Scamy Looking E-Mail

What does it take to look like a job scam email?

There are a number of things to notice about this. In no particular order, and each by itself doesn’t necessarily say scam, but added up, if you proceed, it should be with caution.

  1. The “From” doesn’t match the name at the bottom of the Email.
  2. The “From” doesn’t match the person referenced in email, and there is no explanation about the individual sending the email being a recruiter, or setting up a meeting for someone else.
  3. The “To” isn’t addressed to me, or even someone I know.
  4. The person wants to communicate via Google Hangout instead of official email or phone call from the company they supposedly represent (in this case, Tricostar).
  5. None of the email addresses listed (From, Reply-To, etc) are Tricostar.
  6. How often does the Board of Directors of a successful company do the hiring of receptionists, data entry personel, or administrative assistants? The board is busy dealing with guiding the executive suite.
  7. The grammer is pretty bad, even by today’s (lack of) standards.
  8. The email is sent from a free email service.

What does it look like?

Here is the email, complete with headers so you can see all the details.

 1Return-Path: <kissspager@dcemail.com>
 2Delivered-To: <louisk @cryptomonkeys.org>
 3Received: from mail.example.com
 4	by mail.example.com (Dovecot) with LMTP id S3n7MLfIk1ZWfQEAKZf1vA
 5	for <louisk @cryptomonkeys.org>; Mon, 11 Jan 2016 07:22:31 -0800
 6Received: from localhost (localhost [127.0.0.1])
 7	by mail.example.com (Postfix) with ESMTP id AA7BC1A68FC9
 8	for <louisk @cryptomonkeys.org>; Mon, 11 Jan 2016 07:22:31 -0800 (PST)
 9Received: from mail.example.com ([127.0.0.1])
10 by localhost (mail.example.com [127.0.0.1]) (maiad, port 10024) with ESMTP
11 id 97510-03 for <louisk @cryptomonkeys.org>;
12 Mon, 11 Jan 2016 07:22:30 -0800 (PST)
13X-Greylist:
14Received: from imta-37.everyone.net (sitemail3.everyone.net [216.200.145.37])
15	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
16	(No client certificate requested)
17	by mail.example.com (Postfix) with ESMTPS id 737151A688DF
18	for <louisk @cryptomonkeys.org>; Mon, 11 Jan 2016 07:22:30 -0800 (PST)
19Received: from pps.filterd (localhost.localdomain [127.0.0.1])
20	by imta-38.everyone.net (8.14.5/8.14.5) with SMTP id u0BDo3GD020198;
21	Mon, 11 Jan 2016 05:55:02 -0800
22X-Eon-Originating-Account: nMUOZ7QILgmbCAvPvvqErMRRSK8WB2rGhuVfP-QodLIEegaulTHVGdmWkQlcly6x
23X-Eon-Dm: m0087469.ppops.net
24Received: by m0087795.mta.everyone.net (EON-PICKUP)
25	id m0087795.5672ed2e.24779; Mon, 11 Jan 2016 05:55:01 -0800
26MIME-Version: 1.0
27Content-Type: text/html; charset="UTF-8"
28Message-Id: <20160111055501.B0E8061C@m0087795.ppops.net>
29date = Mon, 11 Jan 2016 05:55:01 -0800
30From: "Kelly Edmonds" <Kissspager@dcemail.com>
31Reply-To: <Kissspager@dcemail.com>
32To: <kelseyarthur54@gmail.com>
33Subject: JOB OPENING WITH TRICOSTAR COMPANY LIMITED
34Content-Transfer-Encoding: base64
35X-Eon-Sig: AQPb9hpWk7Q1dIgDEQEAAAAL,c1531544ed17720840bc14816af1a5e7
36X-Originating-Ip: 108.59.10.153
37X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21,1.0.33,0.0.0000
38 definitions=2016-01-11_08:2016-01-11,2016-01-11,1970-01-01 signatures=0
39X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=10
40 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx
41 scancount=1 engine=7.0.1-1511060000 definitions=main-1601110247
42X-Virus-Scanned: Maia Mailguard 1.0.3
43X-Spam-Status: Yes, hits=14.684 tagged_above=1 required=5 tests=BAYES_50=3,
44 FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, HTML_MESSAGE=0.001,
45 HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=3, RCVD_IN_DNSWL_LOW=-0.7,
46 SPOOFED_FREEM_REPTO=1.999, SUBJ_ALL_CAPS=1.506, X_MONKEY_FORMMAIL=1,
47 X_MONKEY_PROXY=3.5
48X-Spam-Level: **************
49X-Spam-Flag: YES
50
51GREETINGS,
52
53After we have critically perused your  resume and the details therein on 
54WASHINGTON WORKSOURCE , the board of directors have come to a memorandum of 
55understanding and have taken a concise decision,we feel you may be the best 
56candidate for the vacant position within our company and  hereby invite you for 
57an on-line interview right away with Mrs. Kelsey Arthur, who is of  the human 
58resource department. You are hereby advised to read carefully about this job 
59position.
60
61Job +++
62title = "  Administrative Executive,Administrative Assistant,Data Entry,Receptionist,Customer Care Representative.
63
64Organization: Tricostar Company Limited
65
66Key Responsibility: Provides  services by implementing administrative
67systems, procedures, and policies, and monitoring administrative
68projects.
69
70Requirements: High school Diploma/College Degree
71
72Basic Skills: Reporting Skills, Administrative Writing Skills, Microsoft
73Office Skills, Managing Processes, Organization, Analyzing Information ,
74Professionalism, Problem Solving, Supply Management, Inventory Control,and
75Verbal Communication as well.
76
77
78If you meet the desired qualifications and would like to be considered
79for the position, it is expedient you followed the instructions provided below :
80
81Make sure you have gmail account on your PC or tablet, if you don't
82have, you can do that on-line at www.gmail.com. Then create a gmail log-in with 
83which you would use to gain access to google hangout.Once you have access, add
84Mrs. Kelsey as a contact, her screen name with google hangout is: Kelseyarthur54
85
86If the stipulated time conflicts with your schedule, it is expected of you to email Mrs. Kelsey at this email address: 
87kelseyarthur54@gmail.com
88She will be standing by to abreast you with the rudiments of this job position 
89via  google hangout. It is expedient to get on-line ASAP. I Wish you  best of 
90Luck in the interview.
91 
92Sincerely,
93Booker Haris
94
95 
96Washington DC's Largest FREE Email service. ---> http://www.DCemail.com ---> A Washington Online Community Member --->
97http://www.DCpages.com

The first task in my training

Because I was curious how this would work, I went through their interview process (on google hangout). At the end, the “Board of Directors” approved of my qualifications and I was given an offer letter. I had to go through 2 weeks of “training” before I would be ready for my new job. The first task they had me do was to look up various bits of financial information in the public SEC database, edgar. They also imposed a time limit of 3hrs on this (it took about 20min). I submitted the answers, and also let them know that for tax purposes, I would need Tricostar’s Federal Tax ID. I haven’t heard back on what task 2 is supposed to be yet.

There are more clues here. The letter is addressed to “Dear Employee” (they still don’t know my name after hiring me? Awkward). They still don’t use any official @tricostar.com email.

Further, the training appears to be considered busy work even by “my supervisor” who doesn’t explain why any of this is relevent to my job, or even how knowing this kind of information will help the company.

  1Return-Path: <kelseyarthur54@gmail.com>
  2Delivered-To: <louisk @cryptomonkeys.org>
  3Received: from mail.example.com
  4	by mail.example.com (Dovecot) with LMTP id f2RiK8MwnVb6CQEAKZf1vA
  5	for <louisk @cryptomonkeys.org>; Mon, 18 Jan 2016 10:36:51 -0800
  6Received: from localhost (localhost [127.0.0.1])
  7	by mail.example.com (Postfix) with ESMTP id 94D5A1A68C99
  8	for <louisk @cryptomonkeys.org>; Mon, 18 Jan 2016 10:36:51 -0800 (PST)
  9Received: from mail.example.com ([127.0.0.1])
 10 by localhost (mail.example.com [127.0.0.1]) (maiad, port 10024) with ESMTP
 11 id 66939-09 for <louisk @cryptomonkeys.org>;
 12 Mon, 18 Jan 2016 10:36:51 -0800 (PST)
 13Received: from mail-ig0-f174.google.com (mail-ig0-f174.google.com [209.85.213.174])
 14	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 15	(No client certificate requested)
 16	by mail.example.com (Postfix) with ESMTPS id 24F881A68C84
 17	for <louisk @cryptomonkeys.org>; Mon, 18 Jan 2016 10:36:51 -0800 (PST)
 18Received: by mail-ig0-f174.google.com with SMTP id t15so61253926igr.0
 19        for <louisk @cryptomonkeys.org>; Mon, 18 Jan 2016 10:35:48 -0800 (PST)
 20DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 21        d=gmail.com; s=20120113;
 22        h=mime-version:date:message-id:subject:from:to:content-type;
 23        bh=3UX6XJgBs3UMxMP5/AvDM09eCxQD6MgaRIJGOHEO9w0=;
 24        b=I+XBf5xI93iFBqlmxFr4grvzuAqX67WsDPlPhkgAWxmh612ylb9U3EnvmgYOrknnTZ
 25         egl3PjTU1nqh7aysvV741Wkqqvyv4lRW6mTiorNS/NAz2bTNzPaW0RtiNq+GH5UKF1K2
 26         C06OukYVM4nVVYB+OVQmrdE5HK/3IJ4jwxwMfIwOPyvW35VhvY0eh38NSvVC2XYEPwJp
 27         TgBW79/X0NDYlylExypDcMEMK2FscJaV68GLCWvugMTpSsdJgB/gsHfJVVqPlhoYVvLQ
 28         g2LgDHy7XOplEGts8/8Avt4zsaip7+184D7nRvnWB4hdiyN8ngmSpLqjO/mg6c1LgKvA
 29         cqpA==
 30X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 31        d=1e100.net; s=20130820;
 32        h=x-gm-message-state:mime-version:date:message-id:subject:from:to
 33         :content-type;
 34        bh=3UX6XJgBs3UMxMP5/AvDM09eCxQD6MgaRIJGOHEO9w0=;
 35        b=YVlB1qjSrf7ugSVlwVeGabfX4lh7hQt4O6YcblJZIxE4bnxpm84eVNNmiCQNjshlVq
 36         6TSXJOcGGVsoSSuH373tqSOK0ZMsktHbSqHfv0bK6LZ9ZAT2bFuQMo9roIqk+4PrmvTN
 37         zpY+Fio/OHTKQH4z0s5CXOclbyEMbnnOLvM29hXkRMyfaMQYGwUtT2fk6lUL9xjpRC56
 38         /VEih0MrF4YTnOpsORC7eUa7sGAVLmfrU1+Rw83u8Cu6t4QhJYEhLVi1vUyXiaGeeKPX
 39         khNG3hocBMi5NhQ6TU6ZNrGekVuqOHXiZMSc1vtN8dj4Pltzs7eRDF4LNXkQtIoqQ/Uo
 40         FqEQ==
 41X-Gm-Message-State: AG10YOSS7Rg6KCsisGmqYhrtT/+pBU0dvkpnd4SJQRaO97rFpkmpzpzK61/aZkZBMZbR9LpcmjlfSkOYfdLTcg==
 42MIME-Version: 1.0
 43X-Received: by 10.50.155.106 with SMTP id vv10mr10716469igb.41.1453142147476;
 44 Mon, 18 Jan 2016 10:35:47 -0800 (PST)
 45Received: by 10.50.2.162 with HTTP; Mon, 18 Jan 2016 10:35:47 -0800 (PST)
 46date = Mon, 18 Jan 2016 10:35:47 -0800
 47Message-ID: <CAHdipFtq-0DBOVMMEaoQrnmpDRijoEzZ00y5q6d56KbjS0E1nQ@mail.gmail.com>
 48Subject: TRAINING TASK 1
 49From: Kelsey Arthur <kelseyarthur54@gmail.com>
 50To: Louis Kowolowski <louisk @cryptomonkeys.org>
 51Content-Type: multipart/alternative; boundary=001a11346b4882359f0529a00537
 52X-Virus-Scanned: Maia Mailguard 1.0.3
 53
 54
 55--001a11346b4882359f0529a00537
 56Content-Transfer-Encoding: 7bit
 57Content-Type: text/plain;
 58	charset=UTF-8
 59
 60Dear Employee,
 61Complete this task
 62(A)
 63This is to introduce you to EDGAR, the SEC's database of financial
 64information about publicly owned companies. The SEC maintains EDGAR to
 65give the public free access to information about publicly owned
 66companies.
 67Instructions
 68Access EDGAR at the following Internet address:
 69http://www.sec.gov/cgi-bin/srch-edgar
 70Then type STARBUCKS CORP into the search box and press the return key.
 71Select Starbuck's most recent Form 10Q (a required quarterly filing
 72that includes quarterly financial statements).
 73What is the street address of Starbuck's corporate headquarters?
 74Scroll down to the balance sheet. Have the company's total assets
 75increased or decreased since the last report? How much have they
 76increased or decreased?
 77(B)
 78Each year, Fortune magazine ranks the leading 500 American-based
 79corporations in terms of total revenue earned.
 80Instructions
 81Visit the Fortune home page at: http://www.fortune.com
 82Identify the three global most admired Fortune 500 companies.
 83Select one of the listed companies, locate this company in the EDGAR
 84database: http://www.sec.gov/cgi-bin/srch-edgar Select the company's
 85"Form 10K" and locate comparative income statements for the past three
 86years. Comment on the pattern of changes in total revenue and net
 87income over the past three years.
 88Obtain financial information about McDonalds Corp sales or earnings.
 89Go to http://www.mcdonalds.com/
 90Click on Corporate McDonald's - McDonald's Quarterly Global Results
 91Press Release
 92What are the "Key highlights - Consolidated"
 93Dollars in millions, except per common share data
 94
 95Time Limit : 3 hours
 96
 97--001a11346b4882359f0529a00537
 98Content-Transfer-Encoding: quoted-printable
 99Content-Type: text/html;
100	charset=UTF-8
101
102<div dir=3D"ltr"><div>Dear Employee,</div><div>Complete this task</div><div=
103>(A)</div><div>This is to introduce you to EDGAR, the SEC&#39;s database of=
104 financial</div><div>information about publicly owned companies. The SEC ma=
105intains EDGAR to</div><div>give the public free access to information about=
106 publicly owned</div><div>companies.</div><div>Instructions</div><div>Acces=
107s EDGAR at the following Internet address:</div><div><a href=3D"http://www.=
108sec.gov/cgi-bin/srch-edgar">http://www.sec.gov/cgi-bin/srch-edgar</a></div>=
109<div>Then type STARBUCKS CORP into the search box and press the return key.=
110</div><div>Select Starbuck&#39;s most recent Form 10Q (a required quarterly=
111 filing</div><div>that includes quarterly financial statements).</div><div>=
112What is the street address of Starbuck&#39;s corporate headquarters?</div><=
113div>Scroll down to the balance sheet. Have the company&#39;s total assets</=
114div><div>increased or decreased since the last report? How much have they</=
115div><div>increased or decreased?</div><div>(B)</div><div>Each year, Fortune=
116 magazine ranks the leading 500 American-based</div><div>corporations in te=
117rms of total revenue earned.</div><div>Instructions</div><div>Visit the For=
118tune home page at: <a href=3D"http://www.fortune.com">http://www.fortune.co=
119m</a></div><div>Identify the three global most admired Fortune 500 companie=
120s.</div><div>Select one of the listed companies, locate this company in the=
121 EDGAR</div><div>database: <a href=3D"http://www.sec.gov/cgi-bin/srch-edgar=
122">http://www.sec.gov/cgi-bin/srch-edgar</a> Select the company&#39;s</div><=
123div>&quot;Form 10K&quot; and locate comparative income statements for the p=
124ast three</div><div>years. Comment on the pattern of changes in total reven=
125ue and net</div><div>income over the past three years.</div><div>Obtain fin=
126ancial information about McDonalds Corp sales or earnings.</div><div>Go to =
127<a href=3D"http://www.mcdonalds.com/">http://www.mcdonalds.com/</a></div><d=
128iv>Click on Corporate McDonald&#39;s - McDonald&#39;s Quarterly Global Resu=
129lts</div><div>Press Release</div><div>What are the &quot;Key highlights - C=
130onsolidated&quot;</div><div>Dollars in millions, except per common share da=
131ta</div><div><br></div><div>Time Limit : 3 hours</div><div><br></div></div>
132
133--001a11346b4882359f0529a00537--

Copyright

Comments