
On foot of an email that purported to come from An Post, my bank details were compromised.

  • 21-10-2021 6:38pm
    #1
    Registered Users Posts: 24,208 ✭✭✭✭


    Mods, please move this to wherever you deem suitable, not quite sure where it belongs.

    Got an email from “support@AnPost.com” and checked that this was a valid An Post address before following instructions to pay “handling fees” for some item. Of course I checked the url of the An Post site I was being directed to and it at least appeared to be legit, so I proceeded with bank details, being advised an SMS authorisation would be forthcoming shortly. No SMS, cycled through the whole thing again, still no SMS.

    Bear in mind I’m on a very busy short trip to Crete, so on a different time zone etc for trying to make or take calls. I got very suspicious at the lack of SMS and checked my bank account to see modest unauthorised debits had been made.

    I tried to phone BOI, couldn’t get through after over 50 minutes falling asleep. Then the bank phoned me, put me on hold, but seemed very helpful when speaking with them. Alas, I was right on top of a high mountain in a jeep during that call. The bank has returned the exact amount into my account, but is cancelling my card. The call got cut by virtue of no signal left.

    My card details had been used in payment of a bill in a specified Parisian restaurant. Strange stuff. Not that I was compromised but that An Post seems to have been used as an intermediary. No doubt I’ll learn much more about this over next days.

    Anyone else with a similar experience?

    Can I get away with anything if I pay the piper, so to speak?




Comments

  • Registered Users Posts: 21,517 ✭✭✭✭Tell me how


    You know this now.

    But for anyone else. Never, ever, ever, ever, ever, ever, ever, ever, ever give payment/account details on foot of an enquiry from anyone who initiated asking for the payment unless they can demonstrate unquestionably they are legit.

    If it is from a legit company, they will be able to tell you information that you know is correct. They can give a tracking number that you have, they can tell you the value in your account or the last transaction and you can verify this etc.

    I suspect anpost weren't used at all but it was a clever manipulation of their email name to make it look legit. I get these emails frequently using Amazon as the bait to make it look legit.

    My card was compromised before in a way I never found out exactly and the bank's fraud dept picked up on it and took care of things. In that case, frequent relatively small payments had been requested also. I just had to sign a statement for the bank telling them which activities were fraudulent.



  • Registered Users Posts: 4,332 ✭✭✭Homelander


    It's nothing to do with An Post, that email wasn't from An Post, nor was the website anything to do with An Post. This has been going on for the last decade and while some scams are very basic, and others are more convincing, they're all quite obviously scams.

    People have been falling for these scams since the internet came around. Mostly it's older people falling for them as they're not tech-savvy and don't spot the warning signs.



  • Moderators, Business & Finance Moderators, Motoring & Transport Moderators, Society & Culture Moderators Posts: 67,448 Mod ✭✭✭✭L1011


    From address can be faked. 'look genuine' domain names cost a few quid to set up.

    An Post had nothing to do with this at all. Scammers figured out your email address was probably Irish and sent you a semi-plausible, but absolutely doesn't actually exist in reality, message/link going to a completely fake site. That isn't how An Post do business.



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    I actually know how to clone a website and make it look legit or change it a bit just for a bit of ‘mischief’ practice. It’s how I’m putting into practice some of the coding I’ve been learning, so I have some idea of what lies behind all this. As regards manipulating the email, it is the exact same email address as used by An Post…. That’s where I got sucked in. And it appeared like the exact same emails I’ve received from An Post before, though appearances can be easily manipulated with a finger click.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    A little less of the patronising vibe I’m getting here, please. Maybe a little explanation of how I would know that this is not a fake An Post email?

    I don’t think it’s obvious, myself.

    And no, I don’t think that’s how An Post do their business, or scamming people. But they do send regular emails as the one I got inviting payment before parcel will be released. I have a folder full of those emails for comparison. I keep my files organised. I’m not quite as dense as it’s being implied in this thread.

    On another note got one of many calls from unknown number and an automated voice answered. Made me duly suspicious, was left in a long holding queue to speak to an operator, but an SMS had arrived to tell me to expect a call. It was legit Bank of Ireland. I could easily have been of a mind to press the red button and end the call.

    It is becoming increasingly difficult to determine fake from legit, as scammers closely copy the business practices of the institutions they are faking and you don’t have to be overly stupid to get trapped.

    I am interested though, to know how I could set up a fake email address with @anpost.com as I haven’t got to that part of my tech studies yet.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 1,981 ✭✭✭Glaceon


    The From address is very easily spoofed. It’s just a command sent to the mail server. The basic format of SMTP commands is as follows:

    EHLO (or HELO) spoofed.com
    MAIL FROM:<sender@spoofed.com>
    RCPT TO:<recipient@example.com>
    DATA
    enter message content here
    

    It’s that simple. The second command specifies the sender address. There are safeguards in place to reduce the impact, such as SPF and DKIM, but they’re not perfect.



  • Registered Users Posts: 2,580 ✭✭✭circular flexing



    It’s really easy to fake the from: field in an email, it’s not sophisticated at all. An Post say here that they never send links when looking for payment - https://www.anpost.com/Security



  • Moderators, Technology & Internet Moderators Posts: 7,374 Mod ✭✭✭✭pleasant Co.


    [deleted]

    Post edited by pleasant Co. on


  • Registered Users Posts: 213 ✭✭sham58107


    Would have thought An Post would have had a .ie domain, not .com



  • Registered Users Posts: 25,972 ✭✭✭✭Peregrinus


    It's getting increasingly difficult, I agree, to detect scams. Benefit of hindsight and all the rest of it, but a couple of red flags to watch out for:

    The "support@ . . ." email address should raise your hackles. That looks like the address you might use to contact an organisation if you are having problems with their systems or services, or with a product they have supplied. It's not normally an address that an organisation uses to contact you to progress routine business.

    This may not apply to your case, but when I google this issue I come across another incident in which the full email is quoted. It goes like this:

    "Dear customer,

    Please be informed that your parcel is ready for delivery, our support team was unable to confirm the express service charges, please confirm the payment 3,99 € on the link below.

    Note: verification must be done within 24 hours to complete last step before delivery.

    Confirm [In the email, this is a hyperlink]

    Best regards,

    anpost.com Support team,"

    This looks unprofessional. The first paragraph is not written in idiomatic English ("Please confirm the payment 3,99 €"? Seriously?) and it consists of three separate sentences run together with commas. There's apparently random capitalisation in the signature. This hasn't been written, or proofed, or approved, by anyone competent and comfortable in the use of English. If English isn't your first language some of this might pass you by, but to a native speaker this doesn't read as you would expect.

    Another red flag is that they are looking to you, the recipient of the package, to pay "express service charges". Carriage charges are paid by the consignor, not the person to whom the package is addressed. They might ask you to pay customs or VAT due on an imported parcel, and a handling charge associated with that, but if they're asking you to pay anything that looks like part of the carriage charges, be suspicious.

    Also, there's no tracking number or other ID quoted. So, if you click through and make a payment, how are they going to associate your payment with any particular parcel? I would expect the email to contain a unique identifier.

    When you click through, you should read the page you land on with an equally critical eye. Does it look professional? Is it written in good English? Does it have, or ask for, an identifier for your parcel?

    Finally, if you click through and they ask you for your bank details, I would regard that as very suspicious. There's no reason why they would need your bank details; they just need you to make a payment, which you should be able to do without offering up your bank details.



  • Registered Users Posts: 372 ✭✭Doolittle51


    When you go to anpost.ie, it redirects to anpost.com, but their email request for customs charges comes from noreply@anpost.ie. It doesn't instill much confidence to be honest.

    I paid customs charges last week. There was no direct link in the email from anpost, so I went to the website myself and navigated to 'Pay Customs Charges'. All went through no problem, but now when I try to track my parcel, it says that they don't have it yet, even though I paid the charges 5 days ago. Also the transaction on my credit card bill has no mention of anpost. I'm sure this is all just incompetence from anpost, but I've no confidence in the whole thing. The amount on which I was asked to pay fees matches the amount I paid the online retailer, so I'm pretty sure it's not a scam. My credit card company will cover me for any theft/scams, so I'm not worried about it but the whole process with anpost is a bit of a sham. No surprises there.



  • Registered Users Posts: 40,079 ✭✭✭✭ohnonotgmail


    There was no direct link in the email from anpost, so I went to the website myself and navigated to 'Pay Customs Charges'. 

    Even if there is a link in the email you should never click on it. Always go to the website URL yourself and find what you need from there.



  • Registered Users Posts: 21,412 ✭✭✭✭Alun


    Whatever about the email address being spoofed, that's mind numbingly easy to do, and shouldn't be trusted at all, never, ever click on a link in an email without checking it first.

    In Gmail on smartphones, all you have to do is long click on the link and it will bring up a pop up with details of where the link will take you. On a PC just hover over the link with the mouse.

    I can guarantee 100% that the URL shown won't point to any legitimate An Post site.
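
How the envelope sender (the MAIL FROM command in Glaceon's post above), the displayed From header and the link target Alun suggests checking can be compared on the receiving side, as an added Python example that is not part of any post in this thread. The sample message, the server name mx.example.org and the warning codes are constructed; the trusted domains are the two named in the thread, and Return-Path is taken as the envelope sender recorded at delivery.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"anpost.com", "anpost.ie"}   # the two domains named in this thread
OUR_MX = "mx.example.org"                       # assumed name of our receiving server

# Constructed sample message (not a real capture); hosts use reserved example names.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=anpost.com
From: "An Post" <support@anpost.com>
To: recipient@example.com
Subject: Your parcel
Content-Type: text/html; charset="utf-8"

<p>Dear customer, please confirm the payment on the link below.</p>
<a href="https://anpost.com.parcel-fees.example/pay">Confirm</a>
"""

def domain_of(address):
    """Domain part of an address header such as 'An Post <a@b.ie>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def is_trusted_host(host):
    """True only for a trusted domain or a subdomain of one (match on a dot boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkHosts(HTMLParser):
    """Collects the hostname behind every <a href>, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hosts.append(urlsplit(href).hostname or "")

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts, read only from the header our own server stamped."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        server, _, rest = header.partition(";")
        if server.strip().lower() == OUR_MX:    # ignore copies supplied by the sender
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    return verdicts

def check_message(raw):
    """Return a list of warning codes for one raw message (signals, not a verdict)."""
    msg = message_from_string(raw)
    warnings = []
    shown = domain_of(msg.get("From", ""))
    envelope = domain_of(msg.get("Return-Path", ""))
    if envelope != shown:
        warnings.append("envelope-mismatch")    # SPF can pass for a different domain
    if auth_results(msg).get("dmarc") != "pass":
        warnings.append("dmarc-not-pass")       # displayed From is not authenticated
    links = LinkHosts()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            links.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    if is_trusted_host(shown):                  # claims a trusted brand: check its links
        warnings += ["link:" + h for h in links.hosts if not is_trusted_host(h)]
    return warnings

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A mismatch between envelope and From domains also occurs in legitimate bulk mail, so that code is a prompt to look closer; the DMARC verdict and the link host carry more weight.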



  • Registered Users Posts: 25,972 ✭✭✭✭Peregrinus


    It's common for business with any kind of international profile to register multiple urls. Bbc.com, bbc.co.uk and bbc.eu will all take you to the BBC, for example. There's nothing unusual or suspicious in that.



  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    It is getting increasingly difficult to detect scam emails. In the early internet they were relatively easy to pick up, they used really terrible language (which was intentional), came from random email addresses, etc.

    People I think became acclimatised to expect that, and so find themselves looking for more obvious tells to detect a scam email. It also doesn't help that phones somewhat abstract some data away so that when you get an email on your iPhone it's quite difficult to see who it actually came from. The OP's case is a perfect example of this.

    I manage our company email and I see them all.

    Many people are not as sensitive to poor language as others. @Peregrinus points out some obvious grammatical errors in a mail, but many people wouldn't pick them up. As well, with internet trade being increasingly international, it's not that rare anymore to receive a genuine email that's poorly translated or uses a foreign money format (3,99 €) instead of (€3.99).

    There are still some tells that should immediately make your spidey senses tingle:

    • It's a request out of the blue without context. You're not expecting any foreign parcels. Granted you might have ten deliveries in flight to you at any one time, but customs or other charges will be otherwise flagged to you, not some random email from an post demanding payment for some unknown parcel.
    • It's always urgent, unreasonable, or otherwise time-sensitive. "Do this today or your account will be closed". "We will return to sender if this is not paid in 24 hours". That's not how anyone does business. Companies don't send emails expecting 24 hours turnaround unless it's the 50th email they've sent.
    • They avoid giving any alternate contact details, or will explicitly tell you why they shouldn't/can't be contacted.

    The golden rule I tell our staff is to verify. Always, always verify. You get an email from An Post about a parcel, you go find out what parcel it is and check the track and trace. You get someone emailing you asking for anything urgent, you find their number and you ring them to verify. If it's a genuine email, nobody will be annoyed that you did it.

    There is nothing, on all of this earth, that requires payment right now. So there's a bit of self-control we all need to learn to apply. You're in a jeep up a mountain on holiday in Greece and you get an email demanding payment? That can definitely wait at least until you're on the ground and have ten minutes to look into it.

    There are plenty of technical tools now for defending against this stuff, but it's an arms race. Scams aren't getting more sophisticated, they're just getting cleaner. More believable, less obvious. Automated systems are now great at detecting emails that are technical scams. But the effort now to set up an email server that is technically legit (comes with all the encryption and anti-spam bells and whistles), is minimal. That too is automated. Within ten minutes I can have an email server set up sending mails from @somefairlylegitdomain.com that will not be flagged as spam or a scam by other email systems.

    So the difficulty is getting automated systems to detect - through the language alone - whether an email is a scam or not. It's getting better all the time, but so are the scams.



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    Great, thanks, this adds to my learning bank. I will try and spoof my friends (harmlessly) and in that show them how easy it is to be scammed. There’s not half enough public education on this stuff. I’m generally nobody’s fool, think how easy it is for such stuff to succeed.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    I was in the jeep on a mountain when Bank of Ireland phoned using their automated system. The bank wanted me to deal with it “right now” and it was actually BOI.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    And I was expecting a specific parcel…. The sender had informed me day before it had been dispatched, so timing was “perfect”.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    One big problem these days is there are less humans employed to answer calls, so to phone anyone to verify anything could easily mean 40 minutes to an hour out of your life to connect. I had tried to phone BOI before going to sleep and I literally fell asleep in the middle of waiting for them to answer… had been on over 30 minutes. Somebody thoughtful nearby even asked could they be of any assistance as I seemed to be having difficulties. Picking up the phone to contact institutions these days can be a very protracted business. After the prologue of “you matter to us, this call is recorded, we are having unusually busy lines (they always are unusually busy all the time everywhere), do you know you can find out everything you need by visiting our website, probably no need to phone us at all…” then you go through various cycles of pressing 1 or 2 or 3 or 4 and onto another prologue of how busy they are before somebody may or may not answer your d then tell you it is another line you need to phone and it’s not operational during these hours.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    The only urgency was by BOI. An Post, mar dhea, stated no urgency on their email to me, making it that bit more believable. The hacking/fake email was difficult to differentiate in my circumstances at the time I got it from a genuine one. I’m no idiot, am a tiny bit tech savvy, and I’m no doddery old fool taken in by everything that comes my way. I live on the edge of suspicion a lot of the time, as is often pointed out to me. Others more relaxed, more trusting, more unfamiliar are going to be taken in every day of the week the way things are going.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    Am I getting the message from those here more in the know that iPhones have some dreadful vulnerabilities that android don’t? I’m getting to believe there’s a problem, and one thing I have observed in this here site is that iPhone users have at times had certain issues that aren’t experienced by Android users, which is off topic in one way, but may point to certain “security” issues common to their use in general.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    It’s really important that institutions cease to send such links. Most don’t, but there are a few who do. Instead a very simple clear instruction should be given.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 2,782 ✭✭✭mightyreds


    I don't think android or iphone would matter in this case as you entered your details voluntarily, I would have android more vulnerable though to iphone apple pretty much lock down their iphones as far as I am aware.



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    Believing it was entirely legit email. The advice used to be given out constantly to verify the sender’s email. I had what I wrongly thought was that evidence in @anpost.com

    From now I will trust absolutely nothing and nobody online, will fast-track learning about this cr@p and pass on what I learn to others.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    When I said Bank Details here what I mean is card number etc, the usual required for payment, followed by a message to put in my sms verification code. I became somewhat suspicious when the verification code never arrived. I have found An Lost to be a bit inconsistent the way they have done business, have had to pay various legit charges in the past that were sometimes described as Customs Charge and other times Handling Charge. It’s their apparent inconsistency that has me addled. I have an email folder with them for comparison

    A bit off topic (except maybe insofar as good practice might be concerned) but when I have a phone attendance with my GP I can never offer to pay immediately following the consultation. The doctor always says the receptionists are too busy to take payment and they will phone me another time to do so. Then maybe 4 days later I get a fairly unprofessional sounding call out of the blue “you need to pay doctor €65, give me your card details”. No other way of paying, although I usually end up calling to the door and insisting on paying in person to get it done with, which defeats the purpose a bit as in theory I might be infectious. Likes of the GP has no online payment system but there again I had a mobile phone way ahead of the GP so no surprises really. Afaics an awful lot of such transactions are @rseways atm.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    At least my card is stopped now. I confirmed that without doubt by trying to pay a small transaction of €0.79 for water in a shop here in Crete, and the shop assistant pointed out that my card had been reported stolen. Naturally she looked at me very suspiciously. In a village where people leave car keys in the ignition, dishonesty doesn’t go down well. All this has been happening on a very busy little trip where I’ve snatched moments to get through practicalities of emails etc. I’m now killing time before awaiting a pick-up later to the airport, so can catch up a bit.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    So what I gather here is if I learn all about SMTP I can then, say, pretend to be ros@gov.ie and ask for tax payments from the unwary into my personal account.

    ”A reminder that you omitted to pay €79.80 from tax year 2020. Failure to do so before 1st December 2021 will result in penalties. Please click here to complete payment without further delay.

    Collector General

    Revenue.ie”

    I’ll get around to that when I’ve completed my course in JavaScript, Python, SQL, PHP etc. etc. 🤔 it seems to me you have to get smarter than the fraudsters just as you almost have to learn enough medicine to provide your own working medical diagnoses at times of health service delays. An awful lot of very unpleasant “savvy” people out there. Pretty screwed-up world at times.

    Can I get away with anything if I pay the piper, so to speak?



  • Registered Users Posts: 10,367 ✭✭✭✭Jim_Hodge


    You don't need to be smarter than the scammers or know how the coding works. You just have to know you don't click on links in unsolicited emails, you access the sites directly, and you pay heed to all the publicity from companies like An Post who say they don't email links.



  • Registered Users Posts: 1,054 ✭✭✭Rulmeq




  • Registered Users Posts: 24,208 ✭✭✭✭recode the site


    Interesting. Like to learn this kind of stuff myself, but many don’t. I’m an aviation nerd, most aren’t and I wouldn’t expect anyone flying to Tenerife on a Ryanair 737-800 to have a ready understanding of all the parameters required to calculate the take-off roll or landing roll-out, which is much less than the level of knowledge that almost seems to be requisite now to avoid being scammed - as in the pilot’s world the variables are all fixed into the FMS and pilot just inputs the data fed to her/him basically from the metars and loadsheet.

    Can I get away with anything if I pay the piper, so to speak?


