Shop Online? Watch out for Fake Email Order Scam

Brandon Dimmel's picture

A new report suggests that hackers are using fake email orders with malicious links to fool victims into installing malware onto their machines. Security experts are therefore warning all Internet shoppers to take extra care when opening their emails this holiday season.

According to Brian Krebs, a former Washington Post writer who covers cyber crime, the problem is becoming more and more prevalent. "If you receive an email this holiday season asking you to 'confirm' an online e-commerce order or package shipment, please resist the urge to click the included link or attachment," Krebs notes on his blog. "Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities." (Source:

Asprox Spam Botnet Harvests Personal Information

Security experts at Malcovery, a firm that monitors email-based malware threats, say that many hackers are currently using this tactic to spread the Asprox spam botnet. Once a system is infected, personal information is harvested from the victim's PC (including passwords, and possibly credit card data); the PC then becomes part of the spamming botnet to propagate itself onto other machines.

Malcovery says people should look out for subject lines that read the following: "Acknowledgment of Order," "Order Confirmation," "Order Status," "Thank you for buying from [insert merchant name here]", and a "Thank you for your order."

Scammers Getting Better at Designing Fake Emails

The tactic is essentially 'phishing,' or the use of legitimate-looking emails designed to convince victims to click on malicious links. Craig Young, a security researcher at Tripwire, says past phishing campaigns were easy to spot because the scams looked so incredibly fake and often contained obvious spelling errors. But that's changing, Young insists.

"Scammers have become incredibly good at making fraudulent emails look legitimate to the untrained eye," Young said. "Attackers will commonly flood the web with spam mail claiming you have a package waiting to be picked up, an order awaiting confirmation, and a plethora of other emails designed to get users to click links." (Source:

Busy People Easy Targets during Holiday Season

The holiday shopping season is particularly lucrative for phishing scammers who know that people are expecting lots of emails confirming their purchases through online retailers, such as Amazon. That makes it far easier to trick people into clicking on a fishy email link. Ken Westin, who also works in security at Tripwire, says hackers "are able to take advantage of people's impulsive nature more easily during this time of year."

What's Your Opinion?

Have you ever been affected by a holiday season phishing scam, or a courier email scam purporting to have tracking ID on a package shipment? Do you use any particular strategy for spotting and filtering out spam emails? Do you agree that phishing scams are getting harder to recognize?

Rate this article: 
Average: 4.9 (11 votes)


mummsy's picture

Yes, scammers are getting better at looking like the real thing, but they still make mistakes. Read everything VERY carefully; you will probably find misspellings and wording that isn't quite right. Also, if you haven't ordered from ABC company, don't open the bloody e-mail!!! I have received several e-mails from "Fed-EX". Funny thing is, I hadn't ordered anything, and no family member was sending me anything. Those went immediately to the real Fed-Ex abuse email.