Error-laden phishing attempts


Phishers trawling for email account names are generally smart enough to pull all sorts of programming tricks, forging headers and obtaining lists of spammable addresses and setting up arrangements to capture login names and passwords obediently typed in by the gullible; but then they give themselves away with errors of grammar and punctuation that are just too gross to be perpetrated by the authorized guys at the communications and technology services unit.

I received a phishing spam today that had no To-line at all (none of that "undisclosed recipients" stuff, and no mention of my email address in it anywhere). It looked sort of convincing in its announcement that webmail account holders would have to take certain steps to ensure the preservation of their address books after being "upgraded to a new enhanced Outlook interface". (My own university has, tragically, been induced to do an upgrade of this kind to its employee email services.) But the linguistic errors in the message begin with the 13th character in the From line (that second comma is wrong). I reproduce below the raw text of what I received, stripping out only the locally generated receipt and spam-checking headers (and by the way, this message—spam though it is—succeeded in getting a spam score of 0).

Received: from ([fe80::d0d9:448b:fb6a:44e3]) by ([::1]) with mapi id 14.03.0224.002; Mon, 26 Jan
   2015 07:33:00 -0500
Return-Path: <>
From: "Ellis, Lorne, W" <>
Subject: FW: ITS Help Desk Support Center
Thread-Topic: ITS Help Desk Support Center
Thread-Index: AdA5YF4JysxFjiT/RPaMxudT2XNboAAA8Oxi
Date: Mon, 26 Jan 2015 12:32:58 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

From: Ellis, Lorne, W
Sent: Monday, January 26, 2015 7:05 AM
To: Ellis, Lorne, W
Subject: ITS Help Desk Support Center

This message is from ITS Services to all Web-mail account owners. We are removing access to all our mail clients. Your email account will be upgraded to a new enhanced Outlook interface provided by ITS Services Desk. Effective from the moment this email has been received and response received from you, ITS Services Account will discontinue the use of our mail Lite interfaces. To ensure your e-mail address book is saved in our database.Please clickhere<> and enter your Web-mail logins on the admin data based form. then submit

ITS Help Desk Support Center.

This email has been checked for viruses by Avast antivirus software.


The information contained in this email may be confidential and/or legally privileged. It has been sent for the sole use of the intended recipient(s). If the reader of this message is not an intended recipient, you are hereby notified that any unauthorized review, use, disclosure, dissemination, distribution, or copying of this communication, or any of its content, is strictly prohibited. If you have received this communication in error, please contact the sender by reply email and destroy all copies of the original message. Thank you.

(To Lorne Ellis: if this little project isn't yours, then you need to try to find out who has been falsely assuming your email identity.)

Most of the errors are in punctuation: the second comma in the From line; the period after the "To ensure" clause (a reason or purpose adjunct that should have been followed by a comma); the missing space in "clickhere"; the missing capitalization and period of "then submit"; and so on. This looks like the work of a native speaker who is not very used to writing documents addressed to the public. But there are other kinds of error too.

"ITS Help Desk Support Center" is a subtle syntactic or semantic mistake. A help desk doesn't need a support center, and a help desk that was in a support center would be called the Support Center Help Desk, not the Help Desk Support Center.

And notice "faculty and staffs" in the URL that you are supposed to download the form from.

The message came from (or showed evidence of having come from) an account at the Anne Arundel Community College in Arnold, Maryland. But it's not from the Technical Call Center that deals with IT services to faculty and staff. As one can immediately see from this page, they would have URLs of the form "…", and not "…".

The link to fetch the form doesn't even work (I risked trying it). exists (it's a provider of web support tools), but the URL doesn't. Lorne Ellis's phishing attempt (if it is indeed him) must be at an early stage of development. But I thought I'd warn you anyway. Don't click on the links in a message stuffed with punctuation errors. It's a jungle out there.
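The give-aways listed in this post can also be checked mechanically. The following Python sketch is an added example, not part of the original post: the sample message is constructed from lines quoted above, and the check names, the control message and its example.org addresses are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: a few header lines and one body sentence taken from the
# message quoted above (addresses were already blank on the page).
SAMPLE = '''\
From: "Ellis, Lorne, W" <>
Subject: FW: ITS Help Desk Support Center
Date: Mon, 26 Jan 2015 12:32:58 +0000

To ensure your e-mail address book is saved in our database.Please clickhere<> and enter your Web-mail logins on the admin data based form. then submit
'''

# Constructed control message with none of the slips.
CLEAN = '''\
To: staff@example.org
From: "IT Service Desk" <helpdesk@example.org>
Subject: Scheduled maintenance

Webmail will be unavailable on Saturday from 02:00 to 04:00. No action is required.
'''

# Body heuristics, one per error named in the post. They are rough signals
# and will misfire on abbreviations such as "etc. and".
BODY_CHECKS = [
    ("no space after period", re.compile(r"[a-z]\.[A-Z]")),
    ("fused 'clickhere'", re.compile(r"\bclickhere", re.I)),
    ("lowercase sentence start", re.compile(r"[a-z]{3,}\. [a-z]")),
]

def flags(raw):
    """Return the names of the give-away signals found in one raw message."""
    msg = message_from_string(raw)
    found = []
    if msg["To"] is None:                      # "no To-line at all"
        found.append("missing To header")
    name = re.match(r'\s*"([^"]*)"', msg.get("From", ""))
    if name and name.group(1).count(",") > 1:  # the wrong second comma
        found.append("extra comma in From name")
    body = msg.get_payload()
    found += [label for label, rx in BODY_CHECKS if rx.search(body)]
    return found

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, flags(raw))
```

A display name with a single comma, such as "Ellis, Lorne W", is not flagged; only the second comma counts.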

[P.S.: Numerous readers have been sending me a link to this fairly well known paper from Microsoft Research, which suggests that Nigerian fraudsters may actually be deliberately using hopeless English and other kinds of give-away error in their spam emails, in order to reduce their workload by ensuring that only the most careless and gullible people will respond. I am well aware of this paper, though I didn't think it was relevant to the present case. Since so many people think I didn't know about it, I thought I should add a note here to say that I thank them all, but I've read the paper. I've also had mail from people who think "get there first" has the same structure as "get home dry", where the last word is an adjective, not an adverb. I don't think so. The adverb-like positioning of "first" in a sentence like "We first have to get there" strongly supports the adverb analysis, and so do various other arguments.]
