
On foot of an email that purported to come from An Post, my bank details were compromised.

  • 21-10-2021 5:38pm
    #1


    Mods, please move this to wherever you deem suitable, not quite sure where it belongs.

    Got an email from “support@AnPost.com” and checked that this was a valid An Post address before following instructions to pay “handling fees” for some item. Of course I checked the url of the An Post site I was being directed to and it at least appeared to be legit, so I proceeded with bank details, being advised an SMS authorisation would be forthcoming shortly. No SMS, cycled through the whole thing again, still no SMS.

    Bear in mind I’m on a very busy short trip to Crete, so on a different time zone etc for trying to make or take calls. I got very suspicious at the lack of SMS and checked my bank account to see modest unauthorised debits had been made.

    I tried to phone BOI, couldn’t get through after over 50 minutes falling asleep. Then the bank phoned me, put me on hold, but seemed very helpful when speaking with them. Alas, I was right on top of a high mountain in a jeep during that call. The bank has returned the exact amount into my account, but is cancelling my card. The call got cut by virtue of no signal left.

    My card details had been used in payment of a bill in a specified Parisian restaurant. Strange stuff. Not that I was compromised but that An Post seems to have been used as an intermediary. No doubt I’ll learn much more about this over next days.

    Anyone else with a similar experience?



Comments

  • Registered Users, Registered Users 2 Posts: 22,608 ✭✭✭✭Tell me how


    You know this now.

    But for anyone else. Never, ever, ever, ever, ever, ever, ever, ever, ever give payment/account details on foot of an enquiry from anyone who initiated asking for the payment unless they can demonstrate unquestionably they are legit.

    If it is from a legit company, they will be able to tell you information that you know is correct. They can give a tracking number that you have, they can tell you the value in your account or the last transaction and you can verify this etc.

    I suspect anpost weren't used at all but it was a clever manipulation of their email name to make it look legit. I get these emails frequently using Amazon as the bait to make it look legit.

    My card was compromised before in a way I never found out exactly and the bank's fraud dept picked up on it and took care of things. In that case, frequent relatively small payments had been requested also. I just had to sign a statement for the bank telling them which activities were fraudulent.



  • Registered Users, Registered Users 2 Posts: 4,636 ✭✭✭Homelander


    It's nothing to do with An Post, that email wasn't from An Post, nor was the website anything to do with An Post. This has been going on for the last decade and while some scams are very basic, and others are more convincing, they're all quite obviously scams.

    People have been falling for these scams since the internet came around. Mostly it's older people falling for them as they're not tech-savvy and don't spot the warning signs.



  • Registered Users, Registered Users 2 Posts: 71,120 ✭✭✭✭L1011


    From address can be faked. 'look genuine' domain names cost a few quid to set up.

    An Post had nothing to do with this at all. Scammers figured out your email address was probably Irish and sent you a semi-plausible, but absolutely doesn't actually exist in reality, message/link going to a completely fake site. That isn't how An Post do business.





  • I actually know how to clone a website and make it look legit or change it a bit just for a bit of ‘mischief’ practice. It’s how I’m putting into practice some of the coding I’ve been learning, so I have some idea of what lies behind all this. As regards manipulating the email, it is the exact same email address as used by An Post…. That’s where I got sucked in. And it appeared like the exact same emails I’ve received from An Post before, though appearances can be easily manipulated with a finger click.





  • A little less of the patronising vibe I’m getting here, please. Maybe a little explanation of how I would know that this is not a fake An Post email?

    I don’t think it’s obvious, myself.

    And no, I don’t think that’s how An Post do their business, or scamming people. But they do send regular emails as the one I got inviting payment before parcel will be released. I have a folder full of those emails for comparison. I keep my files organised. I’m not quite as dense as it’s being implied in this thread.

    On another note got one of many calls from unknown number and an automated voice answered. Made me duly suspicious, was left in a long holding queue to speak to an operator, but an SMS had arrived to tell me to expect a call. It was legit Bank of Ireland. I could easily have been of a mind to press the red button and end the call.

    It is becoming increasingly difficult to determine fake from legit, as scammers closely copy the business practices of the institutions they are faking and you don’t have to be overly stupid to get trapped.

    I am interested though, to know how I could set up a fake email address with @anpost.com as I haven’t got to that part of my tech studies yet.



  • Registered Users, Registered Users 2 Posts: 2,396 ✭✭✭Glaceon


    The From address is very easily spoofed. It’s just a command sent to the mail server. The basic format of SMTP commands is as follows:

    EHLO (or HELO) spoofed.com
    MAIL FROM:<sender@spoofed.com>
    RCPT TO:<recipient@example.com>
    DATA
    enter message content here
    

    It’s that simple. The second command specifies the sender address. There are safeguards in place to reduce the impact, such as SPF and DKIM, but they’re not perfect.
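
Added example, not part of the original post: a Python sketch of the receiving-side check behind the SPF and DKIM safeguards mentioned above. It compares the domain shown in From: with the envelope sender and reads only the Authentication-Results header stamped by the reader's own mail server; the message, hostnames and the `mx.example.org` server id are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the email from this thread). Hostnames, the
# authserv-id "mx.example.org" and all verdicts are invented for illustration.
# The second Authentication-Results header stands for one the sender added.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=anpost.com
Authentication-Results: mail.sender.example;
 spf=pass; dkim=pass; dmarc=pass
From: "An Post Support" <support@anpost.com>
To: recipient@example.org
Subject: Your parcel is ready for delivery

Please confirm the payment.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def trusted_results(msg, authserv_id):
    """spf/dkim/dmarc verdicts, taken only from headers added by authserv_id.

    Anyone can put an Authentication-Results header into a message they
    send, so headers carrying any other server id are ignored.
    """
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower().split()[:1] != [authserv_id.lower()]:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results


def assess(raw, authserv_id):
    """Compare what the reader sees (From:) with what was authenticated."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])  # envelope sender (MAIL FROM)
    res = trusted_results(msg, authserv_id)
    findings = []
    # SPF validates the envelope domain only, so an SPF pass says nothing
    # about the From: address unless the two domains are aligned.
    if not aligned(env_dom, from_dom):
        findings.append(f"envelope domain {env_dom or '(none)'} is not "
                        f"aligned with From: domain {from_dom}")
    if res.get("dkim") != "pass":
        findings.append(f"dkim={res.get('dkim', 'missing')}")
    if res.get("dmarc") != "pass":
        findings.append(f"dmarc={res.get('dmarc', 'missing')} for {from_dom}")
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "results": res, "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE, "mx.example.org")["findings"]:
        print("-", line)
```

A Return-Path that differs from the From: domain is also common in legitimate bulk mail, so that finding carries weight only alongside the DKIM and DMARC verdicts.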



  • Registered Users, Registered Users 2 Posts: 2,593 ✭✭✭circular flexing



    It’s really easy to fake the from: field in an email, it’s not sophisticated at all. An Post say here that they never send links when looking for payment - https://www.anpost.com/Security



  • Moderators, Technology & Internet Moderators Posts: 7,423 Mod ✭✭✭✭pleasant Co.


    [deleted]

    Post edited by pleasant Co. on


  • Registered Users, Registered Users 2 Posts: 218 ✭✭sham58107


    Would have thought An Post would have had an .ie domain, not .com



  • Registered Users, Registered Users 2 Posts: 26,989 ✭✭✭✭Peregrinus


    It's getting increasingly difficult, I agree, to detect scams. Benefit of hindsight and all the rest of it, but a couple of red flags to watch out for:

    The "support@ . . ." email address should raise your hackles. That looks like the address you might use to contact an organisation if you are having problems with their systems or services, or with a product they have supplied. It's not normally an address that an organisation uses to contact you to progress routine business.

    This may not apply to your case, but when I google this issue I come across another incident in which the full email is quoted. It goes like this:

    "Dear customer,

    Please be informed that your parcel is ready for delivery, our support team was unable to confirm the express service charges, please confirm the payment 3,99 € on the link below.

    Note: verification must be done within 24 hours to complete last step before delivery.

    Confirm [In the email, this is a hyperlink]

    Best regards,

    anpost.com Support team,"

    This looks unprofessional. The first paragraph is not written in idiomatic English ("Please confirm the payment 3,99 €"? Seriously?) and it consists of three separate sentences run together with commas. There's apparently random capitalisation in the signature. This hasn't been written, or proofed, or approved, by anyone competent and comfortable in the use of English. If English isn't your first language some of this might pass you by, but to a native speaker this doesn't read as you would expect.

    Another red flag is that they are looking to you, the recipient of the package, to pay "express service charges". Carriage charges are paid by the consignor, not the person to whom the package is addressed. They might ask you to pay customs or VAT due on an imported parcel, and a handling charge associated with that, but if they're asking you to pay anything that looks like part of the carriage charges, be suspicious.

    Also, there's no tracking number or other ID quoted. So, if you click through and make a payment, how are they going to associate your payment with any particular parcel? I would expect the email to contain a unique identifier.

    When you click through, you should read the page you land on with an equally critical eye. Does it look professional? Is it written in good English? Does it have, or ask for, an identifier for your parcel?

    Finally, if you click through and they ask you for your bank details, I would regard that as very suspicious. There's no reason why they would need your bank details; they just need you to make a payment, which you should be able to do without offering up your bank details.



  • Registered Users, Registered Users 2 Posts: 417 ✭✭Doolittle51


    When you go to anpost.ie, it redirects to anpost.com, but their email request for customs charges comes from noreply@anpost.ie. It doesn't instill much confidence to be honest.

    I paid customs charges last week. There was no direct link in the email from anpost, so I went to the website myself and navigated to 'Pay Customs Charges'. All went through no problem, but now when I try to track my parcel, it says that they don't have it yet, even though I paid the charges 5 days ago. Also the transaction on my credit card bill has no mention of anpost. I'm sure this is all just incompetence from anpost, but I've no confidence in the whole thing. The amount on which I was asked to pay fees matches the amount I paid the online retailer, so I'm pretty sure it's not a scam. My credit card company will cover me for any theft/scams, so I'm not worried about it but the whole process with anpost is a bit of a sham. No surprises there.



  • Registered Users, Registered Users 2 Posts: 40,637 ✭✭✭✭ohnonotgmail


    There was no direct link in the email from anpost, so I went to the website myself and navigated to 'Pay Customs Charges'. 

    Even if there is a link in the email you should never click on it. Always go to the website URL yourself and find what you need from there.



  • Registered Users, Registered Users 2 Posts: 21,499 ✭✭✭✭Alun


    Whatever about the email address being spoofed, that's mind numbingly easy to do, and shouldn't be trusted at all, never, ever click on a link in an email without checking it first.

    In Gmail on smartphones, all you have to do is long click on the link and it will bring up a pop up with details of where the link will take you. On a PC just hover over the link with the mouse.

    I can guarantee 100% that the URL shown won't point to any legitimate An Post site.



  • Registered Users, Registered Users 2 Posts: 26,989 ✭✭✭✭Peregrinus


    It's common for business with any kind of international profile to register multiple urls. Bbc.com, bbc.co.uk and bbc.eu will all take you to the BBC, for example. There's nothing unusual or suspicious in that.



  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    It is getting increasingly difficult to detect scam emails. In the early internet they were relatively easy to pick up, they used really terrible language (which was intentional), came from random email addresses, etc.

    People I think became acclimatised to expect that, and so find themselves looking for more obvious tells to detect a scam email. It also doesn't help that phones somewhat abstract some data away so that when you get an email on your iPhone it's quite difficult to see who it actually came from. The OP's case is a perfect example of this.

    I manage our company email and I see them all.

    Many people are not as sensitive to poor language as others. @Peregrinus points out some obvious grammatical errors in a mail, but many people wouldn't pick them up. As well, with internet trade being increasingly international, it's not that rare anymore to receive a genuine email that's poorly translated or uses a foreign money format (3,99 €) instead of (€3.99).

    There are still some tells that should immediately make your spidey senses tingle:

    • It's a request out of the blue without context. You're not expecting any foreign parcels. Granted you might have ten deliveries in flight to you at any one time, but customs or other charges will be otherwise flagged to you, not some random email from An Post demanding payment for some unknown parcel.
    • It's always urgent, unreasonable, or otherwise time-sensitive. "Do this today or your account will be closed". "We will return to sender if this is not paid in 24 hours". That's not how anyone does business. Companies don't send emails expecting 24 hours turnaround unless it's the 50th email they've sent.
    • They avoid giving any alternate contact details, or will explicitly tell you why they shouldn't/can't be contacted.

    The golden rule I tell our staff is to verify. Always, always verify. You get an email from An Post about a parcel, you go find out what parcel it is and check the track and trace. You get someone emailing you asking for anything urgent, you find their number and you ring them to verify. If it's a genuine email, nobody will be annoyed that you did it.

    There is nothing, on all of this earth, that requires payment right now. So there's a bit of self-control we all need to learn to apply. You're in a jeep up a mountain on holiday in Greece and you get an email demanding payment? That can definitely wait at least until you're on the ground and have ten minutes to look into it.

    There are plenty of technical tools now for defending against this stuff, but it's an arms race. Scams aren't getting more sophisticated, they're just getting cleaner. More believable, less obvious. Automated systems are now great at detecting emails that are technical scams. But the effort now to set up an email server that is technically legit (comes with all the encryption and anti-spam bells and whistles), is minimal. That too is automated. Within ten minutes I can have an email server set up sending mails from @somefairlylegitdomain.com that will not be flagged as spam or a scam by other email systems.

    So the difficulty is getting automated systems to detect - through the language alone - whether an email is a scam or not. It's getting better all the time, but so are the scams.





  • Great, thanks, this adds to my learning bank. I will try and spoof my friends (harmlessly) and in that show them how easy it is to be scammed. There’s not half enough public education on this stuff. I’m generally nobody’s fool, think how easy it is for such stuff to succeed.





  • I was in the jeep on a mountain when Bank of Ireland phoned using their automated system. The bank wanted me to deal with it “right now” and it was actually BOI.





  • And I was expecting a specific parcel…. The sender had informed me day before it had been dispatched, so timing was “perfect”.





  • One big problem these days is there are less humans employed to answer calls, so to phone anyone to verify anything could easily mean 40 minutes to an hour out of your life to connect. I had tried to phone BOI before going to sleep and I literally fell asleep in the middle of waiting for them to answer… had been on over 30 minutes. Somebody thoughtful nearby even asked could they be of any assistance as I seemed to be having difficulties. Picking up the phone to contact institutions these days can be a very protracted business. After the prologue of “you matter to us, this call is recorded, we are having unusually busy lines (they always are unusually busy all the time everywhere), do you know you can find out everything you need by visiting our website, probably no need to phone us at all…” then you go through various cycles of pressing 1 or 2 or 3 or 4 and onto another prologue of how busy they are before somebody may or may not answer you and then tell you it is another line you need to phone and it’s not operational during these hours.





  • The only urgency was by BOI. An Post, mar dhea, stated no urgency on their email to me, making it that bit more believable. The hacking/fake email was difficult to differentiate in my circumstances at the time I got it from a genuine one. I’m no idiot, am a tiny bit tech savvy, and I’m no doddery old fool taken in by everything that comes my way. I live on the edge of suspicion a lot of the time, as is often pointed out to me. Others more relaxed, more trusting, more unfamiliar are going to be taken in every day of the week the way things are going.





  • Am I getting the message from those here more in the know that iPhones have some dreadful vulnerabilities that android don’t? I’m getting to believe there’s a problem, and one thing I have observed in this here site is that iPhone users have at times had certain issues that aren’t experienced by Android users, which is off topic in one way, but may point to certain “security” issues common to their use in general.





  • It’s really important that institutions cease to send such links. Most don’t, but there are a few who do. Instead a very simple clear instruction should be given.



  • Registered Users, Registered Users 2 Posts: 2,824 ✭✭✭mightyreds


    I don't think android or iphone would matter in this case as you entered your details voluntarily, I would have android more vulnerable though to iphone apple pretty much lock down their iphones as far as I am aware.





  • Believing it was entirely legit email. The advice used to be given out constantly to verify the sender’s email. I had what I wrongly thought was that evidence in @anpost.com.

    From now I will trust absolutely nothing and nobody online, will fast-track learning about this cr@p and pass on what I learn to others.





  • When I said Bank Details here what I mean is card number etc, the usual required for payment, followed by a message to put in my sms verification code. I became somewhat suspicious when the verification code never arrived. I have found An Post to be a bit inconsistent the way they have done business, have had to pay various legit charges in the past that were sometimes described as Customs Charge and other times Handling Charge. It’s their apparent inconsistency that has me addled. I have an email folder with them for comparison.

    A bit off topic (except maybe insofar as good practice might be concerned) but when I have a phone attendance with my GP I can never offer to pay immediately following the consultation. The doctor always says the receptionists are too busy to take payment and they will phone me another time to do so. Then maybe 4 days later I get a fairly unprofessional sounding call out of the blue “you need to pay doctor €65, give me your card details”. No other way of paying, although I usually end up calling to the door and insisting on paying in person to get it done with, which defeats the purpose a bit as in theory I might be infectious. Likes of the GP has no online payment system but there again I had a mobile phone way ahead of the GP so no surprises really. Afaics an awful lot of such transactions are @rseways atm.





  • At least my card is stopped now. I confirmed that without doubt by trying to pay a small transaction of €0.79 for water in a shop here in Crete, and the shop assistant pointed out that my card had been reported stolen. Naturally she looked at me very suspiciously. In a village where people leave car keys in the ignition, dishonesty doesn’t go down well. All this has been happening on a very busy little trip where I’ve snatched moments to get through practicalities of emails etc. I’m now killing time before awaiting a pick-up later to the airport, so can catch up a bit.





  • So what I gather here is if I learn all about SMTP I can then, say, pretend to be ros@gov.ie and ask for tax payments from the unwary into my personal account.

    ”A reminder that you omitted to pay €79.80 from tax year 2020. Failure to do so before 1st December 2021 will result in penalties. Please click here to complete payment without further delay.

    Collector General

    Revenue.ie”

    I’ll get around to that when I’ve completed my course in JavaScript, Python, SQL, PHP etc. etc. 🤔 it seems to me you have to get smarter than the fraudsters just as you almost have to learn enough medicine to provide your own working medical diagnoses at times of health service delays. An awful lot of very unpleasant “savvy” people out there. Pretty screwed-up world at times.



  • Registered Users, Registered Users 2 Posts: 11,713 ✭✭✭✭Jim_Hodge


    You don't need to be smarter than the scammers or know how the coding works. You just have to know you don't click on links in unsolicited emails, you access the sites directly, and you pay heed to all the publicity from companies like An Post who say they don't email links.



  • Registered Users, Registered Users 2 Posts: 1,097 ✭✭✭Rulmeq






  • Interesting. Like to learn this kind of stuff myself, but many don’t. I’m an aviation nerd, most aren’t and I wouldn’t expect anyone flying to Tenerife on a Ryanair 737-800 to have a ready understanding of all the parameters required to calculate the take-off roll or landing roll-out, which is much less than the level of knowledge that almost seems to be requisite now to avoid being scammed - as in the pilot’s world the variables are all fixed into the FMS and pilot just inputs the data fed to her/him basically from the metars and loadsheet.





  • The definition of an unsolicited email is getting trickier, though. Especially if a reply email comes from a very similar looking fake institution very shortly after you’ve dealt with the legit one. I’ve been sent umpteen emails from legit organisations with links. From my phone I can’t see that my travel agent is real or fake and I’m just about to fly. In a moment I could be sent a scam about my flight being changed … “click to confirm you agree to change”.



  • Registered Users, Registered Users 2 Posts: 40,637 ✭✭✭✭ohnonotgmail


    The knowledge required to avoid email scams is not that difficult. Never click on a link in an email. That cuts out 99% right there.



  • Registered Users, Registered Users 2 Posts: 3,811 ✭✭✭joe40


    I bought a kindle book from Amazon recently. Got an email with a link to say there was a problem.

    I didn't follow the link but went direct to the website and the email was genuine. Card was out of date.

    I was surprised that amazon had a link in their email. I just assumed the email was false.

    Advice is still sound: don't follow links.



  • Registered Users, Registered Users 2 Posts: 11,713 ✭✭✭✭Jim_Hodge


    You're way overthinking this. Scams are nothing new. This type of scam is nothing new. You don't need superior knowledge or expert knowhow to avoid them. Your analogies are way over the top, to be honest.

    Post edited by Jim_Hodge on




  • Well then it should be standard business practice to never ever send emails with links. It isn’t. I have folders full of emails with clickable links from legit reputable senders.





  • Not really. I was a tired traveller, having clicked on lots of links sent to me by my agent, Ryanair etc etc etc. There needs to be major pressure on all businesses never to send any links in emails.





  • A good motto to put out there might be

    ”Think before you Click on a clickable link”

    OR more wryly

    ”Yer a thick if you click”

    Post edited by [Deleted User] on




  • Here’s one I received just now. Coincidence would have it that I have an hour or two ago checked in for a Ryanair flight. Of course I didn’t click this one. I am at home, I rushed, and focussed. As well as that it is so not-Ryanair and reference matches none of my upcoming bookings. Interesting nonetheless in the timing of these phishing scams. I guess the fact that people are making more bookings now, they are likely to strike gold. But I’m wondering about it all the same.




  • Registered Users, Registered Users 2 Posts: 11,713 ✭✭✭✭Jim_Hodge


    We get these whether we've upcoming or ongoing dealings with the companies supposedly involved





  • As on the Liveline thread we’d welt say in Joe Duffy’s lingo “I know dat! I know dat I know dat!”



  • Registered Users, Registered Users 2 Posts: 71,120 ✭✭✭✭L1011


    What email service are you using? Most of these emails should be eaten by any DKIM/SPF checking. Not all, which is why you need to continue to be aware.



  • Registered Users, Registered Users 2 Posts: 11,713 ✭✭✭✭Jim_Hodge


    Then why throw in "Interesting nonetheless in the timing of these phishing scams."?


    You're way over thinking it.





  • Hotmail… yeah quite unstable from a filtering point of view. It’s a legacy email account from decades ago when I established my profile on various sites and have used as a sign-in by default ever since. I do have gmail a/c too which I sometimes use.


