Phishing emails – what to look for and do with them

Well, while I have a fresh one here, I thought I would show you what a phishing email looks like and what to do with one when you get it.

Payza: Important Notice Account Holder

This is an automated email, please do not reply 

Dear Member

Accepting our terms of service during the account registration is considered as your digital signature and is a legally binding agreement between you and Payza. You need validate before you can use full access your Payza account.

Please click on the following link to validate your account:

Click here to validate your account.  (this was clickable and I broke the link for this blog post example)

If you not validate, your account will temporary frozen with unknown period.

Follow Us on our Blog on Facebook on Twitter

Thanks for choosing Payza (formerly AlertPay),
The Payza Team

Need Assistance?
We’re happy to help by phone Monday to Friday 8:00am to 7:00 pm EST, or by email
Copyright 2013 Payza (formerly AlertPay). All rights reserved.

OK, this is an example that I got today, and I get a lot of these. Never, never, never click on the links in these emails, as someone is using this email to fish for your info. The biggest clue here for me is when it says Dear Member – PayPal, Payza, eBay, all these companies use your first name and will never start off their emails with Dear Member.

What do you do when you get one? Here is what I do: I click on Actions, click on Show Header, copy all that info, and forward this email and the header info to phishing@payza.com. If you don’t remember the address to send it to, just search Google for where to send phishing emails for PayPal, Payza, eBay, etc., wherever you got the email from. Don’t know what a header looks like? Here is what the header looked like for this one.

From Payza Wed Apr 17 12:32:46 2013
X-Apparently-To: wisgrandma@yahoo.com via 72.30.237.10; Wed, 17 Apr 2013 12:38:00 -0700
Return-Path: <anonymous@maiil.manukinvest.net>
Received-SPF: none (domain of maiil.manukinvest.net does not designate permitted sender hosts)
X-Originating-IP: [199.19.116.218]
Authentication-Results: mta1253.mail.sk1.yahoo.com  from=payza.com; domainkeys=neutral (no sig);  from=payza.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO maiil.manukinvest.net) (199.19.116.218)
    by mta1253.mail.sk1.yahoo.com with SMTP; Wed, 17 Apr 2013 12:38:00 -0700
Received: (qmail 25999 invoked by uid 48); 17 Apr 2013 19:32:46 -0000
Date: 17 Apr 2013 19:32:46 -0000
Message-ID: <20130417193246.25996.qmail@maiil.manukinvest.net>
To: wisgrandma@yahoo.com
Subject:  Payza: Important Notice Account Holder
X-PHP-Script: daguruinside.com/dag.php for 180.214.233.35
From: Payza <noreply@payza.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Content-Length: 3697
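
The header above can also be checked by a short script. The following is an added example, not part of the original post: it reads the header lines shown above and lists the signs that the message did not come from payza.com, plus the sending IP you would look up. The function names `triage` and `org_domain` are made up for this example, and the domain comparison is a simple last-two-labels assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the example above (long opaque X-YMail lines left out).
SAMPLE = """\
Return-Path: <anonymous@maiil.manukinvest.net>
Received-SPF: none (domain of maiil.manukinvest.net does not designate permitted sender hosts)
X-Originating-IP: [199.19.116.218]
Authentication-Results: mta1253.mail.sk1.yahoo.com  from=payza.com; domainkeys=neutral (no sig);  from=payza.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO maiil.manukinvest.net) (199.19.116.218)
 by mta1253.mail.sk1.yahoo.com with SMTP; Wed, 17 Apr 2013 12:38:00 -0700
X-PHP-Script: daguruinside.com/dag.php for 180.214.233.35
From: Payza <noreply@payza.com>
Subject: Payza: Important Notice Account Holder

"""

def org_domain(addr):
    """Naive registrable domain: last two labels (assumption; ignores co.uk-style suffixes)."""
    host = addr.rsplit("@", 1)[-1].strip("<> ").lower()
    return ".".join(host.split(".")[-2:])

def triage(raw):
    """Return the warning signs found in a raw header block and the connecting IP."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    bounce_dom = org_domain(parseaddr(msg.get("Return-Path", ""))[1])
    flags = []
    if bounce_dom and bounce_dom != from_dom:
        flags.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")
    spf = msg.get("Received-SPF", "").split(" ", 1)[0].lower()
    if spf != "pass":
        flags.append(f"SPF result: {spf or 'missing'}")
    m = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""))
    dkim = m.group(1) if m else "missing"
    if dkim != "pass":
        flags.append(f"DKIM result: {dkim}")
    if msg.get("X-PHP-Script"):
        flags.append(f"sent by a web script: {msg['X-PHP-Script']}")
    # The IP in parentheses on the top Received line is the one to look up in WHOIS.
    top_received = " ".join((msg.get_all("Received") or [""])[0].split())
    ips = re.findall(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", top_received)
    return {"flags": flags, "sending_ip": ips[0] if ips else None}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
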

This info is important to these departments as it helps them track down these people faster. Most of the time you will get an automated letter back from that department saying that they got your email and will answer it soon. You will then get an answer back from whoever you sent the email to, and it will look like this.

Dear Nancy Radlinger,

Thank you for contacting Payza.

We would like to thank you for forwarding this information to us.

As you know, Payza is not associated in any way with the email you have received. Please be aware that some individuals send emails using Payza’s branding and logo to defraud members and/or gain access to sensitive personal information.

If you receive an email that claims to be from Payza but was sent from a different domain or an email asking you to provide your password, transaction PIN, or to verify your account information, this email was not sent from Payza.

You can visit our Security Center if you would like more information. https://www.payza.com/security. We place these warnings on our site for the protection of our Payza members.

Sincerely,

The Account Security Team
Payza.com

Ticket Details
———————————
Ticket ID: CUY-459-48773
Department: Phishing Reports
Type: Issue
Status: Closed
Priority: High

Support Center: https://helpdesk.payza.com/index.php?

So please be aware of all this, as these can come from many different companies. As I’m writing up this email, I got another one from Payza. Be on the alert and report them so that these people can be caught. Thanks

4 thoughts on “Phishing emails – what to look for and do with them”

  1. Second message says in the header: Received: from 127.0.0.1 (EHLO maiil.manukinvest.net) (199.19.116.218). I take the domain name and check the IP for that domain, manukinvest.net. Then I open this website ( http://whois.arin.net ), enter the IP address at the top and hit Enter. Then click Related organization’s POC records. Then click abuse point of contact, then forward that email to that abuse email, ask them to stop this scammer spammer, post the full header and message under that, and send. They usually stop them. Some emails cannot be found out doing this but most can.
