There are a lot of bad things on the Internet, and few are worse than phishing scams. But there is a certain class of phishing scam that has earned a special level of disdain and disgust, at least from me. I’m talking about the phishing scams that target Hotmail customers using my name, my picture, and even my signature. Grrrr.
Let me clear something up right off the bat: I will never ask for your password. No one from Hotmail or Microsoft will ever ask for your password. In fact, no legitimate service will ever ask for your password. If you ever get an email asking for any password to any service, you can be sure, without a shadow of a doubt, that the email is a phishing scam. Just junk it. (Or, in Hotmail, mark it as a phishing scam using the “Mark As” menu.)
Spammers want to send spam. That’s what they do. As I said in my last post, we’ve made it hard for them to send spam with new accounts due to the effectiveness of our account reputation work. So, spammers have turned to hijacking customer accounts in order to send more spam.
Phishing scams are one of the simplest ways that spammers use to gain control of your account. The spammer sends an email that asks for your password, usually with a threat that your account is about to be closed. You reply, providing your password, and, Voila! Your account (and reputation) is hacked.
Spammers do this on all networks and all services – Hotmail, Gmail, Yahoo!, Facebook, AOL – spammers do not discriminate, and no service is immune.
Hotmail sends email to our customers fairly regularly to update people on various things, such as the availability of new software or features, or even to remind people about security measures, like creating a strong password or adding your mobile phone number to your account.
About a year ago, we decided that we would make these messages more personal by including my name, my picture, and my signature.
That decision has really come back to haunt me.
Almost immediately, the spammers copied that email, including my picture, name and signature, and modified the content so that it said something like “Your account is about to be shut down unless you reply to this email with your account name and password.”
This is a classic example of a phishing scam, and one of the most common ways that accounts get compromised. Here’s an example:
The bottom of that same email looks like this:
Yep. That’s me, all right. But that email is definitely not from me.
Phishing messages can look very real and convincing, so even smart, tech-savvy people fall for them. I get asked about this quite a bit.
Here’s a conversation that took place on my public Facebook page. The first person asks, “I got this message, is it really you?” In response, our Development Manager, Eliot, displayed both his penchant for pithiness and his mastery of high school French:
Phishing scammers know that they’ll get better response rates by using my pictures and my signature to produce email messages that look legitimate. They even translate their scams into multiple languages to broaden their reach.
As I’ve said, any email that asks for your password is a phishing scam and shouldn’t be trusted. You don’t need to look any further to know the message is a fake. Nonetheless, it’s interesting to see how “creative” the scammers can get. Here are some tactics scammers use to get people to provide their account info:
They copy Hotmail’s marketing images. These phishing messages usually contain the latest image from Hotmail’s own marketing campaigns, like this one:
They provide a bogus reason for needing your password. The messages usually contain an introduction that offers a false explanation about why they need your password. Some of my favorites include:
Rest assured: NONE of these will EVER be a legitimate reason to ask for your password.
They design a subject line to scare you. The subject lines call for your immediate attention and are often intended to be scary. Here are a few common examples:
(Scammers really like to use exclamation points!!!! A lot!!!)
They send the email from a bad “From” address. The “From” address in the email is often a dead giveaway. At a glance, it might look like you’ve gotten mail from the Hotmail Team. But if you look at the actual email address, it’s almost always something fishy (phishy?). Typically, scammers just use the name of a Hotmail customer account.
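The four tactics above map directly onto checks a mail filter or a security-awareness tool can run. The following is an added example (not Hotmail code, and not part of the original post) that parses a constructed message and flags a From display name that claims to be the Hotmail Team while the address sits at an ordinary customer domain, a scare subject line, and a body that asks for the password; the trusted sender domain and both sample messages are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the style the post describes: service name in the
# display name, a plain customer address, an alarming subject, a password ask.
SAMPLE_PHISH = """\
From: Hotmail Team <someuser123@hotmail.com>
Subject: ACCOUNT ALERT!!!! Verify your account now!!!
Content-Type: text/plain

Dear Hotmail user,
Your account is about to be shut down unless you reply to this email
with your account name and password.
"""

# Constructed legitimate announcement: reminds about passwords but never asks.
SAMPLE_LEGIT = """\
From: Hotmail Team <hotmail-updates@microsoft.example>
Subject: New features in Hotmail
Content-Type: text/plain

We've added a few features this month. Remember to choose a strong
password; we will never ask you to send it to us.
"""

# Assumed: the domain the service really sends announcements from.
TRUSTED_SENDER_DOMAINS = {"microsoft.example"}
# A verb asking for action, followed within 60 chars by "password".
PASSWORD_REQUEST = re.compile(r"\b(reply|send|provide|confirm)\b.{0,60}\bpassword\b", re.I | re.S)
SCARE_WORDS = re.compile(r"\b(alert|suspend|shut ?down|closed|delete|verify|immediately)\b", re.I)

def phishing_indicators(raw):
    """Return the list of indicators that fired; an empty list means none did."""
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims the service, address is not a service sender domain.
    if "hotmail team" in display.lower() and domain not in TRUSTED_SENDER_DOMAINS:
        hits.append("from-mismatch")
    subject = msg.get("Subject", "")
    if "!!" in subject or SCARE_WORDS.search(subject):
        hits.append("scare-subject")
    body = msg.get_payload(decode=True).decode(errors="replace")
    if PASSWORD_REQUEST.search(body):
        hits.append("password-request")
    return hits

def is_phishing(raw):
    """The post's rule: any password request is decisive; otherwise two indicators."""
    hits = phishing_indicators(raw)
    return "password-request" in hits or len(hits) >= 2
```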
In a perfect world, no one would ever give out their password, and the phishing scams would be ineffective, and would just stop. You’ve already taken a step to helping us get there by reading this post, and now you can help pay it forward by educating others.
Any email that asks for your password is a phishing scam. If anyone ever asks you, “Hey, is this email legit?” just say, “If it asks you for your password, then it is absolutely, definitely, without question a scam! Report it as junk!”
As a final note, some of you might be wondering, “Why can’t Hotmail detect these scams?” We can detect these scams and do detect many of them. But it’s just a numbers game, and spammers are capable of producing a huge volume of phishing scams, with enough variation in the text and images to fool our filters a small percentage of the time. In addition, it’s important for us to keep the false positives low – meaning that we don’t want to mistakenly identify a legitimate email sent from a good user as spam.
So, until we get to that perfect world without spammers, we’ll be here building better and better systems to battle the bad guys. Thanks for reading, and thanks for using Hotmail.
Dick Craddock, Group Program Manager, Hotmail
It is a pleasure to use hotmail.
I have been reading this blog since last week, and I am amazed about how much I am learning about the hotmail and the windows live team
@Dick Craddock (if you are not the right person, could you please forward):
I would like to suggest for Outlook for Windows a consolidated / unified inbox (as in Outlook 2011 for mac and Windows Live Mail), so that all messages from separate accounts appear in one inbox. At the moment Search Folders don’t work with Hotmail accounts.
Another suggestion is to use several consolidated folders: All mail, all unread mail, all unread mail from contacts, unread RSS feeds etc. (as in Windows Live Mail).
Tighter integration with Windows Live Messenger: when Live Messenger shows a new mail alert and one clicks on it, Outlook should open (instead of Live Mail / or browser with Hotmail) and the message should then already have been downloaded by Outlook (as Live Mail does).
I thank you in advance,
I hate phishers. Thanks for the heads-up.
Why don't you try to imitate phishers and try to see if you can get users to fall for phishing imitations, but instead of the link going to a place asking for your password it should say something like "Warning: If this were a real attempt your account would have been hacked!", and then you can directly present a link to a permanent website on guidelines of how to protect oneself from these attempts. This "oh $%^#, that could have been me" effect may be an effective way to get users to care. To stop annoying users just add an option to unsubscribe from these emails.
@cvdonato - Hotmail supports SSL. You can just type https://www.hotmail.com in the browser's address bar, or go to options->advanced privacy settings->use https for extra security
Does the webmail Hotmail Messenger also have its traffic encrypted by SSL? Is this protocol really secure, and how will the Live Hotmail team implement it? There are sites that report that hackers can get the username and password through this protocol as well.
Why don't you add the option in the Outlook Connector to (A) mark an e-mail as phishing and (B) report that my friend has been hacked? Why are some very important security options like these only available on the Web interface?
Secondly, why are the above options even on the Web interface only available under the Mark As menu but not at the top of the e-mail message when viewed in the preview pane or in full view? I might never click the Mark As menu. I might only use the links at the top of the message itself. There, I can't find anything that talks about phishing or reporting that my friend has been hacked.
And what is this bad way of phrasing things? Report that your friend is ... Perhaps he/she is not my friend. It is just a contact. Same goes for the Sweep menu, the ...s make no sense language-wise. Delete all from ...? Why don't you say simply "Delete all from sender"?
What I don't understand is that I report these diligently and they keep coming back. Why don't you add some security intelligence to the security heading where if it has "Account Alert" and multiple exclamations in the subject matter it is immediately deleted? Also, why not add a gold emblem just for promotional material in the header in the inbox when it's from the Hotmail team legitimately? So, if it comes from one of the fake Windows Live accounts and it doesn't show that special only-from-Hotmail-Team emblem, it goes straight to the spam folder? Why not delete any message that discusses Hotmail at all? I am sure the few persons who do discuss 'Hey Julie, check out the new Hotmail, its totally kool, Toodles" are in the minority? Another option: create a banner in Hotmail or a floating message that the user can click when you want them to check out promotional material? So, there is just no reason for any message discussing Hotmail to show up in my inbox?
@GoodThings2Life - I think many people are taken in by the scare-tactics. It's scary to think about losing your account. Also, I've heard directly from customers that the fact that MY picture and MY name are used give the email message more credibility (despite it being "obvious" that anyone could have sent it). I like your logic, though!
@Fed44 - great suggestion. We've sent emails like this in the past, but I agree - it's time to send another one. (Without my pic attached this time...)
@langware - I wish it were that easy. Detecting these messages accurately turns out to be a hard problem. The volume of any given campaign is low enough that they won't always trigger our filters. The content changes often enough that the filters can't get 'trained.' However, we DO, in fact, use our 'time travelling filter' to go back and remove some of them once they're detected (you can read more by searching for "time travelling filter" in this blog).
@RMC2276 - Thanks! Since you asked, my password is HotmailRulz... WAIT A MINUTE!!!!
What I find amusing is that they'd send these to Hotmail users and claim to be Hotmail... the fact that I got your message means that MY records weren't lost, and my account isn't deleted/shutdown/etc. Or how about this one... sending it to a non-Hotmail user that doesn't even have a Hotmail account. Either way, everything is fine, and I can safely disregard, because it obviously doesn't affect me. Amazing what a little bit of simple logic can accomplish.
It's just a shame that people so rarely take time to think things through.
Great article, but...
Who reads this blog?
why is this not in my email account? Someone who reads their spam will probably read this too.
Why not either remove such phishing messages before they are delivered to the end user, or (if that is not allowable), why not insert a huge red banner at the top of such phishing messages warning the end user that the message is very suspicious and Microsoft will never ask for private information via email?
Not all end users read The Windows Blog .... why not go right to the source (i.e., the phishing messages themselves) and either delete them or mark them with bold warnings?
Great article Dick! It must be incredibly frustrating to constantly try and stay ahead of spammers. I will forward this to some people who could definitely use an email refresher. By the way, what’s your Hotmail password?