Don’t Be Fooled By This New “Helpful” Email Scam

Christian Cawley 04-04-2017

It’s becoming easier to spot a scam email How to Spot a Phishing Email Catching a phishing email is tough! Scammers pose as PayPal or Amazon, trying to steal your password and credit card information, are their deception is almost perfect. We show you how to spot the fraud. Read More claiming to be from your bank, or Amazon, or even a friend. And scams from strangers are simple to spot.


Or are they?

A new email scam currently sweeping the UK (and looking set to spread to the USA, Canada, and beyond) is deceptive in its simplicity. In short, it doesn’t pretend to come from a business or institution which you’re connected to. It isn’t masquerading as a message from a friend or relative.

In fact, it’s pretty explicit in its admission that the sender has information about you. The trick here is in the presentation, and the attachment.

The Scam That Knows Where You Live

A few days ago, into my inbox popped an unusual email. It wasn’t stopped by my email-scanning tool, or highlighted as spam, and it appeared to originate from a kind-hearted individual who was trying to help me out…

Hello Christian!

I am bothering you for a very serious reason. Though you don’t know me, but I have a large ammount [sic] of data concerning you. The matter is that, most likely mistakenly, the data of your account has been sent to me.

For example, your address is:


I am a lawful citizen, so I decided to personal information may have been hacked. I pinned the file – that I received, that you could learn what info has become accessible for scammers.

Document password is – 6096

Bets wishes

Norene Liano

It’s a fascinating read, isn’t it? Here we have, at first glance, a helpful email from Norene Liano (which may be a fake name, or the name of a botnet-controlled email account), sending you some of your own personal data. They don’t want scammers to affect you.


How kind!

But if we look closely, we can see something else going on; something that identifies this as a clever scam.

Of Course, It’s a Scam!

Now, when I first received this email, I was out and about, so it was picked up by the Gmail app on my Android device. It’s clearly a scam (the whole concept of someone “sending” me my data was enough of a giveaway) — yet the fact that the email featured my actual living address was somewhat concerning.

Don't Be Fooled By This New "Helpful" Email Scam muo new email scam msg


However, research proves that there are many places in which you can find my address. The concerning part is the matching of my email address with my postal address. This suggests that an online store, bank, utility, or other business I have a consumer relationship with has been hacked.

With so many hacks occurring over the years, it’s tricky to narrow down which one, but at this stage I’m going to suggest eBay. It’s one of the few online accounts that has my address, and has been the target of some major hacks in recent years The eBay Data Breach: What You Need To Know Read More . The security was such a mess that we once recommended abandoning the online auction store altogether 7 Security Reasons Why You Should Avoid eBay In the last few years, eBay has been hit with seemingly endless hacks, data breaches, and security flaws, which they've struggled to deal with. Are eBay trustworthy, or should you avoid shopping with them? Read More .

Have You Been Pwned?

The origin of the address data continues to pique my interest. Some have suggested the UK electoral roll, or a charity. However, the lack of recent hacking reports around these institutions means I continue to suspect eBay.

And this means that the scam won’t be centered on the UK. Sooner or later, it’s going to hit Canada, the USA, Europe, Australia… and then everywhere else in the world.


Don't Be Fooled By This New "Helpful" Email Scam New Email Scan HIBP Blur


Whether the data has come from an eBay hack or not, you should check the website Have I Been Pwned? Use the form to input your email address and check what breaches involved your data Are Hacked Email Account Checking Tools Genuine Or A Scam? Some of the email checking tools following the alleged breach of Google servers weren't as legitimate as the websites linking to them might have hoped. Read More .

If you find anything, make sure you change your passwords.


The Attachment

Now, the presence of my postal address is really a dangling carrot with which to draw me in. If you received this message from a stranger, bearing your postal address, you’d want to check what other information was leaked, wouldn’t you?

Don't Be Fooled By This New "Helpful" Email Scam muo new email scam attachment

The attachment that ships with these messages is in the DOT format, used for Microsoft Word template documents. This is a useful file type that you can use to create a standard document template — perhaps a letter — that can be reused over and over Save Word Documents as Templates for Easier Editing Saving an Office file as a template means that you can quickly make multiple versions from one master without accidentally overwriting it. Here's how. Read More . It’s also capable of running macros How to Protect Yourself From Microsoft Word Malware Did you know that your computer can be infected by malicious Microsoft Office documents, or that you could be duped into enabling the settings they need to infect your computer? Read More .

Macro scripts have been the cause of many security issues in the past, so much so that they’re disabled by default. Some security researchers recommend avoiding Microsoft Office entirely, due to the threat from macros.

If you opened the attachment and had Word installed on your PC, you would see a prompt to input the password stated in the email (in my case, 6096). This would then display a standard This Document is protected! screen, which demands that you enable macros. To do this, you would click the Enable Content button.

Do not do this!

This is the point at which the trap is sprung. Enabling the macro will result in you being infected with the Troj/Agent-AURH zombie malware. This is botware; the malware will communicate with its command-and-control network to await instructions. Perhaps it will coerce your computer to take part in a DDOS How Can You Protect Yourself Against a DDoS Attack? DDoS attacks – a method used to overburden Internet bandwidth – seem to be on the rise. We show you how you can protect yourself from a distributed denial of service attack. Read More . Or, the malware could download other malicious software to your PC — anything from worms to a data-encrypting ransomware infection Beat Scammers With These Ransomware Decryption Tools If you've been infected by ransomware, these free decrypting tools will help you unlock and recover your lost files. Don't wait another minute! Read More is likely.

Never Open Odd Email Attachments!

By now, email scanning tools should be updated with the profile data of this scan. If not, you know what to look out for. We’d suggest that you remain vigilant with online and computer security 5 Vital Computer Security Tips You Need To Learn Today It isn't enough to just want to be secure; you have to actively ensure your digital security, day in, day out. These five tips will help. Read More , and avoid opening unsolicited email attachments.

In fact, avoid all email attachments with unusual file extensions. In this age of cloud storage, there is no real reason why anyone should send a document when they can share it from the cloud.

Should you receive an email that you’re confused about, the best thing to do is leave it until you can find someone you know and trust to give you their opinion. If that person is more technologically savvy than you, even better. Don’t ask the sender for advice. They’re likely to tell you to open the attachment!

If in doubt, delete. No one is sending you money via email, so you won’t miss out on anything by ignoring it.

Have you received an email of this type? Did you open, or delete? Tell us about it in the comments.

Image Credit: wk1003mike via

Related topics: Malware, Phishing, Scams.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. dragonmouth
    August 31, 2017 at 8:34 pm

    "there is no real reason why anyone should send a document when they can share it from the cloud."
    Excuse a dumb question but can't malware and/or macros be embedded in a cloud document?

  2. jeffrey Faul
    April 16, 2017 at 6:45 am

    There is often a dead give away that your email has been constructed in a country where english is not the first language. Note the line "that you could learn what info" ? also
    "so I decided to personal information" ? also "what information has been accessible
    for scammers" ? The whole thing is a is an inane grammatical joke that in Canada would be deleted immediately by anyone in grade 9 or above. This is not a carrot ,
    it's a turd. However may I brighten your day by telling you that you are the winner of a week in Vegas and I just need your Amex information for a small $25 administration fee. Please don't delay as I have the king of Burundi on the other line.

    • Christian Cawley
      April 17, 2017 at 6:52 pm

      Why don't you restrict your comments to being helpful and not assuming everyone with an internet connection is as "smart" as you?

  3. Mike
    April 12, 2017 at 6:01 am

    Curiosity is the "bait" in this case. Don't take the bait, if it comes out of the blue, from some strange "person" flush it immediately.
    The real hard ones are the ones that come from friends. There is email malware that compromises an unwary friend and sends itself to all the addresses in that person's address book, if you are one of the friends you will get bitten unless you are very sharp and vigilant.
    If you get bitten call them and let them know they should call everyone in their email address book and warn them. IMMEDIATELY

  4. Mike
    April 11, 2017 at 9:36 pm

    I think this is one more reason to run your email program and browser sandboxed. I am sure it has saved my bacon in the past. If they can't access your hard-drive,they can't install malware on your computer.

  5. Matt Hawkins
    April 11, 2017 at 9:09 am

    It's eBay leaking the data. I had an email using my wife's name, our address but sent to one of my email addresses. The only place where this information is linked is eBay.

    I suspect one of the numerous Chinese sellers I've used has either sold the info or been hacked.

    • Christian Cawley
      April 11, 2017 at 9:21 am

      Thanks for your comment, Matt, this is very useful.

  6. Phil
    April 4, 2017 at 11:40 pm

    I got one of these last week. The email address I used was only used with linkedin.

    • Christian Cawley
      April 7, 2017 at 7:51 pm

      Did you give your postal address to LinkedIn?

      • Phil
        April 7, 2017 at 8:18 pm

        Yes, it's the only account I have that uses that email address and has my home address.

        • Christian Cawley
          April 11, 2017 at 9:22 am

          Interesting, I have no recollection of giving my postal address to LinkedIn, and I've also checked my account and can find no reference to it.

          Do you have a LinkedIn Pro account?

  7. 96XJ
    April 4, 2017 at 8:21 pm

    I also got this email last week. Had my correct information too. Interesting thought on eBay. The email used hasn't been owned "yet" but I suspect there's a breach not known...

  8. ReadandShare
    April 4, 2017 at 7:04 pm

    I think I am protected on this one. My free WPS Office CANNOT run macros.

    • Christian Cawley
      April 4, 2017 at 7:36 pm

      A worthy tip!

  9. Al
    April 4, 2017 at 4:31 pm

    Got one of these last week. Was addressed to the name I used for my eBay account (included some extra info) so I've changed my eBay and PayPal addresses just to be safe.

    P.S. I've only ever used that name on eBay hence I'm pretty sure that's where they got my details.

    • Christian Cawley
      April 4, 2017 at 7:35 pm

      Hi Al, thanks for sharing that. EBay seems increasingly likely.