Computer Support The sircles IT support & solutions blog | Online Fraud

Twitter Feed Popout byInfofru

The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

You have received efax Message: Spam warning

2. October 2018 13:05 by sirclesadmin in Internet Security, Online Fraud
You have received efax Message: Spam warning   This email is impersonating eFax by using links

You have received efax Message: Spam warning


This email is impersonating eFax by using links back to the eFax images and website, but it is a very low-fi spam attempt. 'You have received fax message' sounds like someone did not quite know how to translate the sentence, when you would've thought that they would just use the text from a real eFax message.

The email in this case has arrived from which is obviously a giveaway :





From:                                         eFax j2 Global <>

Sent:                                           Monday, October 1, 2018 4:42 PM

To:                                               Recipient

Subject:                                     You have received efax Message







Fax Message Caller-ID: 8046 545 7372,

You've received a 3 page fax at 10-01-2018 03:24:57 GMT.

*Your reference # for this fax is dk7_dtd24-48654058334483-5433851-55.

Visit if you have any questions regarding this notification.


eFax Crew


j2 footer
2002-2018 j2 Global, Inc. and affiliates. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
61526 Hollywood St, Los Angeles, CA 97426

*** This is an automatically generated message, please do not reply directly to this email address *** Privacy Policy.

 The 'get fax' link (rather an unfortunate phrase) actually points to: which is actually not working currently, probably because the spam is already a day old.



Package(3VKN_270) confirmed: 8 items sent Spam Email

4. September 2018 14:25 by sirclesadmin in Online Fraud, SPAM
Package(3VKN_270) confirmed: 8 items sent Spam Email &amp;nbsp; Watch out for this email: &amp;nbsp; v\:*

Package(3VKN_270) confirmed: 8 items sent Spam Email


Watch out for this email:


From:                                                       Bessie Daulton <>

Sent:                                                         Tuesday, September 4, 2018 12:39 PM

To:                                                            Recipient

Subject:                                                   your name, Package(3VKN_270) confirmed: 8 items sent



Dear your name

We are now processsing your order 3VKN_270, please find your order details below:


Shipment Details

Name and Postcode



Your order details here


This confirmation acts as your guarantee, which begins from the day your product is delivered to you.


Consumer Contracts Regulations 2013 offers the following cancellation rights

Please note that you are entitled to cancel this contract if you so wish, provided that you exercise your right no longer than 14 days after the day on which you receive the goods or services.

Please note that your right to return products does not apply to goods made to your specification, that have been clearly personalised or which by reason of their nature cannot be returned or are liable to deteriorate or expire rapidly.

If you wish to exercise your right of cancellation, you are obliged to retain possession of the goods and take reasonable care of them.


If you decide to cancel, you should return the goods to us at your cost within 14 days of such cancellation and we will reimburse to you (by the method used to pay for the original transaction) the amount in relation to goods to which cancellation rights apply. This includes the cost of delivery (except for the supplementary costs arising if you choose a type of delivery other than our standard and least expensive method of delivery). We may make a deduction from the reimbursement for loss in value of any goods supplied, if the loss is the result of unnecessary handling by you. We will make the reimbursement no later than 14 days after the day we receive back from you any goods supplied.


Returning items

We want you to be happy with your purchase. If you're not, just return the item with proof of purchase and we'll exchange or refund it.

Further information can be found in the customer service section of our website and the dispatch note included with your order. Our usual refund policy does not apply to cut or made to order products or perishable goods, which cannot be returned or exchanged unless faulty.

This does not affect your statutory rights.

Returns can be made using the following options:


Via our shops: please take this email with you. It shows the prices you paid at the time of your order, and so helps us process your return more quickly and accurately.


Further information on our Terms and Conditions can be found in the Customer Services section of our website, and on the delivery note included with your order.


Do you wish to track your order or require a receipt?

To track the status of your order or print a VAT receipt, if applicable, please click here. You may receive an email from us that will tell you how to track your order as soon as it has been collected for delivery.



We will never ask you to send any personal details via email. If we require such details, for security reasons we will ask you to contact us by phone. Should you receive an email claiming to be from requesting this kind of information, please do not respond to it but do let us know.


Thank you for shopping with us.

Customer Services


Prices are subject to change without prior notification. Products subject to availability, while stocks last. Images are representative only. Errors and omissions excluded.


Update your details


Change your preferences

The actual 'Your order details here' link points to: which sounds like rather an odd website.
The link will download a command to upload or corrupt your personal data so do not run the command.
The windows shell command will be run on your own documents or downloads folder and may involve blackmail or identity theft.
Be sure to report the originators of this email as well as the website.

Upgrade to a more secure banking - Natwest Spam Warning !!

4. September 2018 07:18 by sirclesadmin in Online Fraud, SPAM
Upgrade to a more secure banking - Natwest Spam Warning &amp;nbsp; This email is a typical example of ph

Upgrade to a more secure banking - Natwest Spam Warning


This email is a typical example of phishing for banking details:



Upgrade to a more secure banking



From:                                                       NatWest <>

Sent:                                                         Saturday, September 1, 2018 12:34 PM

To:                                                            Recipient

Subject:                                                   Upgrade to a more secure banking


Final hours: Get 50% OFF Yearly Premium Plans with our Surprise Sale. Hurry & upgrade your website now!

Can't see this email? Click here.



Upgrade to a more secure banking



Don’t miss out - last chance to upgrade your account and get £100 instant bonus!



We are regularly changing our online banking system, we will always contact you immediately we notice any issue on your account.

To receive the £100 bonus you are required to update your online information for your security. Please continue below.



Stay up to date with our latest news & features


Please do not reply to this email
If you wish to unsubscribe click here

View our privacy policy




 The email is quite well presented - the 'Can't see this email?' question at the top is a good example of how spammers use regulations to sidestep any susupicions we may have about the authenticity of an email.

If you click on the 'can't see this email?' link you are taken to: 

It is important to note in the above link the fact that the site is not secure (it begins http and not https) which is an instant and certain indicator that this is not a real banking site.

The site is already labelled by Google as deceptive:


And Microsoft Edge:


The site itself looks similar to Natwest:


But is obviously unsecured and way too slow for a real bank.

Report the originating email and the website as fraudulent and stay vigilant.


Spam Warning: Payment Message From MoneyGram Systems, Inc

23. August 2018 16:51 by sirclesadmin in Online Fraud, SPAM
Spam Warning: Payment Message From MoneyGram Systems, Inc &amp;nbsp; &amp;nbsp;

Spam Warning: Payment Message From MoneyGram Systems, Inc


This email has been spotted:


From:                                                       MoneyGram Payment Systems, Inc <>

Sent:                                                         Thursday, August 23, 2018 4:51 PM

To:                                                            Recipient

Subject:                                                   Payment Message From MoneyGram Systems, Inc








Welcome to MoneyGram!


Here is your new transaction from MoneyGram.



In case you don't have with MoneyGram, click on the link provided below to easily open an account with us and cash out to your banking account .



We look forward to helping to make your future money transfer simple and enjoyable send now!


View your transaction details








Download our App:




App store logo






Don't respond to this e mail. In case you have further questions, please call us.


Customer Protection




Privacy Policy



MoneyGram Payment Systems, Inc.




2493 Utica Road E, Stu 100




Minneapolis, MN 53712


This message may consist of confidential info. Don't give any information concerning this financial transaction to a third party. If you are not the intended receiver, inform us promptly and erase this e mail from your system.


2018 MoneyGram Payment Systems. All rights reserved.


Facebook  Twitter  Youtube





The link actually points to: with no certificate or security.

The link simply downloads a harmful .DOC file named invoice.doc to your computer - DO NOT OPEN THIS FILE.

Make sure your report the email address as dangerous, the website seems to have been deactivated already.

Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent

9. August 2018 07:19 by sirclesadmin in Internet Security, Online Fraud, SPAM
Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent &amp;nbsp; &amp;nbsp;

Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent


This email has been assembled by sourcing information from your personal history online, in this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.


From:                                                       Direct <>

Sent:                                                         Thursday, August 9, 2018 6:35 AM

To:                                                            Receipent

Subject:                                                   Your Name, Pack(50RM_84248) confirmed: 7 items sent



Order Acknowledgment

Dear Your name,

Your order is now confirmed. Thanks for shopping with us!


Billing Address:
Your Name 
Your Telephone Number Postcode 

Your Order Reference: 50RM_84248
Order Date: 8/9/2018

Delivery Address:
Your Name
Your Telephone Number Postcode

Your Order 50RM_84248 available here

Your right to cancel:

In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase.

To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip.

We recommend that you use a recorded delivery service.

Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount.

As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.

The hyperlink 'Your Order 50RM_84248 available here' actually links to: which is presumably a genuine website as it has a certificate but it simply forwards you to: which is presumably not an association that Microsoft enjoy. 
The actual link downloads a zip file:
The contents of the zip file are as follows:
And when extracted, reveal:
The image just being a Google Pay image:
And the shortcut linking to:
As we can see, this is another Windows Powershell command but one which which we cannot make head or tail of - fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string fildunare  with a .lnk extension in your documents and invokes desktop.ps1 which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
Either way, make sure that .ps1 files are blocked inside of attachments, especially archive files, and this will not be an issue.
The originating email domain - - does not seem to be a website either so block that domain from your email server.

Spam Warning: You received notification from DocuSign Signature Service

7. August 2018 06:48 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM
Spam Warning: You received notification from DocuSign Signature Service&amp;nbsp; &amp;nbsp;

Spam Warning: You received notification from DocuSign Signature Service 


You may see the following email, purportedly from DocuSign. We have seen it being captured by most spam guards but also getting through many on other occasions.





From:                                                       DocuSign Signature  Service <>

Sent:                                                        Monday, August 6, 2018 5:21 PM

To:                                                           Recipient

Subject:                                                   You received notification from DocuSign Signature Service








Review and sign this document.


Dear Receiver,

Please review this invoice
It is an automatically generated invoice.


This email contains a secure information. Do not share this code with other people.

Additional Signing Way
Please visit, click on 'Access Documents', and enter the security code: F80B75BEF7

About Our Service
Sign invoice electronically in just minutes. It's risk-free. Whether you're at work, home or even across the globe -- Our service gives a professional solution for Digital Transaction Management.

Have questions about an Invoice?
In case you need to modify the document or have questions about the details in the document, reach out to the sender directly.

If you are having trouble signing the document, please see the Help with Signing page on our Webpage .

Review Invoice

This message was sent to you by DocuSign Electronic Signature Service.



 The 'view invoice' link actually points at: which is an unsecured site which appears to have been compromised.
The folder appears to have already been removed.
We have also seen: S being used by the same email.
The 'review invoice' link at the bottom points to: which also appears to have been shut down.
Report any senders of this email, the domain does not seem to function either.

Internal Revenue Service - Spam Warning !

1. August 2018 13:29 by sirclesadmin in Internet Security, Online Fraud, SPAM
Internal Revenue Service - Spam Warning ! Watch out for more free money! This email has been receive

Internal Revenue Service - Spam Warning !

Watch out for more free money!

This email has been received this week:



From:                                                       Internal Revenue Service <>

Sent:                                                         Tuesday, July 31, 2018 6:16 PM

To:                                                            Recipient

Subject:                                                   Internal Revenue Service Banner

Internal Revenue Service

IRS services     Account Balance communication TP95


Final reminder: Notice of Intent to seize (levy) your current income tax refund.


promptly: $449.20

Our files indicate that you have unpaid sum for the tax year closing December 31,2017 (Application form ). If you don't call us straight away, we may levy (seize) your house or legal rights to own property which includes any kind of tax refund and also apply it for the amount of money you must pay back.

Download your payment Invoice 

You're witnessing this particular notification due to the fact you're subscribed to our alerts via Internal revenue service.

 If you no more want to get warnings, please log in to your Internal revenue service account  to temporarily disable or completely delete these types of signals.

The following alert is sent to you automatically from the IRS services. Make sure you do not Write back.

Take care of your account, change your security password or e-mail, or discontinue messages at any time on your Personal preferences Web page.

If you have inquiries or problems with the service, be sure to contact

This service is delivered to you free of charge by the Internal Revenue Service. The following communication is provided through: IRS 1364 Constitution St. N Washington DC 21263.

Powered by GovDelivery


As this email has been received from a car (auto if you're German/American) repair (body shop) in Indianapolis, we can safely say that it is a spam email.
The link 'Download yoru Payment Invoice' points to:
Which has already been taken down - well done for spotting that whoever the owner is...
Anyway report this email as spam and stay vigilant!

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.

1. August 2018 12:35 by sirclesadmin in Internet Security, Fraud, Online Fraud, SPAM
Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes. &amp;nbsp; This email has been rec

Ooh, a tax refund!! SPAM - (1) New message from GB Revenue and Taxes.


This email has been received this week at sircles spam catcher:

From:                                                       TaxesGreat-Britain <>

Sent:                                                         Wednesday, August 1, 2018 9:26 AM

To:                                                            Support

Subject:                                                   (1) New message from GB Revenue and Taxes.




Taxes&Revenue have detected that you have paid too much tax in the past


* Therefore we applied P800WForm to issue a reimbursment.

--we tried to send it to you automatically.

--we don't have your card details on file.

--have your credit/debit card ready

Reimbursement Information

* We applied P800WForm to issue a reimbursment.

* Receipt date : 01 August 2018.

* Amount: 670.25 GB P.


Card Type:


Credit Card:




Transaction Date:


Transaction #:





670.25   GB P



As you can see the originating address is actually from Japan and so probably isn't that likely to give me a tax refund after all :(
The GBP is a bit of a giveaway too, as even in London, most people still use the British Pound without being prompted.
The 'Claim Funds' link points to: which is actually already registered as deceptive by Chrome and has been registered as unsafe by Microsoft Edge.
The actual site:
Once you choose your wishes they take you to:
HMRC do not know your banking details, and will never ask you to confirm your identity with your card details or account number. This site is not secure and should therefore not be accepting card details anyway.
Never enter card details without checking the padlock in the address bar is showing in green or as OK. Always check the domain in the address bar, all the way up until the first / and make sure it is just the expected domain like with nothing following it unless after a /
Report this email and report the website.
Be safe!!!

Spam Warning: Important Docs Secured ShareFile Attachment

Spam Warning: Important Docs Secured ShareFile Attachment &amp;nbsp; Watch out for this email doing the

Spam Warning: Important Docs Secured ShareFile Attachment


Watch out for this email doing the rounds this week:


From:                                                       Tracy Turner <>

Sent:                                                         Thursday, July 19, 2018 5:07 PM

Subject:                                                   Important Docs



Secured ShareFile Attachment

Expires July 20, 2018


568.9 KB

Review Documents

I used WeTransfer to send documents to you securely. Learn More.



If you need any further assistance, then do not hesitate to contact me.


Tracy Turner
Breal Zeta CF Ltd
t: 07803 178446


The 'Review Documents' link actually points at*%5E%25%26*(*%5E%24%25%5E%26%25%5E%24%25%23%23%24%25%5E%26 


So be careful here - this is a fully secured SSL site with an SSL certificate:



The domain appears to be running on a CPanel server with a certificate from:



Comodo for CPanel. 


From the look of the site: 



They seem to impersonating WeTransfer and ShareFile at the same time, so this is obviously quite a big scam.

The website has been thoughtfully put together to steal important credentials and a person who knows a tracy turner could easily input all three of their Google, Office365 and GoDaddy details.


The GoDaddy one is crafty but obviously there are no documents storage houses in the world that would ask for your internet domain credentials.


If you click the 'others' option, then you are taken through to a WeTransfer impersonation site:*%5e%25&*(*%5e$%25%5e&%25%5e$%25%23%23$%25%5e&/email_signin/index.html




Which is again a convincing looking site using the same certificate.


The IP address gives this data:

% Information related to ' -'

% Abuse contact for ' -' is ''

inetnum: -
geoloc: 50.10 8.70
netname: CLOUD-DE
descr: Cloud Services DC05
country: DE
admin-c: SS936-RIPE
tech-c: AN3450-RIPE
mnt-by: ARUBA-MNT
mnt-lower: ARUBA-MNT
mnt-routes: XANDMAIL-MNT
created: 2016-01-11T14:37:36Z
last-modified: 2016-01-11T14:37:36Z
source: RIPE

address: Aruba S.p.A.
address: via S.Clemente 53
address: 24036 Ponte San Pietro (BG)
address: Italy
admin-c: SS936-RIPE
tech-c: SC279-RIPE
nic-hdl: AN3450-RIPE
mnt-by: ARUBA-MNT
created: 2008-11-19T19:02:34Z
last-modified: 2017-11-15T08:13:57Z
source: RIPE # Filtered

person: Susanna Santini
address: Aruba S.p.A.
address: Via S.Clemente, 53
address: 24036 Ponte San Pietro (BG)
phone: +39 0575 0505
fax-no: +39 0575 862000
nic-hdl: SS936-RIPE
mnt-by: ARUBA-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2017-11-15T08:14:40Z
source: RIPE # Filtered

% Information related to ''

descr: Aruba GmbH Cloud Network DC05
origin: AS200185
mnt-by: ARUBA-MNT
created: 2015-12-09T12:07:07Z
last-modified: 2015-12-09T12:07:25Z
source: RIPE


We will email the abuse address to report these sites...

Amazon Spam Warning - Authorization of Account Details

27. June 2018 13:59 by sirclesadmin in Internet Security, Online Fraud
Amazon Spam Warning - Authorization of Account Details &amp;nbsp; We have seen this email passing&amp;nbsp;t

Amazon Spam Warning - Authorization of Account Details


We have seen this email passing through htomail and outlook defences:


From:                                                       Αmаzоn.соm <>

Sent:                                                         Saturday, June 23, 2018 1:58 AM

To:                                                            recipient email address

Subject:                                                   Authorization of Account Details




Authorization of Account Details




Validation of billing details in your account

June 22, 2018

Dear recipient

We need to validate your billing information you entered, which may not match with your Credit card's issuing bank. Please get these to us before June 29, 2018 to ensure that the services related to your account will not be suspended. We may contact you for additional information as part of the verification process.


You can start your verification process by clicking on Here


We hope to see you again soon.



<![if !vml]>Image result for Amazon Logo Icon<![endif]>


 Privacy Policy


Copyright © 2018
All rights reserved


This email sent to recipient email address

Email ID: 122744Px690808054Fw90f4v6nJK9o408488ef019626

The link points to a site which has already been dismantled and Google Chrome already listed the site as fraudulent so we will not post it here..
Do mark this email as spam though as it is breaking through email defenses...