Three Little Phishes – security lessons from the week just past…

We come across a lot of spams, scams and phishing attempts here at Naked Security.

Some come to our “send us a comment” email address, because it’s widely publicised.

Some come to our personal addresses, especially those of us who have had the same email for many years.

And many – the most interesting! – are reported by our readers in the hope that we can use them as a security warning for other people.

So, we picked three recent cybercrime tricks that you can use to remind yourself, your friends, and your family, what to look out for.

We’re calling them the Three Little Phishes.


Advance Fee Fraud, or AFF, is a scam that goes back years – hundreds of years at least – and works just as the name suggests.

There’s usually some sort of business deal, with substantial money waiting for you, that you’re invited to join, often because the other participants need someone outside their own country to act as a partner.

Sometimes the deal feels at least vaguely legitimate, such as assisting a business go international, or helping to disburse charitable donations overseas.

But sometimes you’re being tempted knowingly to join a scam, such as helping to claim an inheritance by saying you knew a person you’ve never actually heard of.

Either way, the scam is on you, because as soon as you express any interest, you will be wheedled into paying up one fee for registration, and a second fee for processing, and a third fee for lawyer’s services…

…and so on, until you finally come to your senses and realise that the fees only ever go one way: to the crooks.

Usually, the crooks get you interested and onto the hook, then they reel you in and persuade you to start handing over the never-ending fees.

But here’s a spam from the past week in which the crooks come perfectly clean up front about the advance fee.

Presumably, the idea is that prospective victims not only pre-qualify themselves, thus saving the effort of talking them around, but actually contribute to the fraud right at the start – a sort of “advance advance fee fraud”:


We have registered your ATM CARD of US$4.5M with a Courier Company with registration code of NNNNNNN. Please Contact with delivery information such as, Your Name, Your Address and Your Telephone Number: Shiping company Office:

Note you are to pay $95.00 for delivery charge.


It’s easy to laugh at people who get drawn into scams of this sort, because to most of us the treachery seems obvious.

Nevertheless, at least some people still seem to think that they can engage with the scammers, find out more, and maybe even scam them in reverse.

Don’t do it – just hit [Delete].


Whether it’s a purchase you never made on iTunes, or claims of suspicious password attempts on your banking site, the Attend to Your Account scam is a trick to persuade you to log in, allegedly for verification purposes.

Of course, for convenience, you’re presented with a handy login link that takes you to a page much like the real thing, where incautious users may enter information such as email address, password, security question answer, and more…

…only to find that they’ve just “logged in” to an imposter site that has harvested their personal information.

Most of these phishing scams (so called because they “phish” for your password) are obvious in hindsight, but by sending large quantities of email, the crooks get lucky more often than you might think.

Perhaps that fake iTunes email arrived the day after you had an unusual error trying to make a genuine purchase, or the bank account warning turned up a few hours after your credit card was unexpectedly declined?

The iTunes error might be nothing more than a network outage by your ISP, and the credit card problem down to a faulty card reader at the checkout, but the coincidence might be just enough to catch you off your guard.

Like this scam we received this week:

The scam should be obvious, not only because of the spelling mistakes in the email, but also because, if you had an account, you’d already be logged into it in order to read the email.

Nevertheless, if you’re in a hurry, or uncertain, or have multiple webmail inboxes, some of which you clean up only occasionally, you might be tempted to click through.

Don’t do it – never log in from links offered up in emails.


This one was reported in the past week by a Naked Security reader who meant to visit an investment site, but mistyped the web address slightly, and ended up at a web page playing the Here’s Something Shiny game.

Crooks – and, sadly, some legitimate companies, too – love to register “near miss” URLs so that minor typing errors bring you to a catchy destination instead of causing a “server not found” message.

The trick is called typosquatting, because it involves camping on misspelled domain names in the hope of picking up visitors who never meant to visit at all.

We took a programmatic look at typosquatting just under four years ago, by using automated tools to visit thousands of off-by-one server names, such as FACEBOK and GOOOGLE, and we found that Apple was the brand that appeared most frequently – and unofficially, if not always dishonestly – on mis-spelled websites.
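As an added illustration (not code from the original article or from the study it mentions), here is one way a defender could flag off-by-one names like FACEBOK and GOOOGLE among hostnames seen in proxy or DNS logs. The brand list, the sample hostnames and the function names are assumptions made for this example, and the label extraction is deliberately naive (it ignores multi-part suffixes such as co.uk).

```python
# Flag hostnames whose main label is exactly one typing slip away from a
# protected brand name: one character dropped, doubled/added, replaced,
# or two neighbouring characters swapped.

BRANDS = {"facebook", "google", "apple"}  # constructed list of names to protect

# Constructed sample input, using the reserved .example TLD.
SAMPLE_HOSTS = [
    "facebok.example",      # dropped letter
    "www.gooogle.example",  # extra letter
    "appel.example",        # swapped neighbours
    "google.example",       # exact match: not a typo
    "maple.example",        # two edits from "apple": not flagged
]


def is_off_by_one(brand: str, label: str) -> bool:
    """True if label differs from brand by exactly one edit or adjacent swap."""
    if brand == label or abs(len(brand) - len(label)) > 1:
        return False
    # Skip the common prefix; the single slip must start where they diverge.
    i = 0
    while i < min(len(brand), len(label)) and brand[i] == label[i]:
        i += 1
    rest_b, rest_l = brand[i:], label[i:]
    if len(rest_b) == len(rest_l):
        if rest_b[1:] == rest_l[1:]:          # one character replaced
            return True
        return (len(rest_b) >= 2              # two neighbours swapped
                and rest_b[0] == rest_l[1] and rest_b[1] == rest_l[0]
                and rest_b[2:] == rest_l[2:])
    longer, shorter = (rest_b, rest_l) if len(rest_b) > len(rest_l) else (rest_l, rest_b)
    return longer[1:] == shorter              # one character added or dropped


def main_label(hostname: str) -> str:
    """Naive assumption: the label just before the final dot is the brand part."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_near_misses(hostnames, brands=BRANDS):
    """Return (hostname, brand) pairs for every off-by-one lookalike."""
    return [(host, brand)
            for host in hostnames
            for brand in sorted(brands)
            if is_off_by_one(brand, main_label(host))]


if __name__ == "__main__":
    for host, brand in flag_near_misses(SAMPLE_HOSTS):
        print(f"{host} looks like a near miss for {brand}")
```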

And it was a surprisingly legitimate-looking, though entirely unofficial, Apple-related site that our reader reported.

The new iPhone 6s was the drawcard, with a series of Apple-like pages inviting you into a limited test group:

There was even a series of bogus Facebook-like posts claiming to show fellow participants in the test:

Once again, at the end you’re urged to sign up – and to pay just £1 for shipping.

Even though the fee feels almost as though it adds an air of legitimacy, it’s still an advance fee, requested under false pretences.

Don’t do it – there is no iPhone, and you can never un-send your contact information!



Worried penguin and three sharks courtesy of Shutterstock.