Phishing attacks are at an all-time high.  Just ask Facebook and Google.  Fortune recently reported that Facebook and Google employees were duped out of $100 million via a phishing scheme.  That’s cra cra.

Over the years, I’ve gotten the following questions/comments from clients who have been hit with a virus or have fallen for a phishing scam (we’re going to assume you know what phishing is, but if you don’t, see Wikipedia):

  • “Who makes this stuff?”  Answer:  Bad guys.
  • “Are they bored?  Can’t they get a real job?”  Answer:  No.  They’re in the business of being bad guys.
  • “Do IT companies make this stuff so they can stay in business?”  I get this question a lot.  LOL.  Answer:  No.
  • “What can we do moving forward?”  Answer:  Investigate the situation and make security improvements.  (i.e. email filtering, web filtering, firewall w/ threat protection, security testing and training with a company like KnowBe4, etc.).
  • “Can we report these people?”  Answer:  Yes, you can (and should) report phishing.

So how do you report a phishing scam that originated via email?  The email, and specifically the header of the email, is the key to tracking down the source and reporting it to the email provider or the ISP (internet service provider).  Obviously, if money has been stolen, it’s important to call the local authorities and file a police report immediately.  It usually doesn’t come to this though.  I always report phishing scams to 4 authorities:

  1. The email provider or the ISP where the email originated from
  2. The Federal Trade Commission (spam@uce.gov)
  3. The Anti-Phishing Working Group (reportphishing@antiphishing.org) – a group that includes ISPs, security vendors, financial institutions and law enforcement agencies
  4. The National Cybersecurity and Communications Integration Center (NCCICCustomerService@hq.dhs.gov)

To determine the email provider or ISP, we need to look at the header of the email.  But finding the header of an email can sometimes be a difficult task depending on your email provider or software.  MxToolbox has a great article on finding email headers with various providers and software.  The article is a little dated (i.e. Outlook 2010 is the latest Outlook client), but you can use the info for Outlook 2010 for 2013 and 2016, so it gets the job done.  Below is an example of an email header from an attempted phishing attack:

[Image: example email header from an attempted phishing attack]

In the header, we’re looking for the IP address where the email originated (x-originating-ip and x-source-ip), and we’re looking for the sending email address (x-sender) and the Reply-To address as highlighted above.  Utilizing ICANN Domain Whois lookup, ARIN Whois IP lookup, and MxToolbox MX record lookup, we can deduce where the email originated.  We’ll save this “Sherlock Holmes” deduction process for another article in the near future.

Once you’ve nailed down where the email came from, you’ll want to send an email to the email provider and/or ISP and cc: the Federal Trade Commission, the Anti-Phishing Working Group, and the National Cybersecurity and Communications Integration Center.  If you don’t want to mess with combing through the header and being all Sherlock Holmes-like, you can just email the latter three.  But it’s more effective if you contact the email provider and/or ISP.

Here is a list of common email addresses or web forms for various providers:

Amazon SES: email-abuse@amazon.com
AOL: aol_phish@abuse.aol.com
AT&T: scam@abuse-att.net
BlueHost: tos@BlueHost.com
Comcast: abuse@comcast.net
Facebook: phish@fb.com
Google/Gmail: https://support.google.com/mail/contact/abuse?hl=en
Godaddy: abuse@godaddy.com
Hostgator: abuse@hostgator.com
Hotmail: abuse@hotmail.com
Live: abuse@live.com
Network Solutions: https://abuse.web.com/
Office 365: phish@office365.microsoft.com
Outlook.com: abuse@outlook.com
Rackspace: abuse@rackspace.com
Spectrum: phishing@charter.net
Yahoo: https://help.yahoo.com/l/us/yahoo/mail/ymail/spam.html

And if it’s not in the list above, you can always go to Abuse.net and do a lookup to find the provider’s email address to report phishing.
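To make the header check and the provider lookup concrete, here is an added example (not code from the original article) that pulls the fields discussed above out of a raw header and picks the report recipients.  The sample header, the `triage` and `domain_of` names, and the keying of provider contacts by domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header (documentation IPs, example domains); not from the post.
SAMPLE_HEADER = """\
Received: from mail.example.net (mail.example.net [203.0.113.25])
\tby mx.recipient.example with ESMTP; Mon, 01 May 2017 10:15:00 -0500
From: "Accounts Payable" <ceo@recipient.example>
Reply-To: ceo.office@outlook.com
X-Originating-IP: [198.51.100.7]
X-Source-IP: 203.0.113.25
X-Sender: billing@example.net

"""
# A few provider contacts from the article's list; keying them by domain is an assumption.
PROVIDER_ABUSE = {"outlook.com": "abuse@outlook.com", "comcast.net": "abuse@comcast.net",
                  "godaddy.com": "abuse@godaddy.com"}
# The three authorities the article always copies.
AUTHORITIES = ["spam@uce.gov", "reportphishing@antiphishing.org",
               "NCCICCustomerService@hq.dhs.gov"]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_of(address):
    return address.rpartition("@")[2]

def triage(raw_header):
    """Pull out the fields the article looks for and decide who to report to."""
    msg = message_from_string(raw_header)
    addr = lambda name: parseaddr(msg.get(name, ""))[1].lower()
    ip = lambda name: (IPV4.findall(msg.get(name, "")) or [None])[0]
    info = {
        "from": addr("From"),
        "reply_to": addr("Reply-To"),
        "x_sender": addr("X-Sender"),
        "x_originating_ip": ip("X-Originating-IP"),
        "x_source_ip": ip("X-Source-IP"),
    }
    # Reply-To on a different domain than From: answers go to a mailbox the From line hides.
    info["reply_to_mismatch"] = (bool(info["reply_to"])
                                 and domain_of(info["reply_to"]) != domain_of(info["from"]))
    # Notify any listed provider that hosts the sending or reply address.
    domains = {domain_of(info["x_sender"]), domain_of(info["reply_to"])}
    info["report_to"] = sorted(PROVIDER_ABUSE[d] for d in domains if d in PROVIDER_ABUSE)
    info["cc"] = list(AUTHORITIES)
    return info

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

The X- headers are written by the sending side and can be forged, so confirm the IP against the Received lines added by your own mail server before naming a provider in a report.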

Here is an example of an email I recently sent to Godaddy:

Godaddy Abuse,
There was a phishing attack that was sent from a Godaddy registered domain (jamcar.org) and hosted on a Godaddy email server.  We have reported this to the Federal Trade Commission, the Anti-Phishing Working Group, and the National Cybersecurity and Communications Integration Center.  The email and header info is attached.  Please remediate immediately.  Thank you.

I know what you’re thinking – this is a waste of time; these behemoth companies are just going to auto-reply and do nothing…blah, blah, blah.  I can tell you that almost every time I have reported a phishing scam, I did get an auto-reply, but that was followed up by a real human saying the problem was addressed.  They take this stuff seriously (in my experience).  And I hope that you’ll take this stuff seriously and do your part to report and stop phishing attacks.  I’m sure ARPANET would appreciate it.

Happy emailing.