AnteSpam

Spam & viruses stopped since 2003
AnteSpam's IP block is 198.73.4.0/27.
AnteSpam is closing on June 1, 2024.

Phishing Scams: 10 Emails to Watch Out For

A Brief Intro on How To Recognize DANGEROUS spams and scams

Zero-day phishing email is rarely detected in time by automated tools. So sometimes dangerous email ends up in your inbox.

Our Email Security Training (EST) program is a simple, easy way to learn about and stay updated on phishing emails and build safe email reading habits while you read your normal email.

More About Phishing Awareness and EST

Below are some examples of phishing email and how to recognize them. These examples contain names of real companies. It is important to know that these companies are innocent and NOT to be blamed for these scams. They could not stop them any more than you could stop someone from putting your return address on a postal mail letter to make it look like it was from you.

This is an email that might LOOK like it is from your credit card company. Except it is NOT from your card company. Here is how you tell.

  • First, if you did not expect to get the email, there is a VERY good chance it is BOGUS. Always be suspicious of surprise emails from your bank, credit card company or anyone in the government. For example, the IRS NEVER USES EMAIL FOR OFFICIAL BUSINESS.
  • Spamming is high volume and fast-paced. Often the spammers make mistakes or do not have full information to make the best forgery. Notice the account number is missing from the example below.
  • Hover or roll (do NOT click!) your mouse over the links that you would normally click on and look in the lower left part of your email window to see where the link will actually take you. IGNORE the link text in the email itself. Go ahead, try it with the email below. The most important part of the link is the text immediately to the left of the first single /. A link like "http://americanexpress.asgdk.ru/" is NOT safe. The ".ru/" is the key. A legitimate link will have something more like "americanexpress.com/". We changed the example below to point to antespam.com/. Bottom line, if you do not recognize the text to the left of the first single '/', do NOT click on it. If you are not sure but think the email could be important, take the time to make a good old-fashioned phone call to customer service.
 
Confirmation
Verify Your Request

Your Account Number Ending:

Dear Customer,

Did you recently verify your User ID or reset the password that you use to manage your American Express Card account online?

If so, you can disregard this email. To help protect your identity online, we wanted to be sure that you had made this request.


If not, please click here, or log on to https://www.americanexpress.com/ so we can protect your account from potential fraud.


Thank you for your Cardmembership.

Sincerely,

American Express Customer Service

P.S. To learn how to protect yourself on the internet and for information about Identity Theft, Phishing and Internet Security, please visit our Fraud Protection Center at http://www.americanexpress.com/fraudprotection.

www.americanexpress.ca/privacy View Our Privacy Statement Add Us to Your Address Book

This customer service email was sent to you by American Express. You may receive customer service emails even if you have requested not to receive marketing emails from American Express.

Copyright 2012 American Express Company. All rights reserved.

AGNEUMYC0001001


Do you belong to LinkedIn? I do. LinkedIn is a popular site for professionals to network with other professionals... and scammers try to take advantage of that. Below is a convincing example.

  • First, this example is complete on the surface. No way to tell if it is a scam just by looking at and reading it, except that it is from someone you probably do not know. That should make you suspicious.
  • Your mouse is your friend again. Watch the lower left corner of your web browser (or email program) when you hover your mouse over the name "Julian Murphy", the number of messages, the "Go to InBox now", or the unsubscribe link at the bottom. You can see that the links do NOT take you to linkedin.com. Again we have changed the links to point to AnteSpam.com instead of the original malicious web site.

LinkedIn

REMINDERS

Invitation reminders:

 From Julian Murphy  (LinkedIn Member)


PENDING MESSAGES

There are a total of 3 messages awaiting your response. Go to InBox now.

This message was sent to webmaster@cornhuskers.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe. LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2013, LinkedIn Corporation.

WOW! Microsoft accidentally sent me someone's remit file! It even has a Confidentiality Notice! All I have to do is open the attached .zip file and read it.

  • First off, NO! No one is going to "ACCIDENTALLY" send you a confidential remit file, and definitely not as a .zipped excel file.
  • A great rule to always follow is: IF YOU DO NOT EXPECT IT, BE SUSPICIOUS! If you know the sender, call to confirm they sent it. If you do not know them and cannot call them, toss the email in your trash.

To: ME
Subject: FW: Last Month Remit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_009_4Y80986A2B9UVD0X5S39F1U3EM47D18CPY6OWMQRM81I265MUC5PEQV_"
Sender: PAYVESUPPORT@AEXP.COM

--_009_4Y80986A2B9UVD0X5S39F1U3EM47D18CPY6OWMQRM81I265MUC5PEQV_
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: quoted-printable

File Validity: 04/05/2013
Company : http://mycompany.com
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s). This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from your system and destroy all copies of it.

--_009_4Y80986A2B9UVD0X5S39F1U3EM47D18CPY6OWMQRM81I265MUC5PEQV_
Content-Type: application/zip; name="Remit_canes.com.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Remit_canes.com.zip"

...

OMG! My bill payment failed! I have to investigate and fix this right away! But, WAIT! and think and look closer...

  • First, your bank or a real payment processor will NEVER send you a .zip file...NEVER! The government won't even do official business over email.
  • Next, this email LOOKS good. But there is one way you can ALWAYS tell if the email is for real. AND THIS CAN NOT BE FAKED.

    Use your email program to look at the email header or the email "source". Once you have the header, look carefully starting at the TOP going down for the 3 lines that start with "X-AnteSpam-" (see the example below). Once you find those 3 lines, look at the next line down. THAT line and no other tells you the name of the mail system that REALLY sent this email. We KNOW that line can be trusted because AnteSpam wrote it.

    As you can see below, in the case of the Bill Payment failed scam, the line is "Received: from fiserv.com (unknown [38.86.160.180])". AnteSpam writes that the sending mail system claims its name is "fiserv.com" and its IP address is "38.86.160.180"... AnteSpam then checks the Internet DNS for the host name at the IP address, 38.86.160.180, and reports it next to the IP address inside the "( )". As you can see AnteSpam found NO NAME for the computer at 38.86.160.180 and wrote "unknown". This is how you know that computer is probably trying to pretend it is someone it is not.

    X-AnteSpam-Report: http://antespam.com/missed/d2f5c444d50ed2e5572f3670638c2e7bc703951d1adda3
    X-AnteSpam-From: auto-notification@fiserv.com
    X-AnteSpam-Score: 0.902
    Received: from fiserv.com (unknown [38.86.160.180])
        by incoming.antespam.com (Postfix) with ESMTP id BA6E7206FEE
        for myaddress@mydomain.com; Tue, 9 Apr 2013 08:41:38 -0500 (CDT)

  • And finally, if you are still not sure, call your bank or payment processor and confirm they are not crazy enough to be sending zip files to you over email.
Bank of America Logo
 

You have a new e-Message from Bank of America

This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.

Please check attached file for more detailed information on this transaction.




Pay To Account Number: **********6440
Due Date: 05/01/2013
Amount Due: $ 563.45
Statement Balance: $ 2,915.05

IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

We apologize for any inconvenience this may cause.
.

Please do not reply to this message. If you have any questions about the information in this e-Bill , please contact your Bill Pay customer support . For all other questions, call us at 800-887-5749.


Bank of America, N.A. Member FDIC. Equal Housing Lender
©2013 Bank of America Corporation. All rights reserved.
========================================
Please do not delete this section.
Email_ID:#732262168580316675814_
========================================
--------------01030100401090304020703
Content-Type: application/zip; name="04092013.zip"
Content-Transfer-Encoding: base64
Content-ID: <33b39f7643df$a3f22cd9$0a33a1dd$ATONYND>
Content-Disposition: inline; filename="04092013.zip"

FedEx could not deliver your package!

  • First, the message, "To receive your parcel, please, print this receipt and go to the nearest office.", is a little "terse" and of course not correct. But you don't always know that.
  • Most importantly, roll your mouse or hover (do NOT click!) over the Print Receipt link and watch the lower left corner of your browser or email program. If this was from FedEx the link would point to fedex.com/somewhere.

    Do not just look for the correct domain name, fedex.com, anywhere in the link URL. To be safe, the correct domain MUST always be followed by the FIRST single "/" (like FedEx.com/, or DHL.com/, or UPS.com/).

    A URL like "http://fedex.com.givemeyourpassword.in/gotcha/.krbsvx.php?receipt=854_2201783" is NOT safe.

Fireworks cause deadly highway collapse in China
FedEx
Tracking ID: 2123-28841711
Date: Monday, 17 March 2013, 11:05 AM

 

Dear Client,

Your parcel has arrived at March 21.Courier was unable to deliver the parcel to you at 21 March 05:48 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

     

Print Receipt

Best Regards, The FedEx Team.
FedEx 1995-2013

AARP Wants You!

  • This one is pretty easy to spot. Just look at where those http: links will take you...NOT to an AARP web page, that's for sure.
  • REMEMBER, do not just look for the correct domain name, aarp.com, anywhere in the link URL. The correct domain MUST always be followed by the FIRST single "/" (like AARP.com/).

    A URL like "http://www.aarp.com.antespam.com/gotcha/.krbsvx.php?receipt=854_2201783" would take you to an antespam.com page if that page existed.

Date: Mon, 08 Apr 2013 13:02:07 -0500
From: "AARP update"
MIME-Version: 1.0
To: you@yourdomain.com
Subject: Enroll today and get a gift on us
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

No one does more for people over 50 than AARP - learn more today:
http://www.aarp.com.antespam.com/1a84611d66a4c4176a64f552cc/C/i=rlsyt/o

AARP, 601 E. Street NW, Washington, DC 20049

To unsubscribe please use the link below:
http://www.aarp.com.antespam.com/r/move/116/6084/5590950
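
The hover check described in the American Express, FedEx and AARP examples above, automated as an added example that is not part of the original page: it pulls every link out of an HTML email body and compares the host (the text left of the first single "/") with the domain the email claims to come from. The sample body is constructed from wording and URLs quoted on this page, and the function names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def link_host(url):
    """Host part of a URL: the text just left of the first single '/'."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(url, domain):
    """True only if the host is the domain itself or a subdomain of it.

    A substring test is not enough: 'fedex.com.givemeyourpassword.in'
    contains 'fedex.com' but ends in 'givemeyourpassword.in'.
    """
    host, domain = link_host(url), domain.lower()
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_links(html_body, expected_domain):
    """Return (link text, real host, ok) per link; the link text is never trusted."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    return [(text, link_host(href), belongs_to(href, expected_domain))
            for text, href in collector.links]


# Constructed sample: wording from the American Express example above, with
# the unsafe host this page quotes placed behind two of the three links.
SAMPLE_BODY = """
<p>If not, please <a href="http://americanexpress.asgdk.ru/">click here</a>,
or log on to
<a href="http://americanexpress.asgdk.ru/">https://www.americanexpress.com/</a>
so we can protect your account from potential fraud.</p>
<p>Visit our
<a href="https://www.americanexpress.com/fraudprotection">Fraud Protection Center</a>.</p>
"""

if __name__ == "__main__":
    for text, host, ok in audit_links(SAMPLE_BODY, "americanexpress.com"):
        print("OK     " if ok else "SUSPECT", host, "<-", repr(text))
```
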

This looks scary. It also looks pretty official with a case number and no suspicious http links. The dangerous part is the attached zip file which will infect your PC (and possibly your entire business network of PCs) faster than you can sneeze.

How do you know it is a scam? Two big things give it away.

  • The IRS and Dept of Treasury DO NOT send official notices through email! NEVER! If the Federal or State government wants to communicate with you, they will send postal mail first.
  • No one in the Federal or State government is going to send you a zip file out of the blue. They might if you have communicated with them and requested scanned copies of documents or something similar to be sent via email. But that will only happen if you have requested it. So if you did not ask for a zip file to be sent to you, IT IS PROBABLY DANGEROUS! Throw that email in the trash!

Date: Fri, 1 Feb 2013 16:56:06 +0200
From: CustomerSupport@fms.treas.gov
To:
Message-ID: <6945136892.33093629130535826419.JavaMail.wasuser@fmsprap47.bpd.treas.gov>
Subject: Department of Treasury Notice of Outstanding Obligation - Case 5D8EH6CQ
MIME-Version: 1.0
X-TNEFEvaluated: 1
Content-Type: multipart/mixed; boundary="_007_OH9MPIF0O5PY8OIE5SWZNK90N4J53UBQ6UE138KCN8E4AHLRCDG3TH2_"
Sender: message@securebank.com

--_007_OH9MPIF0O5PY8OIE5SWZNK90N4J53UBQ6UE138KCN8E4AHLRCDG3TH2_
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: quoted-printable

We have received notification from the Department of the Treasury, Financial Management Service (FMS) that you have an outstanding obligation with the Federal Government that requires your immediate attention. In order to ensure this condition does not affect any planned contract or grant activity, please review and sign the attached document and if you are unable to understand the attached document please call FMS at 1-800-304-3107 to address this issue. Please make sure the person making the telephone call has the Taxpayer Identification Number available AND has the authority/knowledge to discuss the debt for the contractor/grantee.

Questions should be directed to the Federal Service Desk at: http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-9695
Int. Phone 1-344-206-1595 for international calls
For DSN, dial 809-463-2714. Wait for a dial tone, and then dial 866-606-7945.

--_007_OH9MPIF0O5PY8OIE5SWZNK90N4J53UBQ6UE138KCN8E4AHLRCDG3TH2_
Content-Type: application/zip; name="FMS-Case-5D8EH6CQ.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="FMS-Case-5D8EH6CQ.zip"

attached zip file

I got an alert from BreakingNews@mail.CNN.com? Not really!

If you made the mistake of clicking on the links in the original scam email, your computer could have been infected with a "drive-by" virus that could capture passwords to your online accounts or worse. Here is how you know the email is a fake and possibly dangerous.

  • First and again, your mouse can show you something is wrong. Just move your mouse over (do NOT click!) the different links and watch the lower left of your email program or browser. There you will see the link is NOT going to a cnn.com web site. We have manually modified the links to harmlessly point to antespam.com, but the original was definitely NOT CNN.
  • If the forged links are not enough, you can look at the email headers in the source. Once you have the header, look carefully starting at the TOP going down for the 3 lines that start with "X-AnteSpam-" (see the example below). Once you find those 3 lines, look at the next line down. THAT line and no other tells you the name of the mail system that REALLY sent this email. We KNOW that line can be trusted because AnteSpam wrote it.

    As you can see below, in the case of the BreakingNews scam, the line is "Received: from hawk217.t-bird.edu (hawk217.t-bird.edu [192.160.35.217])". AnteSpam writes that the sending mail system SAYS its name is "hawk217.t-bird.edu" and its IP address is "192.160.35.217"... AnteSpam then checks and confirms that. The problem here is the ".edu" in the sending server name means this came from a school computer, NOT CNN.

    X-AnteSpam-Report: http://antespam.com/missed/c42098b9feb45037a578a0eb7fa9d1fecb68f96920eaf02c60eba33473753b51
    X-AnteSpam-From: pantomimingpw50@emalsrv.cnn.com
    X-AnteSpam-Score: 1.311
    Received: from hawk217.t-bird.edu (hawk217.t-bird.edu [192.160.35.217])
        by incoming.antespam.com (Postfix) with ESMTP id E715B2070DD;
        Wed, 17 Apr 2013 11:37:11 -0500 (CDT)
 
CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews@mail.cnn.com:
Click the following to access the sent link:
Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com*
SAVE THIS link FORWARD THIS link
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

Your American Airlines (or any airline) Ticket? No.

If you made the mistake of clicking on the "Download It" link in the original scam email, your computer could have been infected with a "drive-by" virus that could capture passwords to your online accounts or worse. Here is how you know the email is a fake and possibly dangerous.

  • First, if you are not expecting a confirmation email for an upcoming flight, it is very likely dangerous, so DELETE IT.
  • Again, your mouse can show you something is wrong. Just move your mouse over (do NOT click!) the Download link and watch the lower left of your email program or browser. There you will see the link is NOT going to an American Airlines web site. We have modified the link in this example to harmlessly point to antespam.com, but the original was definitely NOT American Airlines.
  • If the forged Download link is not enough, you can look at the email header in the source. Once you have the header, you will see lines that start with "Received:" followed by one or two indented lines. These "Received: paragraphs" will look something like the example below and there could be a LOT of them, anywhere from one to thirty. This example shows two "Received: paragraphs":

    Received: from d307.dinaserver.com (d307.dinaserver.com [82.98.148.182])
        by incoming.antespam.com (Postfix) with ESMTP id 17C9B2B08696
        for ; Thu, 18 Apr 2013 07:37:48 -0500 (CDT)
    Received: by d307.dinaserver.com (Postfix, from userid 30265)
        id 4B77F1889FEE; Thu, 18 Apr 2013 14:37:45 +0200 (CEST)

    Look carefully near the top of the header for the "Received:" paragraph with a second line starting with "by incoming.antespam.com". THAT paragraph was written by AnteSpam and can be trusted. This paragraph will also usually follow an "X-AnteSpam-Score:" line.

    As you can see in the example above, in the case of the AA Ticket scam, the AnteSpam "Received: paragraph" shows the email was "Received: from d307.dinaserver.com (d307.dinaserver.com [82.98.148.182])". American Airlines email is NOT going to be sent from "dinaserver.com".
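
The header check described above for the Bill Payment, BreakingNews and AA Ticket examples, as an added example that is not part of the original page: it finds the topmost "Received:" paragraph stamped by incoming.antespam.com and compares the verified sending host with the company the email claims to be from. The header text is copied from this page and refolded; the function names, result labels and the brand domains passed in are assumptions of the example.

```python
import re
from email import message_from_string

TRUSTED_MX = "incoming.antespam.com"  # receiving gateway named on this page

# "from <HELO name> (<reverse-DNS name or 'unknown'> [<IP>]) by <receiving host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")


def gateway_hop(raw_headers, trusted=TRUSTED_MX):
    """Fields of the topmost Received header stamped by the trusted gateway.

    Headers are scanned top-down and the first match wins: the gateway
    prepends its line, so anything below it arrived with the message and
    could have been written by the sender.
    """
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # undo header folding
        if m and m.group("by").lower() == trusted:
            return m.groupdict()
    return None


def same_org(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(raw_headers, brand_domain):
    """Classify the gateway hop against the brand the email claims to be from."""
    hop = gateway_hop(raw_headers)
    if hop is None:
        return "no-gateway-hop"
    if hop["rdns"] == "unknown":
        return "no-reverse-dns"          # the IP has no name in DNS
    if not same_org(hop["rdns"], brand_domain):
        return "sent-from-other-domain"  # the real sender is someone else
    return "consistent"                  # one good sign, not proof of safety


# Headers as shown on this page, refolded one header per paragraph.
BILL_PAY = """\
X-AnteSpam-From: auto-notification@fiserv.com
X-AnteSpam-Score: 0.902
Received: from fiserv.com (unknown [38.86.160.180])
\tby incoming.antespam.com (Postfix) with ESMTP id BA6E7206FEE
\tfor myaddress@mydomain.com; Tue, 9 Apr 2013 08:41:38 -0500 (CDT)
"""
AA_TICKET = """\
Received: from d307.dinaserver.com (d307.dinaserver.com [82.98.148.182])
\tby incoming.antespam.com (Postfix) with ESMTP id 17C9B2B08696
\tfor ; Thu, 18 Apr 2013 07:37:48 -0500 (CDT)
Received: by d307.dinaserver.com (Postfix, from userid 30265)
\tid 4B77F1889FEE; Thu, 18 Apr 2013 14:37:45 +0200 (CEST)
"""

if __name__ == "__main__":
    print(assess(BILL_PAY, "fiserv.com"))
    print(assess(AA_TICKET, "aa.com"))
```

A "sent-from-other-domain" result is a prompt to verify by phone, as the page advises, since companies sometimes send legitimate mail through outside mail services.
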

Beyonce admits Inauguration Day pre-recording
    American Airlines

 
   
Customer Notification

Your bought ticket is attached to the letter as a scan document.

To use your ticket you should Download It .

 

 
Electronic Ticket Number Seat Date / Time of Departure Flight Time Arriving Ref Bag Form of payment Total Price  
EH1177583996 21F/ZONE 1 19 APRIL, 2013, 10:45 PM 09:35 Louisville LE1250 ST / OK 6PC CC 188.88 USD  
 

 

 
Thank you, AA.com Team.  
American Airlines 2013

 


 

This looks official with a company logo and shipment number. However, the clickable links will take you somewhere you do NOT want to go!

You know it is a scam two ways.

  • You have not shipped a package through DHL and are not expecting one.
  • Even if you do use DHL, let your mouse check it out. Just move your mouse over (do NOT click!) the Get Shipment Info and Tracking Page links and watch the lower left of your email program or browser. There you will see the link is NOT going to a DHL web site. We have modified the link in this example to harmlessly point to antespam.com, but the original was definitely NOT DHL.
If the links are not working, please move message to  "Inbox" folder.

                            DHL   
                                                                       PACK STATION     

DHL Ship Shipment Notification


On April 29, 2013 a shipment label was printed for delivery.
The shipment number of this package is 59237976.

To get additional info about this shipment use any of these options:


1) Click the following URL in your browser:
                  Get Shipment Info


2) Enter the shipment number on tracking page:
                  Tracking Page


For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.


Disclaimer:

This message was created by DHL Ship, a product of DHL, at the request
of the sender. No authentication of email address has been performed.
  Deutsche Post DHL    2013 DHL International GmbH. All rights reserved.