Beware This Scam Attempt!

[Nigel Graham 2Participant @nigelgraham2]

In light of all the hoo-hah about full-fibre broadband, this one is particularly dangerous because it uses your name and the real name and address of your local library, wrapped up in a very close facsimile of the BT’s letter-head:

 

“

Hello Nigel,

In the near future, we’ll be switching your home phone service to BT’s new Digital Voice, so we can continue to give you the best service today and for the future.

We know that you might have questions or want some more information, so we’re coming to [your town name] in person, where we’ll have a team on hand who can tell you what Digital Voice is, why the change is necessary, and what it means for you.
 
 
Where and when
 
 
We’re holding a drop-in on 3rd September between 10:00-14:00 at:

[local] Library and Learning Centre
[Its real address including correct post-code, although with the street name mis-spelt]
 
 
You don’t have to pre-book, just turn up.

Do you think you’ll attend? Click here to let us know:

”

Followed by three buttons: YES. NO, MAYBE

Then small print, some abstracted from BT, including further links.

Just as I was reaching for my calendar, something made me look again, closely.

– Rather bad formatting including a double-line break in mid-sentence, and some words broken on two lines,

– the spelling error, the tautology,

– the sending address looking not quite right for BT,

– the over-familiar salutation,

– a service-type name new to me,

– the self-contradictory “booking”…

then the “View Source” tool showed a rather strange routing via something called “.amazonses.”

I telephoned BT and after the usual ‘Press 8 To Be Driven Up The Wall’ rigmarole made contact with a very helpful lady in Warrington (she said). She confirmed this e-message was fraudulent, the service name is fiction, the sending address not correct for BT.

I blocked the sender and domain, and forwarded the message to BT’s own phishing-report service.

.

This was not long after I’d seen off, co-incidentally, one of those Asian call-centre blokes with an English name, ringing to tell he was Microsoft and my computer had reported…

“Which computer do you mean?” I asked politely, starting an exchange that soon made him realise I was not going to fall for his nonsense.

[DiogenesParticipant @diogenes]

Are you being changed over to DV, or has it happened already?

[Nigel Graham 2]

On 22 August 2024 at 23:19 Nigel Graham 2 Said:

[…]

I telephoned BT and after the usual ‘Press 8 To Be Driven Up The Wall’ rigmarole made contact with a very helpful lady in Warrington (she said). She confirmed this e-message was fraudulent, the service name is fiction, the sending address not correct for BT.

[…]

Well-caught, Nigel

The Digital Voice moniker is quite legitimate:

https://www.bt.com/broadband/digital-voice

but  after decades as a BT sufferer, I could believe almost any level of incompetence in their communications.

MichaelG.

[ left BT in 2022, and am much happier with Zen ]

[Michael GilliganParticipant @michaelgilligan61133]

[ FOOTNOTE ]

Here’s a screen-grab from the page that I linked:

[HopperParticipant @hopper]

You need this https://www.mailwasher.net/ It’s free and it works pretty well.

Spam is part of the environment in the 21st Century. Life is too short to spend time dealing with it on a one-at-a-time basis.

[Nigel Graham 2Participant @nigelgraham2]

Michael –

The only problem I have with BT is its bewildering web-site! Once you contact someone they are normally very helpful.

Their unsolicited communications – both information and advertising – are fine, and very clear.

The clues that the message was false, included various small mistakes like poor formatting; but most important was the strange routing revealed by BTInternet’s own ‘View Source’ tool.

…

That hidden address included the word amazonses…

Given my recent brush with the Amazon on-line retailer, that odd word aroused my suspicions still further. I had written about six weeks ago to the US company’s London office, about the original problem with it, but have yet to receive a reply.

Amazon’s web-site is even more cluttered and baffling as BT’s, but I searched again this morning and eventually found a discrete customer-services e-mail address not needing my alleged, and locked, account.

So I sent a message explaining the original problem with Amazon, asking for the alleged account to be erased, but also mentioning the “amazonses” on the fake BT message.

To my surprise I had an acknowledgement very rapidly, promising to investigate.

[Michael GilliganParticipant @michaelgilligan61133]

Nigel,

Our experiences with BT evidently differ … so be it.

What I can help you with, however, is this:

https://aws.amazon.com/ses/

Aside from all the physical ‘fulfilment’ services, Amazon is a very big provider of ‘cloud-related ‘ services.

MichaelG.

[Nigel Graham 2Participant @nigelgraham2]

Odder and odder.

Diogenes – No, I am still on the proper service!

……..

Are there any programmers or similar here, please? I cannot read server-control codes but there seems a peculiar likeness in what I have received, visible only by using the analysis tool on the normal tool-bar but really intended for IT professionals.

 

I closed this site then out of curiosity ran ‘View Source’ on the reply from Amazon, which they managed to send twice.

I also thought the message English slightly odd, but the firm might be using an overseas call-centre. Anyway, this is the routing. Notice the word “amasonses”?

So from Amazon... supposedly:

Return-Path: <202408231138107c70a43d5a7348e78cc326feae90p0eu-C1NYSK3ECZRIDF@bounces.amazon.co.uk>
Received: from btprdrgi023.btinternet.com ([10.248.67.160])
by btprdfep059.mx.internal with ESMTP
id <20240823113810.FFOU10764.btprdfep059.mx.internal@btprdrgi023.btinternet.com>
for <n_graham@btinternet.com>; Fri, 23 Aug 2024 12:38:10 +0100
Authentication-Results: btinternet.com;
dmarc=pass header.from=amazon.co.uk;
dkim=pass;
dkim=pass;
spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com;
spf=pass smtp.mailfrom=bounces.amazon.co.uk;
arc=none smtp.client-ip=54.240.1.126;
bimi=skipped
X-OWM-SPF-MAILFROM: Pass
X-OWM-SPF: 0
Received-SPF: none (btprdrgi023.btinternet.com: domain
a1-126.smtp-out.eu-west-1.amazonses.com does not designate permitted sender
hosts) identity=helo; receiver=btprdrgi023.btinternet.com;

After that it is even more computerese.

This is the equivalent for the fake BT message (it is still in my Deleted folder).

Return-Path: <010201917955a23a-03c259c6-0513-4690-bdbc-7bf9531cee93-000000@eu-west-1.amazonses.com>
Received: from btprdrgi039.btinternet.com ([10.248.67.31])
by btprdfep009.mx.internal with ESMTP
id <20240822090541.RATC1724510.btprdfep009.mx.internal@btprdrgi039.btinternet.com>
for <n_graham@btinternet.com>; Thu, 22 Aug 2024 10:05:41 +0100
Authentication-Results: btinternet.com;
dmarc=pass header.from=message.bt.com;
dkim=pass;
dkim=pass;
spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com;
spf=pass smtp.mailfrom=eu-west-1.amazonses.com;
arc=none smtp.client-ip=23.251.239.18;
bimi=skipped
X-OWM-SPF-MAILFROM: Pass
X-OWM-SPF: 0
Received-SPF: none (btprdrgi039.btinternet.com: domain
e239-18.smtp-out.eu-west-1.amazonses.com does not designate permitted sender
hosts) identity=helo; receiver=btprdrgi039.btinternet.com;
client-ip=23.251.239.18; helo=e239-18.smtp-out.eu-west-1.amazonses.com;
Received-SPF: pass (btprdrgi039.btinternet.com: domain eu-west-1.amazonses.com

……

Hoax BT:

spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com;
spf=pass smtp.mailfrom=bounces.amazon.co.uk;

HOAX??? Amazon:

spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com;
spf=pass smtp.mailfrom=eu-west-1.amazonses.com;

 

I am going to report the “Amazon” message as a phishing attempt…… Luckily its message simply asked me for the e-address used by Amazon for the account it thinks I have, so its senders have learnt nothing new.

 

[Author]

Posts