Beware holiday season scams

Dec. 14, 2013

I received the following email the other day which I almost fell for…except my Spidey sense was tickled since it mentions orders in the future tense.

As it happens, like many people, I’ve made several Amazon orders over the past few weeks including books for myself and others. However, I knew that all the purchases had been delivered in good order. Nevertheless, I wondered for a moment whether there might have been one that was still pending.

As I looked more closely, the telltale signs of a scam emerged: a funky From address and return path…

Return-Path: <>

…and the fact that the order number in the Subject line didn’t match the order in the Details section. I also noticed that the order number format doesn’t match Amazon’s system…

…and the fact that the attachment was a ZIP file.

I have to confess that I was not 100% convinced until I took a closer look at the To line where I found that the email address indicated was one character short of my actual address. Clearly this could not have been delivered to me except by a mass scam email.


Subject: Your order RP4016454
From: =Amazon Store

Good afternoon,

Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on

Order Details

Order WN7327823  Placed on December 10, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon.
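The header and body checks described above can be automated. The following is an added example, not part of the original post: the function name `red_flags`, the addresses, the attachment name and the MIME layout of the sample are all constructed, and the order-ID pattern is inferred only from the two IDs in this message, not from Amazon's real format.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above; the addresses,
# attachment name and MIME layout are invented for illustration.
SAMPLE = """\
Return-Path: <>
From: Amazon Store <orders@example.invalid>
To: jan.do@example.com
Subject: Your order RP4016454
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Order WN7327823  Placed on December 10, 2013
Order details and invoice in attached file.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

placeholder bytes, not a real archive
--b1--
"""

# Shape of the two order IDs seen in this message (an assumption, see above).
ORDER_ID = re.compile(r"\b[A-Z]{2}\d{7}\b")

def red_flags(raw, my_address):
    """Return the warning signs from the post that are present in raw."""
    msg = message_from_string(raw)
    flags = []
    if msg.get("Return-Path", "").strip() in ("", "<>"):
        flags.append("empty Return-Path")
    to_addr = parseaddr(msg.get("To", ""))[1]
    if to_addr.lower() != my_address.lower():
        flags.append("To address is not mine")
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    subject_ids = set(ORDER_ID.findall(msg.get("Subject", "")))
    body_ids = set(ORDER_ID.findall(body))
    if subject_ids and body_ids and subject_ids.isdisjoint(body_ids):
        flags.append("order number in Subject differs from body")
    if any((p.get_filename() or "").lower().endswith(".zip") for p in msg.walk()):
        flags.append("ZIP attachment")
    return flags

if __name__ == "__main__": print(red_flags(SAMPLE, "jan.doe@example.com"))
```

An empty Return-Path also appears on legitimate bounce messages, so treat each flag as one signal among several rather than a verdict.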

I’ve written about this kind of scam before since it follows a sad but recognizable theme that I like to call “The Shotgun.”

This approach involves the scammer sending out a message that a high percentage of the population will immediately recognize as something they’ve recently done: sent a package, made a bank transaction or made an online purchase, for example.

It’s hard to resist clicking on the attached file because we know we just had some sort of business with, say, Chase Bank, UPS or the Happy Joytime Massage & Wine Bar.

(I subsequently learned from my Amazon customer service rep that “Amazon does not send order confirmations or other unsolicited requests that require you to open attachments.” So if you see an attachment, it’s probably bogus. And note that Amazon — a very fine company — had nothing to do with this.)

The final piece of the puzzle was confirmed when I scanned the full headers (available on most email systems) and found the following old-school scam device: hidden terms designed to spoof certain email system filters. I’m not entirely sure how it works nowadays, but in the past, spammers would insert invisible words, hidden simply by using “white type” which a computer would recognize but a human wouldn’t unless you highlight the white space. I’ll pause a moment while you go ahead and highlight the area below this line to see the letters magically appear (bearing in mind the background on this page isn’t white)…

/humanities/epicenter/Salk/Ekman/punt/zimmerman/ghoulish/Salo/thankyou/bala nces/edited/livable/Zig/Yanks/icici/Selma/makr/sexually/poderia/abap-world/r ewriting/logging/researcher/ticked/deployments/ticketek/ac3-distribution/cow orkers/fend/Egan/Luisa/Quran/compens/ultra-gauge/tss-rostov/thermasdeolimpia /referendum/japannetbank/armada/myalaskaair/ac3/Grafton/panna/kidkraft/mpl/e xtremt/masterbase/paddle/Lynda/rostov-don/starken/gor/otterbox/Navigators/cl imatique/Barstow/logging/lockwood/Hsu/warrants/kookai/pvda/journeys/quidsi/m

So there you have it.

Like a cheap Uri Geller stunt, Tarot reading or pet psychic performance…


…once you know how the scam works, you almost feel stupid for not seeing it right away.


One comment on “Beware holiday season scams”

  1. charleycrews says:

    Moot point. In the TRUE spirit of Christmas we are not exchanging gifts. Rather, something closer to the reason.

    Merry Christmas!

    Don aka Daddoo

