company logos or branding. For example, there are no company logos, or the font is different from other real communications you have seen. Most companies have standards right down to the type of font they use.
2. The email is from a company you've never had an account with.
3. Email instructs you to click on the link embedded in the email.
4. The TO: email address is not your email address, or it says UNDISCLOSED RECIPIENTS.
5. The misspelling of words, especially in job titles.
6. Conflicting reasons why this highly important email was sent.
Also, here are some examples of the scam mails. You'll notice my commentary in green.
Halifax Bank Account Suspension notice scam
X-AOL-DATE: Mon, 27 Aug 2007 3:57:39 PM Eastern Daylight Time
Received: from rly-mf07.mail.aol.com (rly-mf07.mail.aol.com [172.20.29.177]) by air-mf06.mail.aol.com (v119.7) with ESMTP id MAILINMF061-97146d32c85285; Mon, 27 Aug 2007 15:57:38 -0400
Received: from terahost.de (terahost.de [184.108.40.206]) by rly-mf07.mail.aol.com (v119.7) with ESMTP id MAILRELAYINMF077-97146d32c85285; Mon, 27 Aug 2007 15:56:54 -0400
Received: (qmail 11540 invoked by uid 33); 27 Aug 2007 21:55:46 +0200
Date: 27 Aug 2007 21:55:46 +0200
Subject: Online Banking Suspended: Update Your Online Service
From: Halifax Bank
X-Mailer: Unknown (No Version)
You'll notice this email has logos in it; however, they are linked from the actual site as opposed to being embedded in the email. This means the scammer linked the logos instead of saving them to a hard drive for reference. This is because the referenced logos would identify which computer was used to embed them, so the scam just links to the logo instead.
Dear Valued HALIFAX Costumer:
Due to concerns, for the safety and integrity of the HALIFAX
account we have issued this warning message.
It has come to our attention that your Halifax account information needs to be
updated as part of our continuing
commitment to protect your account and to
reduce the instance of fraud on our website.
If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.
Once you have updated your account records your HALIFAX account
service will not be interrupted
and will continue as normal.
To update your HALIFAX records click on the following link:
If you right-click on the link and select Properties, you will see the real web page you are sent to. For this example, the web page is http://aefona.org////language/formslogin.htm
If you do not confirm your current IP address until August 25, 2007, your account will be SUSPENDED for security reasons and we will send you a new Access Code by post which you will need to reactivate your online banking service access. You will receive this within seven days if your current IP address is not confirmed.
James T. Hopkins
Online Security Advisor,
Halifax Bank PLC.
You will be required to login to you account. Please ensure that you do not do this in a public internet cafe.
Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your Halifax Bank PLC account and choose the "Help" link on any page.
© HALIFAX Bank PLC 2007. All Rights Reserved.
I don't have an account with Halifax bank and the link in the email goes to somewhere not even remotely associated with Halifax Bank. Next please.
AOL account email scam
X-AOL-DATE: Sat, 25 Aug 2007 6:15:21 AM Eastern Daylight Time
Received: from rly-xa01.mx.aol.com (rly-xa01.mail.aol.com [172.20.64.37]) by air-xa02.mail.aol.com (v119.7) with ESMTP id MAILINXA21-4746d001332eb; Sat, 25 Aug 2007 06:15:20 -0400
Received: from 220.127.116.11 (toroon12-1177864165.sdsl.bell.ca [18.104.22.168]) by rly-xa01.mx.aol.com (v119.7) with ESMTP id MAILRELAYINXA11-4746d001332eb; Sat, 25 Aug 2007 06:15:17 -0400
Received: from [22.214.171.124] by 126.96.36.199 with SMTP; Sat, 25 Aug 2007 05:09:18 -0600
From: "AOL SERVICE"
Reply-To: "AOL SERVICE"
Subject: AOL Service
Date: Sat, 25 Aug 2007 05:09:18 -0600
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
We found out that your AOL Billing information's records are out of date.
This requires an update of your billing information. Please take a several
minutes from your online experience and update your billing records. You
will not have any problems in future with our online services.
However, your refusal to update your records will be finished in your
Please update your records right now.
As you have updated your account records your AOL Sessions will not be interrupted.
Please click the link below to update your billing records:
America Online, Inc.
Okay, any correspondence I get from AOL in regards to me giving up account information has never asked me to click on a link in the email. Not only that, there's no logo and nothing that would indicate it is legit. The scammer didn't bother to try and hide the URL destination that well, but just for giggles, here's where the link really sends you: http://my.aol.com.id-39jgr9e83.frgfs.com:8080/aol.com/promocode.htm?84197HNIF4F43NF837NF4378NF3874GBDJKWENRU9132NFEJWOLBW1027GB1ASH0ET5N3JGKREBW73
The other thing: my AOL is free; I don't have any billing information to give them. Also, this is being sent to my AOL account, which is within the AOL email system, which means only the name AOL SERVICE would show up in the FROM: address, not "AOL SERVICE" email@example.com. NEXT!
Paypal Scam Email
X-AOL-DATE: Tue, 21 Aug 2007 4:42:23 PM Eastern Daylight Time
Received: from rly-db02.mx.aol.com (rly-db02.mail.aol.com [172.19.130.77]) by air-db02.mail.aol.com (v119.7) with ESMTP id MAILINDB024-aac46cb4e1d1c6; Tue, 21 Aug 2007 16:42:20 -0400
Received: from jocum.org.br (jocum.org.br [188.8.131.52]) by rly-db02.mx.aol.com (v119.7) with ESMTP id MAILRELAYINDB022-aac46cb4e1d1c6; Tue, 21 Aug 2007 16:42:05 -0400
Received: from User ([184.108.40.206])
by jocum.org.br (220.127.116.1160614/8.13.6) with ESMTP id l7LB1GU1075946;
Tue, 21 Aug 2007 11:01:17 GMT
Subject: Important Notification
Date: Tue, 21 Aug 2007 06:05:07 -0600
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Dear PayPal Customer,
This email is to inform you, that we had to block your PayPal Account access because we had to upgrade our servers in order to remove online fraud.
Our terms and conditions you agreed to state that your account must always be under your control or those you designate at all times. We have noticed some unusual activity related to our servers that indicates that other parties may have access and, or control of your informations in your account.
First it was server updates, now it's unusual activity on my account. Which is it? The least these scammers can do is decide which lame excuse to use.
Please follow this link to confirm your account access information :
Please be aware that until we can verify your identity no further access to your account will be allowed and we will have no other liability for your account or any transactions that may have occurred as a result of your failure to upgrade your account as instructed above.
Thank you for your time and consideration in this matter .
PayPal Account Departement.
Yes, the whole paypal account departEment is sincerely concerned about my account.
© Copyright 2007, PayPal. All Rights Reserved.
e-mail id : 1211ppl1
No company logo, asking the recipient to click on an embedded link which really goes to http://www.sru.ac.th/bud/file/bay/a.htm, and the whole email looks nothing like something you would get from PayPal. Hell, if you do get a real email from PayPal regarding your account, consider yourself part of the privileged; from what I understand, it's hard to get PayPal to contact you about anything that doesn't involve an auto-canned response.
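The TO: check from the list and the "where does the link really go" check from the examples above can be automated. This is an added Python example, not code from the original post; the message, the flag names and the `red_flags` helper are constructed for illustration, and it assumes the HTML part is not base64 or quoted-printable encoded.

```python
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_in_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def red_flags(raw, my_address, brand_domain):
    """Return the warning signs a raw message trips (flag names are made up here)."""
    msg, flags = message_from_string(raw), []
    # Sign 4: the To: header does not carry the recipient's own address.
    to = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if my_address.lower() not in to:
        flags.append("to-not-recipient")
    # Link check: resolve each href to its host (assumes an unencoded HTML part).
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload())
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower().rstrip(".")
        if not host_in_domain(host, brand_domain):
            # Brand name buried inside another domain vs. a plainly unrelated host.
            kind = "lookalike-host" if brand_domain in host else "off-brand-host"
            flags.append(f"{kind}:{host}")
    return flags

# Constructed sample: headers and link text invented; first two hrefs are quoted on this page.
SAMPLE = """\
To: undisclosed-recipients:;
Content-Type: text/html

<a href="http://my.aol.com.id-39jgr9e83.frgfs.com:8080/aol.com/promocode.htm">Update</a>
<a href="http://aefona.org////language/formslogin.htm">Log in</a>
<a href="https://help.aol.com/">Help</a>
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE, "me@example.com", "aol.com"))
```

The AOL link is flagged as a lookalike because `aol.com` appears only as a leading label of `frgfs.com`; comparing the end of the hostname, not a substring, is what separates it from a genuine `help.aol.com`.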
Until next time be safe.