Scams are not always obvious


I received an email with an attachment a couple of weeks ago. I am normally quite sceptical and virus/malware aware and hesitated at first but then clicked to open the attachment which was a word.doc. The word.doc didn't open properly and I didn't have any response to my email to the sender.

The word.doc contained malware which read my HMRC user id /passwords and sent them back to the sender.

The first I knew about it containing malware was a call from HMRC a couple of weeks later telling me that my Agent User ID had been used outside of normal office hours to change a client's correspondence address and to submit a fraudulent amendment to a 2014 TR on their behalf. Had the refund been paid this would have been transferred to the fraudster's bank. The change in address was to stop anyone realising until too late. Thankful that HMRC systems spotted it but I now have to treat every password within my network as having been compromised.

This is the second such mail I have received lately, I didn't open the first and now suspect that it was also malware. So beware!

This is the original email:

Hi there

I have just received a letter from HM Rev stating that I owe £3399.77. I have never been self employed. I started a role in a marketing company a few years ago and registered as self employed as I was all keen etc, but i was only there a few weeks as i was making no money. Unfortunately I never de-registered as i totally forgot. I had a letter about a year or so ago maybe 2 years ago stating i owed money so I rang and stated I've never been self employed. The advisor on the other end said to put it in writing so I did, and heard nothing since now. I havent been working for a long period of time, and also signed on to job seekers at one stage so why they haven't seen that, i don't know. Please find attached the letter i received. Is it possible to be assisted by you in this matter? If yes, what is the best time to call you and book an appointment? 

Replies (35)


By SteveOH
26th Mar 2015 13:13

Bit of bad luck there

I have received a couple like this in the recent past and, to be honest, recognised them as scams straight away. Firstly, I think that people would normally telephone an accountant's office with a general request like this (or call in to their office) and not send an email. Secondly, I would never open an email from somebody that I didn't know or wasn't expecting.

I hope that all has now been put right.

Thanks (0)
By DMGbus
26th Mar 2015 13:31

Anti virus software

In theory Anti Virus software should scan eMail attachments before they are downloaded or opened.  If this was the case then the problem would not arise.

However, certainly with Trend Micro, this has been failing to recognise some malware infected Word, Zip and Excel documents this year.   To test it I did download, but didn't open one such suspect attachment, then specifically scanned it with TrendMicro AV software and it was reported as clean / uninfected.   I then scanned it with BullGuard and it was identified as an infected file.  I then, a week later, scanned the same file again with TrendMicro and it was, on this second scan by TrendMicro identified as infected.

What this demonstrates is that the effectiveness of anti-virus software depends upon how up to date it is at any given moment in time - TrendMicro was not as up to date as Bullguard so would have allowed a computer system to become infected.

As it happens I have a policy of not opening any attachments unless they are from senders who I know and who I'd expect to receive attachments from.  

As an aside I would like to think that HMRC and the Police identified the culprit in the OP's case as the fraudster's recipient bank account details were clearly provided to HMRC to attempt to obtain repayment ... but, oh dear, did the Bank concerned fail to MLR identify the account holder I wonder?    All too often there is a lack of evidence or news of eFraudsters being prosecuted - just maybe if the Banks concerned were made liable for losses where they'd failed to properly identify the account holders then perhaps things would improve.

 

Thanks (3)
By James Reeves
26th Mar 2015 13:37

Interesting approach

It appears that this may be a genuine taxpayer query, posted on both taxation web and the law forum at the end of 2013. The spammer appears to have just lifted the text almost verbatim from the originally posted query and added a sentence about an attachment.

This may be why it seemed realistic, it is not the usual spam gibberish written by a non-native English speaker.

http://www.taxationweb.co.uk/forum/self-employment-misunderstanding-t429...

http://www.thelawforum.co.uk/tax

Do you have antivirus software installed? If so, which one was it, as it presumably should have stopped this from happening?

Thanks (3)
By Gem7321
26th Mar 2015 13:38

I am dubious about opening anything other than in pdf format, we have received several .docs and .xls with malicious macros

Thanks (0)
Replying to SXGuy:
By Portia Nina Levin
25th Apr 2015 12:02

(No subject)

Thanks (2)
By James Reeves
26th Mar 2015 13:42

And another thought...

You know that thing we are always being told about making sure we regularly change our passwords...

This post kind of rams that point home, doesn't it...

 

Thanks (0)
By Ned Ludd
26th Mar 2015 13:46

 

tried putting a link up but it didn't work.

 

had a client defrauded recently and I posted it on here

 

we had the very same e mail.

 

very worrying.

Thanks (1)
By User deleted
26th Mar 2015 14:16

When will people learn?

If you're not expecting an email, or don't recognise the sender, don't open any attachment or click on any link. It's not rocket science - I would sympathise with the 92 year-old pensioner but, seriously, any professional that falls into such a trap deserves very little sympathy.

If you have any reason to suspect that the mail may be genuine, email a response - preferably from an internet café or other 'safe' PC and tell the sender that attachments are blocked and ask them to send a copy in the post. (I would never bother, though.)

Thanks (1)
By GuestXXX
02nd Apr 2015 21:50

.

 

 

Thanks (0)
By mumpin
26th Mar 2015 15:29

I get loads of these...

I've never opened one, ever.

If someone I know sends me an attachment out of the blue then I don't open it until I've phoned them.

I think you were pretty niave.

Thanks (0)
By Manwithnoname
26th Mar 2015 15:55

So what have we learned

1) Scammers can be clever and you got a fantastically well done email that could have fooled someone who wasn't (sadly quite justifiably and legitimately) jaded and savvy to the world of scams.

2) Everyone on AW, nay everyone with a working brain (be they human or ovine), would instantly see through every such scam email they received. 

Oh except you. 

And potentially me if I had had it. 

And plenty of other people, so chalk it up to experience and up your cynicism a notch for future.

 

Hope it all got sorted.

 

 

Thanks (10)
By User deleted
26th Mar 2015 16:04

James inadvertently gives a good tip above

If you have any doubts at all about the authenticity of an email, just Google the text. Hardly a foolproof safeguard, but it will often confirm what you should already know.

Thanks (3)
By martin.curtis
26th Mar 2015 16:50

Some good points, thanks

The really cute part was the preview of the word.doc showed that it started life as an HMRC letter. The colours, the banner and the layout in the preview were spot on. I'd also taken several calls that week and received 10 letters from HMRC regarding fines for ex-client's late 2013 SA TR's, and at the time this was just another one. I do receive genuine emails similar to this from new clients, I usually reply asking them to ring me and make an appointment to meet and they have done so. 

My anti-virus is Symantec Endpoint Small Business. It updates daily and covers my server and all slave pc's in the building. It fired no triggers on the day. I have now added Malwarebytes to my armoury and a much much larger dose of cynicism.

Like most it seems, I thought I was pretty savvy but got caught this time. If only they had mentioned Nigeria I'd have been safe

I hope that posting the tale and putting my head above the parapet helps keep scams foremost in people's minds.

If your reply merely dissed me then you really shouldn't have bothered, as my post suggests, I already know that I made a mistake, I genuinely hope you continue being clever and never make one.

Secondhand_22: I enjoyed the reference to a typewriter but why a lamb? Is that topical or just seasonal.

Mumpin: I believe I was more naive than niave

 

Thanks (10)
By Maslins
26th Mar 2015 17:34

To all those smug gits mocking anyone so daft as to click these...you wait.  Show me the [***] who's never made a mistake, I don't want to meet them.

Martin, at the risk of being called an idiot myself, we fell foul of something vaguely similar a year or so ago.  I think it was supposedly from Companies House.  It looked very plausible and caught me off guard as coincidentally I seem to recall it tied in with something I'd requested a little while earlier.  Yes had I been in a different frame of mind or anyone else looked at it there were probably tell tale signs it wasn't valid...but hey ho.

Anyway, we got the cryptolocker virus. So, not anyone trying to use data, more just lockdown every document we have, disabling our access unless we pay a ransom. Ended up getting it back just about thanks to backups...but also made me realise you never know how good your backup is until you need it. Ours was just about up to the task, but could've been much better. Hindsight's a wonderful thing.

Thanks (7)
By User deleted
26th Mar 2015 18:24

It's not about making mistakes

If I were to inadvertently open a virus-laden attachment or click on a dodgy link, I'd have only myself to blame.

But, maslins, you say you were caught out a year or so ago. Since then, and indeed since before then, the standard advice has repeatedly been - if you're not expecting an email DO NOT open attachments or click on links.

The OP said that he hesitated at first and then opened the attachment. So it was a(n ill-)considered action. In view of everything that has been published regarding bogus emails, hindsight is irrelevant. It was a stupid thing to do, but at least the OP acknowledges the fact.

Thanks (0)
By Dave360
26th Mar 2015 19:07

Can you get a virus from a non-macro enabled word document? Just wondering because I thought if there were macros then you'd get a warning first.

Thanks (0)
Replying to whiteways:
By nogammonsinanundoubledgame
27th Mar 2015 08:34

This ...

Dave360 wrote:

Can you get a virus from a non-macro enabled word document? Just wondering because I thought if there were macros then you'd get a warning first.

I agree.  Assuming that your computer security settings in Office are set to Medium or higher, it should be safe to click on "open" on a word document, and then either stop at the point where it prompts you to enable embedded macros, or to open the file with macros disabled.

Another tip is to mouse over hyperlinks that you are considering clicking on, before clicking. The "real" URL of the link pops up, and that can provide an indication of dodginess.

It was news to me that PDF documents are unsafe.  Obviously there are dangers to clicking on hyperlinks in the document, but just opening the file? Is there any way to disable potentially dangerous code in a PDF document as there is in an Office document? Point is of particular relevance because I recently posted a query that contained a link to a pdf document uploaded externally. No responses, and this may be a contributory factor.

Thanks (0)
Replying to Open all hours:
By jndavs
27th Mar 2015 09:29

Nogammonsinanundoubledgame, it's a whole lot worse than that
If you mouse over a hyperlink, a mouse over event is generated. This can be trapped in a similar way to a mouse click event, and you know what happens then.

Any file can potentially harbour a virus. There are instances of malicious code being embedded on JPEG headers, which activates when the image file is viewed - see http://blog.appriver.com/2010/05/malware-hiding-in-image-files/
https://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-si...

On a less subtle note, if you have your 'show known extensions' option switched off, a file image.jpg.exe will appear as image.jpg

Thanks (3)
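
An added example, not part of any post in this thread: a Python triage of e-mail attachments for the two things discussed above, a hidden double extension such as image.jpg.exe and Word/Excel files that can carry macros. The extension lists, the finding labels and the constructed sample message are assumptions of this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Illustrative, not exhaustive, extension lists (assumptions of this example).
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".txt"}
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".docm", ".dotm", ".xlsm", ".pptm"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Office (.doc/.xls) container


def triage_attachment(filename, payload=b""):
    """Return a list of findings for one attachment name and its bytes."""
    name = (filename or "").strip()
    exts = ["." + p for p in name.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    findings = []
    if last in EXECUTABLE:
        findings.append("executable")
        if len(exts) >= 2 and exts[-2] in DECOY:
            # With known extensions hidden, only the final extension is dropped.
            findings.append("double-extension:shown-as=" + name[: -len(last)])
    if last in MACRO_CAPABLE:
        findings.append("macro-capable-format")
    if payload.startswith(OLE_MAGIC):  # container that can hold VBA macros
        findings.append("ole-compound-file")
    if payload.startswith(b"PK"):  # .docx/.xlsx/.docm files are zip archives
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    findings.append("contains-vba-project")
        except zipfile.BadZipFile:
            findings.append("corrupt-zip")
    return findings


def triage_message(raw):
    """Parse a raw e-mail message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): triage_attachment(p.get_filename(),
                                                p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()}


def build_sample():
    """Constructed test message; every attachment is inert sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg.set_content("constructed body")
    for fname, data in [("image.jpg.exe", b"MZ" + bytes(16)),
                        ("letter.doc", OLE_MAGIC + bytes(16)),
                        ("letter.docx", buf.getvalue()),
                        ("notes.txt", b"hello")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Calling `triage_message(build_sample())` returns a dictionary of findings per attachment name; a macro-capable format is a reason to keep macros disabled, not proof that the file is malicious.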
By dnicholson
26th Mar 2015 21:16

Smugness
"Scams are not always obvious"

They're never obvious to those who fall for them.

The smugness of some replies is amazing. Everyone is vulnerable to a properly crafted scam. If you haven't fallen for one yet you just haven't met yours. Be thankful instead of belittling those who have.

Thanks (8)
By User deleted
26th Mar 2015 22:17

I have little doubt ...

... that at some time in the future someone is going to catch me out. But it will not be as a consequence of my deliberately opening an attachment to an unsolicited email.

Thanks (1)
By dnicholson
26th Mar 2015 22:23

Really
"But it will not be as a consequence of my deliberately opening an attachment to an unsolicited email."

So your friends/customers/suppliers/advertisers don't send you unsolicited email?

Thanks (0)
By User deleted
27th Mar 2015 08:27

Yes, really

Here is why I feel safe:

I get very little unsolicited email from clients, friends etc.

Of that small fraction of email an even smaller fraction contains attachments or links.

Advertisers' emails tend to go straight to the rubbish bin. On the odd occasion that I am interested I will go directly to their website or call them.

The odd rogue email does get through, but:

The style/subject matter of such email is a giveaway 99.9% of the time - straight to junk with it.

Most rogue emails do not address me personally.

Where the email does contain a name I am lucky that my name has several variants. The one used by all that know me is unlikely to be the one stored in their contacts list - so if I ever get an email from a 'friend' addressing me by my real name chances are it will be fake (having been harvested from the "sender"'s contact list).

Now, someone may well find another way of tripping me up but the above is why I am confident in saying it will NEVER be from opening an attachment or link in an unsolicited email.

As guilty as I may be of smugness, some people really need to get down off their high horses and wind their necks in. We were talking above about a specific instance - the OP received an unsolicited email from an unknown sender containing a Word attachment. Despite every warning about opening such attachments he, having thought about it, opened the attachment. And came on here to tell us that it contained a virus. Seriously, what kind of reaction was he expecting? I suppose a thanks for alerting us all to the content of that particular email would be in order, but other than that ...

 

Thanks (0)
Replying to Duggimon:
By jonbryce
29th Mar 2015 11:08

Re: Yes, really

This looks like a spear phishing attack, where the scammer has taken the trouble to research and individually target you.  They are much more difficult to spot.

Thanks (0)
By JCresswellTax
27th Mar 2015 09:12

Harsh

There are a lot of harsh comments on here to be fair.

I don't believe the OP was looking for sympathy.  He was just advising us of the scam.

So to basically call him stupid for opening it was a bit unnecessary.

Thanks (6)
By ireallyshouldknowthisbut
27th Mar 2015 10:07

.

No doubt the scammers are (a) getting much better at this (b) targeting their emails very well to accountants.

I do wonder if as time moves on we will need to move to "bank level" security for agents using one of those calculator things to submit data online more securely.  

The 'weakest link' is always the human being operating the equipment. 

 

 

Thanks (0)
By dnicholson
27th Mar 2015 10:25

More about attitude

@BKD

I can tell that you're prepared, but I think that vigilance comes from believing that it can happen to you. If you've convinced yourself that you'll never click on a bad email link you become more of a target for the (rare) email that convinces you that it's not unsolicited.

Thanks (0)
By nogammonsinanundoubledgame
27th Mar 2015 10:29

Outlook question

If you have your outlook configured so that you have a preview pane, are you still exposed if you don't "open" the email but do review the preview pane (including for mouse-over events)?

Thanks

With kind regards

Clint Westwood

Thanks (0)
By Portia Nina Levin
25th Apr 2015 12:03

(No subject)

Thanks (0)
By chatman
27th Mar 2015 12:06

I would have fallen for that.

Thanks (0)
Replying to ngaccounts:
By Red Leader
27th Mar 2015 12:26

I almost did

chatman wrote:

I would have fallen for that.

Got a similar one that seemed like a genuine enquiry from a prospect. Don't know why but something made me check before opening the attachment. It was a close run thing, though.

Thanks (0)
By Ermintrude
27th Mar 2015 14:02

Administrator Account

I've just been told by a software writing client to always have a separate Administrator account, and only ever give limited user access to all users including yourself.  Viruses can load themselves straight on if you're online as an administrator.  If you're online as a user though, you'll get a request to enter the admin password when a virus tries to sneak on - so you can nip it in the bud then, by refusing.

The software writing client doesn't even bother with anti-virus software, just periodically runs the Microsoft malware Removal Tool.

 

 

Thanks (0)
Replying to fawltybasil2575:
By Tim Vane
27th Mar 2015 16:21

In that case...

Ermintrude wrote:

The software writing client doesn't even bother with anti-virus software, just periodically runs the Microsoft malware Removal Tool.

...your software writing client is an idiot.

Don't take any software off him.

Thanks (0)
By Charlie Carne
27th Mar 2015 15:43

"opening" an email

I had always understood that there is no significance to the concept of "opening" an email, but only to opening an attachment. If the email itself contains a virus then, if your anti-virus software doesn't trap it, you will be infected, whether you "open" the email in a new window, preview it in Outlook's preview pane or simply delete it from your inbox before doing either. This is because anything malicious contained within the email itself is exposed as soon as it is received by your email client (eg Outlook), whereas malicious code contained in the attachment will normally only be executed if that attachment is opened. Perhaps someone with better technical knowledge than me can let us know if that is correct?

I had further understood (again, I may be completely wrong) that the virus is normally contained either in the attachment or on a web page to which you are directed by a link, in which case it makes no difference whether or how you view or preview the email, as you can only then expose yourself to risk by opening the attachment or clicking a link to an infected site elsewhere.

Thanks (0)
By birdman
28th Mar 2015 14:07

Changing passwords regularly

...as mentioned in a previous post - is there really any point? If someone "gets" your password as it is now, surely they will use it straight away, maybe even changing it themselves? If you do change passwords regularly, I'd imagine you are more likely to need to write it down or make it simple enough to remember, which would defeat the object.

Thanks (0)
By birdman
28th Mar 2015 21:24

Thanks Tim

...I hadn't thought about the email alert, good point. With writing down, I guess I was thinking more along the PIN-type theft of a wallet (or a laptop/PC in this case) - having experienced a walk-in theft of a laptop from our office I was just pleased there were no passwords noted/saved on the machine or the desk area.

Thanks (0)