Beware This Scam Attempt!

  • #748466
    Nigel Graham 2
    Participant
      @nigelgraham2

      In light of all the hoo-hah about full-fibre broadband, this one is particularly dangerous because it uses your name and the real name and address of your local library, wrapped up in a very close facsimile of BT’s letter-head:

       

      Hello Nigel,

      In the near future, we’ll be switching your home phone service to BT’s new Digital Voice, so we can continue to give you the best service today and for the future.

      We know that you might have questions or want some more information, so we’re coming to [your town name] in person, where we’ll have a team on hand who can tell you what Digital Voice is, why the change is necessary, and what it means for you.
       
       
      Where and when
       
       
      We’re holding a drop-in on 3rd September between 10:00-14:00 at:

      [local] Library and Learning Centre
      [Its real address including correct post-code, although with the street name mis-spelt]
       
       
      You don’t have to pre-book, just turn up.

      Do you think you’ll attend? Click here to let us know:

      Followed by three buttons: YES, NO, MAYBE

      Then small print, some abstracted from BT, including further links.

      Just as I was reaching for my calendar, something made me look again, closely.

      – Rather bad formatting including a double-line break in mid-sentence, and some words broken on two lines,

      – the spelling error, the tautology,

      – the sending address looking not quite right for BT,

      – the over-familiar salutation,

      – a service-type name new to me,

      – the self-contradictory “booking”…

      then the “View Source” tool showed a rather strange routing via something called “.amazonses.”

      I telephoned BT and after the usual ‘Press 8 To Be Driven Up The Wall’ rigmarole made contact with a very helpful lady in Warrington (she said). She confirmed this e-message was fraudulent, the service name is fiction, the sending address not correct for BT.

      I blocked the sender and domain, and forwarded the message to BT’s own phishing-report service.

      .

      This was not long after I’d seen off, co-incidentally, one of those Asian call-centre blokes with an English name, ringing to tell me he was Microsoft and my computer had reported…

      “Which computer do you mean?” I asked politely, starting an exchange that soon made him realise I was not going to fall for his nonsense.

      #748472
      Diogenes
      Participant
        @diogenes

        Are you being changed over to DV, or has it happened already?

        #748479
        Michael Gilligan
        Participant
          @michaelgilligan61133
          On Nigel Graham 2 Said:
          […]
          I telephoned BT and after the usual ‘Press 8 To Be Driven Up The Wall’ rigmarole made contact with a very helpful lady in Warrington (she said). She confirmed this e-message was fraudulent, the service name is fiction, the sending address not correct for BT.

          […]

          Well-caught, Nigel

          The Digital Voice moniker is quite legitimate:

          https://www.bt.com/broadband/digital-voice

          but after decades as a BT sufferer, I could believe almost any level of incompetence in their communications.

          MichaelG.

          [ left BT in 2022, and am much happier with Zen ]

          #748482
          Michael Gilligan
          Participant
            @michaelgilligan61133

            [ FOOTNOTE ]

            Here’s a screen-grab from the page that I linked:

            IMG_0047

            #748498
            Hopper
            Participant
              @hopper

              You need this https://www.mailwasher.net/ It’s free and it works pretty well.

              Spam is part of the environment in the 21st Century. Life is too short to spend time dealing with it on a one-at-a-time basis.

              #748607
              Nigel Graham 2
              Participant
                @nigelgraham2

                Michael –

                The only problem I have with BT is its bewildering web-site! Once you contact someone they are normally very helpful.

                Their unsolicited communications – both information and advertising – are fine, and very clear.

                The clues that the message was false, included various small mistakes like poor formatting; but most important was the strange routing revealed by BTInternet’s own ‘View Source’ tool.

                That hidden address included the word amazonses

                Given my recent brush with the Amazon on-line retailer, that odd word aroused my suspicions still further. I had written about six weeks ago to the US company’s London office, about the original problem with it, but have yet to receive a reply.

                Amazon’s web-site is even more cluttered and baffling than BT’s, but I searched again this morning and eventually found a discrete customer-services e-mail address not needing my alleged, and locked, account.

                So I sent a message explaining the original problem with Amazon, asking for the alleged account to be erased, but also mentioning the “amazonses” on the fake BT message.

                To my surprise I had an acknowledgement very rapidly, promising to investigate.

                #748608
                Michael Gilligan
                Participant
                  @michaelgilligan61133

                  Nigel,

                  Our experiences with BT evidently differ … so be it.

                  What I can help you with, however, is this:

                  https://aws.amazon.com/ses/

                  Aside from all the physical ‘fulfilment’ services, Amazon is a very big provider of ‘cloud-related’ services.

                  MichaelG.

                  #748610
                  Nigel Graham 2
                  Participant
                    @nigelgraham2

                    Odder and odder.

                    Diogenes – No, I am still on the proper service!

                    ……..

                    Are there any programmers or similar here, please? I cannot read server-control codes but there seems a peculiar likeness in what I have received, visible only by using the analysis tool on the normal tool-bar but really intended for IT professionals.

                     

                    I closed this site then out of curiosity ran ‘View Source’ on the reply from Amazon, which they managed to send twice.

                    I also thought the message English slightly odd, but the firm might be using an overseas call-centre. Anyway, this is the routing. Notice the word “amazonses”?

                    So from Amazon... supposedly:

                    Return-Path: <202408231138107c70a43d5a7348e78cc326feae90p0eu-C1NYSK3ECZRIDF@bounces.amazon.co.uk>
                    Received: from btprdrgi023.btinternet.com ([10.248.67.160])
                    by btprdfep059.mx.internal with ESMTP
                    id <20240823113810.FFOU10764.btprdfep059.mx.internal@btprdrgi023.btinternet.com>
                    for <****@****>; Fri, 23 Aug 2024 12:38:10 +0100
                    Authentication-Results: btinternet.com;
                    dmarc=pass header.from=amazon.co.uk;
                    dkim=pass;
                    dkim=pass;
                    spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com;
                    spf=pass smtp.mailfrom=bounces.amazon.co.uk;
                    arc=none smtp.client-ip=54.240.1.126;
                    bimi=skipped
                    X-OWM-SPF-MAILFROM: Pass
                    X-OWM-SPF: 0
                    Received-SPF: none (btprdrgi023.btinternet.com: domain
                    a1-126.smtp-out.eu-west-1.amazonses.com does not designate permitted sender
                    hosts) identity=helo; receiver=btprdrgi023.btinternet.com;

                    After that it is even more computerese.

                    This is the equivalent for the fake BT message (it is still in my Deleted folder).

                    Return-Path: <010201917955a23a-03c259c6-0513-4690-bdbc-7bf9531cee93-000000@eu-west-1.amazonses.com>
                    Received: from btprdrgi039.btinternet.com ([10.248.67.31])
                    by btprdfep009.mx.internal with ESMTP
                    id <20240822090541.RATC1724510.btprdfep009.mx.internal@btprdrgi039.btinternet.com>
                    for <****@****>; Thu, 22 Aug 2024 10:05:41 +0100
                    Authentication-Results: btinternet.com;
                    dmarc=pass header.from=message.bt.com;
                    dkim=pass;
                    dkim=pass;
                    spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com;
                    spf=pass smtp.mailfrom=eu-west-1.amazonses.com;
                    arc=none smtp.client-ip=23.251.239.18;
                    bimi=skipped
                    X-OWM-SPF-MAILFROM: Pass
                    X-OWM-SPF: 0
                    Received-SPF: none (btprdrgi039.btinternet.com: domain
                    e239-18.smtp-out.eu-west-1.amazonses.com does not designate permitted sender
                    hosts) identity=helo; receiver=btprdrgi039.btinternet.com;
                    client-ip=23.251.239.18; helo=e239-18.smtp-out.eu-west-1.amazonses.com;
                    Received-SPF: pass (btprdrgi039.btinternet.com: domain eu-west-1.amazonses.com

                    ……

                    Hoax BT:

                    spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com;
                    spf=pass smtp.mailfrom=bounces.amazon.co.uk;

                    HOAX??? Amazon:

                    spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com;
                    spf=pass smtp.mailfrom=eu-west-1.amazonses.com;

                     

                    I am going to report the “Amazon” message as a phishing attempt…… Luckily its message simply asked me for the e-address used by Amazon for the account it thinks I have, so its senders have learnt nothing new.

                     

                    #748614
                    Diogenes
                    Participant
                      @diogenes

                      A bit of shallow digging revealed that ‘Amazonses’ is ‘Amazon Simple Email Service’ – it’s a genuine email handling platform that they provide for marketing purposes so that third parties (BT, in this case) can do things like sort mailing lists, identify responses, and issue tickets or quantify attendees.

                      Search ‘what is amazonses?’

                      #748620
                      Michael Gilligan
                      Participant
                        @michaelgilligan61133
                        On Diogenes Said:

                        A bit of shallow digging revealed that ‘Amazonses’ is ‘Amazon Simple Email Service’ – it’s a genuine email handling platform […]

                        As linked in my post #748608 above

                        MichaelG.

                        #748628
                        SillyOldDuffer
                        Moderator
                          @sillyoldduffer
                          On Michael Gilligan Said:
                          On Diogenes Said:

                          A bit of shallow digging revealed that ‘Amazonses’ is ‘Amazon Simple Email Service’ – it’s a genuine email handling platform […]

                          As linked in my post #748608 above

                          MichaelG.

                          Michael’s link contains this Amazonses selling point: Reach more customers’ inboxes as a trusted sender with email deliverability tools and IP management.   The source is more impressive than a fly-by-night hotmail account!   The service is sold to businesses, not individuals, and though I would expect customer credentials to be checked carefully, there are plenty of clever crooks about!

                          Amazonses isn’t untrustworthy in itself, and I see nothing technical in the email header published by Nigel above to indicate the email from “BT” is a wrong-un. It’s possible though that someone naughty has managed to fool Amazon, and is now using Amazonses to masquerade as BT.

                          I’m not sure the BT lady in Warrington gave Nigel good advice!  When ringing a help-line, don’t expect the human on the other end to know anything about corporate IT contracts, or how the email system works!   Unable to prove one way or another that Nigel has a real problem, it makes good sense for BT to tell him not to trust it.

                          As it happens I also have had a couple of BT emails warming me up to the idea my account will be moved to Digital Voice.   Nothing in the emails I’ve had to suggest they’re not genuine, and plenty to indicate they’re real.   The email header starts:

                          Return-Path: <01020190eee159e0-a5cd89db-8f13-4bbc-9fb5-4a9df643bb13-000000@eu-west-1.amazonses.com>
                          Received: from btprdrgi004.btinternet.com ([10.248.67.2])
                          by btprdfep024.mx.internal with ESMTP
                          id <20240726115104.SKXI3081103.btprdfep024.mx.internal@btprdrgi004.btinternet.com>

                          In other words, the email originated with ‘btprdrgi004.btinternet.com’, and was sent to me via eu-west-1.amazonses.com. The most likely reason BT would use amazonses rather than send direct is load management. Switching to Digital Voice involves millions of accounts, and the programme is likely to generate more email than BT’s in-house system is sized for. Services like amazonses are ideal for providing temporary muscle – rather than spend millions beefing up an in-house system, buy capacity in the cloud on a short-term contract.

                          Though I suspect this particular example is a false alarm,  Nigel is correct to treat it as a real threat.  He carries the can if it turns out to be wrong, not me!  Better safe than sorry…

                          Dave
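
An added example (not part of any post in this thread, and not BT's or Amazon's code): a Python reading of the two Authentication-Results headers posted above, showing which identifier accounts for each `dmarc=pass`. The function names, the small suffix set standing in for the Public Suffix List, and the assumption of relaxed DMARC alignment are illustrative.

```python
import re

# Authentication-Results values copied from the two headers posted in this thread.
BT_MESSAGE = """btinternet.com;
 dmarc=pass header.from=message.bt.com;
 dkim=pass;
 dkim=pass;
 spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com;
 spf=pass smtp.mailfrom=eu-west-1.amazonses.com;
 arc=none smtp.client-ip=23.251.239.18;
 bimi=skipped"""

AMAZON_MESSAGE = """btinternet.com;
 dmarc=pass header.from=amazon.co.uk;
 dkim=pass;
 dkim=pass;
 spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com;
 spf=pass smtp.mailfrom=bounces.amazon.co.uk;
 arc=none smtp.client-ip=54.240.1.126;
 bimi=skipped"""

# Assumption: a tiny stand-in for the Public Suffix List, enough for these samples.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def org_domain(domain):
    """Reduce a hostname to its organizational domain (relaxed alignment)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_auth_results(value):
    """Return (authserv_id, [(method, result, {property: value}), ...]).

    Simplified: splits on ';' and ignores RFC 8601 comments and quoting.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        m = re.match(r"([\w-]+)=([\w-]+)(.*)", part, re.S)
        if m:
            props = dict(re.findall(r"([\w.-]+)=(\S+)", m.group(3)))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return parts[0], results


def explain_dmarc(value, trusted_authserv="btinternet.com"):
    """Say whether SPF or DKIM must have supplied the aligned pass."""
    authserv_id, results = parse_auth_results(value)
    # Only a header stamped by your own mail provider is evidence; the same
    # header text arriving from elsewhere proves nothing.
    if authserv_id != trusted_authserv:
        return {"verdict": "untrusted-header"}
    dmarc = next(((r, p) for m, r, p in results if m == "dmarc"), None)
    if dmarc is None:
        return {"verdict": "no-dmarc-result"}
    verdict, props = dmarc
    from_domain = props.get("header.from", "")
    # SPF counts for DMARC only if the MAIL FROM domain aligns with From:.
    # The HELO result (spf=none in both samples) plays no part.
    spf_aligned = any(
        m == "spf" and r == "pass" and "smtp.mailfrom" in p
        and org_domain(p["smtp.mailfrom"].split("@")[-1]) == org_domain(from_domain)
        for m, r, p in results)
    dkim_pass = any(m == "dkim" and r == "pass" for m, r, p in results)
    if verdict != "pass":
        basis = "none"
    elif spf_aligned:
        basis = "spf"    # DKIM may align too; the header omits header.d
    elif dkim_pass:
        basis = "dkim"   # SPF is not aligned, so a From-domain signature passed
    else:
        basis = "inconsistent"
    return {"verdict": verdict, "from": from_domain,
            "spf_aligned": spf_aligned, "basis": basis}


if __name__ == "__main__":
    for name, hdr in (("BT", BT_MESSAGE), ("Amazon", AMAZON_MESSAGE)):
        print(name, explain_dmarc(hdr))
```

A `dmarc=pass` from your own provider means the visible From domain was authenticated by SPF or DKIM alignment; it does not vouch for the links or buttons inside the message.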

                           

                           

                          #748651
                          Michael Gilligan
                          Participant
                            @michaelgilligan61133

                            Thanks for your better-informed input, Dave !!

                            … it helps clarify the murky waters for the rest of us.

                            MichaelG.

                            #748657
                            Hopper
                            Participant
                              @hopper

                              Which is surprising, given the BT operator verbally told Nigel the email was a fake! Who can you trust these days?

                               

                              #748662
                              Michael Gilligan
                              Participant
                                @michaelgilligan61133
                                On Michael Gilligan Said:

                                Nigel,

                                Our experiences with BT evidently differ … so be it.

                                […]

                                ^^^

                                #748668
                                Chris Crew
                                Participant
                                  @chriscrew66644

                                  Had a phone call yesterday on the ‘land-line’ number, so I was immediately on guard as it’s only the scammers who ever call it these days. A very pleasant well-spoken female voice asked me how I was, to which I replied ‘fine thank you, who is calling, please?’ After identifying itself as some sort of service, the voice then attempted to ask some questions about my house but I gave evasive answers having already determined that I was going to terminate the call at some point soon. However, I did have time to notice a slight delay between my answer and the next question, about as long as it takes you to clear your throat, you might say. It then began to dawn on me that I may not be talking to a real cold-caller at all but, possibly, an AI generated representation of one and the short silences were the time taken for the program to generate the next question. I can’t be certain but it’s worth bearing in mind and looking out for if you receive such a call, try to notice the slight pauses in the responses as the call progresses. Has anyone else had calls like this?

                                  #748680
                                  modeng2000
                                  Participant
                                    @modeng2000

                                    I have had calls like this, only a male voice.

                                    John

                                    #748685
                                    Michael Gilligan
                                    Participant
                                      @michaelgilligan61133
                                      On Nigel Graham 2 Said:
                                      Odder and odder.

                                       

                                      […]

                                       

                                      I am going to report the “Amazon” message as a phishing attempt…… Luckily its message simply asked me for the e-address used by Amazon for the account it thinks I have, so its senders have learnt nothing new.

                                       

                                      [ my emboldening ]

                                       

                                      I really don’t wish to pry, Nigel but are you any closer to getting this matter resolved ?

                                      I’m sure it will ‘go against the grain’ but if you try logging-in to Amazon UK using your eMail address … you will get this ‘pop-up’

                                      .

                                      IMG_0051

                                      .

                                      In your shoes, I would simply request the OTP and follow my nose !

                                      MichaelG.

                                       

                                      #748709
                                      Grindstone Cowboy
                                      Participant
                                        @grindstonecowboy
                                        On Chris Crew Said:

                                        … I gave evasive answers having already determined that I was going to terminate the call at some point soon. However, I did have time to notice a slight delay between my answer and the next question, about as long as it takes you to clear your throat, you might say. It then began to dawn on me that I may not be talking to a real cold-caller at all but, possibly, an AI generated representation of one …

                                        You can try giving completely ridiculous answers e.g. “How are you?” “I’m a banana trifle”.

                                        If they are real, it’ll confuse them, if it’s AI, see how it responds 🙂

                                        Rob

                                        #748751
                                        Nigel Graham 2
                                        Participant
                                          @nigelgraham2

                                          Thank you, Gents, for the help!

                                          I think I will pop into the library and ask innocently if they have more details about the presentation. If they know nothing about it I will then reveal why I asked.

                                           

                                          Regarding Amazon, no I still have not resolved the problem.

                                          I did try as you suggest, Michael, but it demanded a pass-word and though it sent a replacement, that failed. I had the impression it expired too rapidly for me to use it.

                                          It is as if Amazon is determined to control how people use its site so tightly you cannot question it.

                                          .

                                          Rob – Another approach is to try to talk over it. A real person will object to being interrupted.

                                          The “banana trifle” trick is most likely to make real callers ring off immediately, their usual response as soon as they are rumbled. Could be fun though, stringing a robot along at the gang’s expense!

                                          It might be programmed to switch off at totally absurd answers not fitting the expected pattern. Swearing at it might bring the same termination.

                                          I discovered one pattern of response live callers claiming being from Microsoft or the “Windows Corporation” dislike is something like, “I have two computers on-line, so do you mean the Sun Microsystems or the HP 45 one?” Each detail must of course be as bare-faced a lie as the caller’s.

                                          (Those computers were real…. in the 1980s-90s. If I recall the model correctly the Hewlett-Packard 45 was a very simple instrument, driving HP-made signal analysers, graph-plotters, etc. by user-written, HP-BASIC programmes and parallel-port cables. The Sun I saw used its own form of “windows” display, very pared-down and requiring mainly command-line operation; but apparently a sums-box far more powerful than early MS-using PCs.)

                                           

                                          On one silent call, I repeated over and over again a soft bleat, hoping anyone monitoring would think I was some sort of electronic machine. I kept it up until the call ended automatically.

                                           

                                          #748760
                                          Anonymous

                                            None of what you guys do is going to make any difference to this situation. Is your time of such little value?

                                            #749320
                                            Nigel Graham 2
                                            Participant
                                              @nigelgraham2

                                              Peter – I posted it partly as a warning.

                                              ………

                                              Sequel

                                              I visited the library today and this verified the promised BT presentation is real…

                                              BUT…

                                              The e-post telling me did not look right in several ways, BT’s own help department was suspicious too and said there was no record of BT having sent me any messages over this time.

                                              The librarian advised me not to touch the three buttons on the message and to delete it. (I hadn’t, and I have – oh, and I reported it to BT’s own scam-reporting service.)

                                              By coincidence a couple of weeks ago I also received a message about my closing a savings account with a certain company. I queried this and today received a reply that the company had not sent me any such message – might it refer to another policy? Since the only other policy I think I have with it is a company pension, that is hardly likely.

                                              [I say “think” because fund managers are prone to selling them to other firms with ever more opaque names that don’t reveal what they do.]

                                              .

                                              I think this shows the more sophisticated gangs are becoming much more skilled at accurately copying company “letter-heads” and making their lies ever more convincing. It’s time companies started embedding anti-copying software in their letter-heads and pro-formas, as I believe the photo-gallery companies do.

                                              #749350
                                              SillyOldDuffer
                                              Moderator
                                                @sillyoldduffer
                                                On Peter Greene Said:

                                                None of what you guys do is going to make any difference to this situation. Is your time of such little value?

                                                I like to think it makes a small difference.   An operation was mounted in Bangladesh a few weeks ago after UK authorities collecting complaints traced the call-centre.   It won’t stop them, but criminals hate becoming known to police and that makes me feel better!

                                                If I have spare time, I like to waste theirs.   The baddies have to pay for a building and tele-comms equipment, so me giving them the run-around costs them money and stops them finding someone more vulnerable in the meantime.

                                                I suspect if everybody the criminals rang deliberately wasted their time, they’d have to give up.

                                                Dave

                                                #749411
                                                Nigel Graham 2
                                                Participant
                                                  @nigelgraham2

                                                  They probably need only catch one in a thousand to make the wasted calls worthwhile, if the victim has enough money to steal.

                                                  It is worrying that the two messages I received, allegedly from BT and a finance company, looked so real, and that the first might have been a rip-off of a genuine message. I don’t know if that is possible but I am thinking of perhaps a parallel to the false QR codes that have been found stuck over the genuine ones on car-park meters.
