I get my fair share of phishing and other scam emails. I’ve gotten messages from Nigerian princes, State Lottery Authorities in several US states, and I’ve been told that an unknown philanthropist in Australia has left me millions in his will. I get these emails mostly to my so-called junk address, an email I have set up only to be used when I need an email address to access a site or service on which I do not want to use my real email addresses.
One thing that never ceases to amaze me is why people fall for such obvious scams. I often use Windows 10 Sandbox to check them out, trying to analyze them and learn something new. Today, I received a sufficiently outrageous and obvious phishing email that I simply had to launch the Sandbox and document how difficult it would be to fall for it:
To start with, YouTube would never send an email using a private email address belonging to a Russian female, judging by the name and domain mail.ru. You can be absolutely sure that big players like Google, Amazon, Microsoft, Apple and so on never ask you to “confirm” your credentials by clicking a link in an email or text message. The same is true for banks and credit card companies, PayPal, eBay, insurance companies, state or local authorities and such. Likewise, they will never ask you to click a link and enter your credentials, account numbers or any other personal information.
OK, already a first close look at that email reveals it does not come from YouTube. Next, it asks the receiver to click a link and add credentials. Never happens, as I mentioned. Let’s see what happens when you open that link in Windows Sandbox with default Edge and Defender settings:
Edge clearly tells us that the website is unsafe (#1), that the URL has nothing to do with YouTube (#2), and provides a stern user warning (#3). Yet, some users disregard this and continue (#4). Should they persist in the face of all this scary information, they will be shown a fake Google sign-in page, with the same fake URL:
Of course, I entered a nonexistent fake email address. Clicking Next again shows the red unsafe website warning. Here again, some users still disregard it and continue. The next page asks for a password, and brings up the red unsafe website warning page for a third time. Disregarding it, users are shown a spinning Google logo. That’s it.
In this simple phishing scam example, all the tell-tales are there. In addition, Edge warned me three times, after each step, that the site was unsafe. Regardless of all these warnings, some users really do fall for these scams. Why this is so, I have never understood.
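The two tell-tales described above, a sender address on a domain unrelated to the claimed brand and a link whose host is unrelated to it, can be checked mechanically on a saved message. The following Python is an added example, not part of the original article; the brand-domain list, the sample message and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand legitimately uses.
BRAND_DOMAINS = {"youtube": {"youtube.com", "google.com"}}

# Constructed sample message (not the real email from the article).
SAMPLE = """\
From: YouTube <someone@mail.ru>
To: junk@example.org
Subject: Confirm your YouTube account
Content-Type: text/plain; charset=utf-8

Your account will be suspended. Confirm your credentials here:
http://account-verify.example.net/youtube/signin
"""

def in_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def tell_tales(raw, brands=BRAND_DOMAINS):
    """Return findings for a message that names a brand it does not come from."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Collect every text part, so multipart messages are covered too.
    body = "".join(
        part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    text = f"{name} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, domains in brands.items():
        if brand not in text:
            continue  # the message does not claim to be from this brand
        if not in_domains(sender_domain, domains):
            findings.append(f"sender domain {sender_domain} is not a {brand} domain")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = urlsplit(url).hostname or ""
            if not in_domains(host, domains):
                findings.append(f"link host {host} is not a {brand} domain")
    return findings

if __name__ == "__main__":
    for finding in tell_tales(SAMPLE):
        print(finding)
```

The suffix match requires a leading dot, so a lookalike host such as `youtube.com.example.net` is still reported rather than accepted as a YouTube subdomain.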
It is relatively easy to remain safe. I’m pretty sure Win10.Guru readers are too smart to fall for phishing scams. But we’ve all got friends, family and co-workers who may not be so Internet savvy. Keep them informed, and tell them about the following guidelines: Always access your financial and other online services only by entering their known secure URL yourself in your browser. Never click a link in an email asking you to enter your credentials or any other personal information like account or PIN numbers, or asking you to change your password. No honest company or service will ask you to do that. Do not open any email attachments from unknown senders. Easy to remember.
Scammers only succeed if we users give them a chance — or, as you’ve seen in the preceding examples — multiple chances to pull the wool over our eyes, and steal our identity information. Be smart. Don’t give them a chance. When the browser warns you off, surf somewhere safe instead.
Author: Kari Finn
A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site TenForums.com.