Track Down a Suspicious Email

We received a very suspicious email this morning. On the surface it looked innocent enough, but the clue that gave it away as a ‘phishing’ email was simple. The email was from Air Canada, Canada’s national airline, but the person who received it does not fly…ever. Here’s how we figured it all out. This is the email we received:

Photo of Email 1
Here is the subject line.


Photo of Email 2
Here is the email itself. Hotmail has prevented some of it from loading.

If we had recently booked tickets, this email might have tricked us into clicking the links in it. Where do the links lead? Let’s check. If you hover your cursor over each link, you will be able to see the actual link that it leads to. Please don’t make a mistake and click on the link. Ever! This is what we saw when we hovered over the links:

Photo of Email 3
Look down at the very bottom of your browser. See where it says ‘www.lakewoodpool.com/PDF/ticketRX749CA.zip’? Nothing to do with Air Canada there.


Photo of Email 4
This one has a contact PDF file which probably has a piece of malware in it.


Neither link leads to the Air Canada website. We didn’t click on the links but we did open up a new browser window and typed in ‘www.lakewoodpool.com’. This is what we found:

Photo of Email 5
This website is real but it’s out of date. It hasn’t been updated since January 2010.

We showed you how to check the IP address of a suspicious email here: Check IP Address. First we checked the email source by right-clicking the closed email in the junk mail folder. (This is how to do it in Hotmail/Outlook/Live, but your email system may vary. It may not be the same as this, but EVERY email system allows you to check the source of any email you receive.) Here is the menu you’re looking for:

Photo of Email 8
Choose ‘View message source’.


This is what you see next. Yes, it looks like gibberish, but all you have to look for are the numbers that are marked in blue here. Highlight them (click just to the left of the first number, keep the mouse button pressed and drag to the right until you get to the end of the last number, then release your mouse):

Photo of Email 6
Near the top, look for ‘(sender IP is …)’. That set of numbers is the sender’s IP address.

Next, we headed to http://whois.net/ip-address-lookup/ to find where in the world that IP address is. Whois is a Unix command that asks, literally, ‘who is this?’ Here’s what we found:

Photo of Email 9
This IP address is in France…a long way from Canada.


We went through this exercise to prove to you that the email in question is a fraud, a phishing email. The senders expected us to click the links and subsequently download their malware. Once our computer is infected with the malware, they could either take control of our computer or gather information about our identity. Identity theft is much more common now than any other kind of criminal activity.

Besides all of this, the email had many clues in it that, hopefully, would make you suspicious.

Clues that an email is a fraud or a phishing scam:

1. If indeed we had purchased a ticket from Air Canada, they would have our name, right? Air Canada or any other company would not send us an email with the opening line ‘Dear customer’.

2. We hadn’t purchased a plane ticket. That’s simple but important. If you haven’t purchased anything from a company but they send you an email which says you have, you can be pretty sure that it’s spam or a phishing scam. This goes for banks, shipping companies and ticket outlets.

3. The links in the email did not lead to an Air Canada site. Hover over any link in the email, then look down near the bottom of your browser window. The real link address will be there. Whatever you do, do not click on any link in any email that you think is suspicious.

4. One of the links contained a zip or compressed file. Malware can be sent via PDFs but usually it is sent in a zip file.
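As an added example (not code from the original post), here is a small Python script that automates the two checks described above: pulling the ‘sender IP is’ value out of the message source, and listing where each link really points so that off-brand hosts and zip downloads stand out. The message source it parses is constructed; the IP is a documentation address and the sender domains are placeholders, with only the .zip link taken from the post.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample message source, not the actual email from the post. The IP
# is a documentation address and the From domain is a placeholder; the .zip link
# is the one the post saw on hover, the contact PDF path is made up.
RAW_MESSAGE = """\
Authentication-Results: hotmail.example; sender-id=none (sender IP is 203.0.113.45)
From: "Air Canada" <noreply@aircanada.example>
Subject: Your Air Canada e-ticket
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<a href="http://www.lakewoodpool.com/PDF/ticketRX749CA.zip">View your e-ticket</a>
<a href="http://www.lakewoodpool.com/PDF/contact.pdf">Contact us</a>
<a href="http://www.aircanada.com/">www.aircanada.com</a>
</body></html>
"""
SENDER_IP_RE = re.compile(r"sender IP is (\d{1,3}(?:\.\d{1,3}){3})")
HREF_RE = re.compile(r'href="([^"]+)"')
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")

def sender_ip(raw):
    """Return the address the receiving server recorded as 'sender IP is', or None."""
    match = SENDER_IP_RE.search(raw)
    return match.group(1) if match else None

def extract_links(raw):
    """Pull every href out of the HTML body: the destination a browser shows on hover."""
    body = message_from_string(raw, policy=default).get_content()
    return HREF_RE.findall(body)

def suspicious_links(raw, claimed_domain):
    """Flag links whose host is not the claimed sender's, and any pointing at archives/executables."""
    findings = []
    for url in extract_links(raw):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            findings.append((url, "host is not " + claimed_domain))
        if parts.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append((url, "points at an archive or executable"))
    return findings

if __name__ == "__main__":
    print("sender IP:", sender_ip(RAW_MESSAGE))
    for url, reason in suspicious_links(RAW_MESSAGE, "aircanada.com"):
        print(url, "->", reason)
```

Feed the sender IP to a whois lookup, as the post does, to see which network and country it belongs to.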

The lakewoodpool.com site has obviously been hacked by someone. It hasn’t been updated for two years, but someone has guessed the administrator’s password and taken control of the site. Once inside the host server, the criminal is able to send out emails such as this from anywhere in the world.

Hopefully, we’ve educated you a bit in figuring out what a fraudulent email looks like. If you have questions or comments, use the form at the bottom.

Thanks for reading!
