Lyn Whitehead Lancashire.pnn.police.uk Email Phishing / Virus / Hacking Threat

I just had an email from [email protected], delivering an invoice for payment. It is a Word doc, but I have not yet opened it. It is obviously a scam of some sort – and one that has not be picked up by Google (I use Gmail and they catch a lot of spam and phishing messages).

The email reads:

Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)

Business Support Department – Headquarters

If you get an email like this, don’t open the attachment, don’t reply. Just delete it. If you open the email you are not at risk – it is only if you open the attachment that there may be a problem. It depends on the nature of the doc – whether virus or phishing. There appears (judging from all the comments) that many people are being targeted with this today – so don’t worry, it is not just you!

Sane Security have also picked this up – read about it here. Apparently, the attached document will auto run on Windows, and therefore infect your PC with something pretty nasty.

What is unclear is, how is somebody sending spam mail from a UK Police email address? I cannot dig deeper right now (on my lunch break!) so if anybody knows, feel free to comment below – update: lots of useful comments already, please do not post “me too” comments though!

  54 comments for “Lyn Whitehead Lancashire.pnn.police.uk Email Phishing / Virus / Hacking Threat

  1. Andrea
    October 21, 2015 at 12:51 pm

    No, they haven’t actually hacked the account, they are spoofing the email address from an IP address linked to the Schoolnet nectec.or.th ISP in Thailand.

  2. ian collis
    October 21, 2015 at 1:13 pm

    Spam don’t open it.

    I’ve had the same today 21/10/2015. and so has thirty other friends who are on my email list.

    Just block the email… [email protected]

  3. Mandy
    October 21, 2015 at 1:23 pm

    I received exactly the same, I didn’t open it knowing it must be a phishing email etc. But I googled the email address to check it wasn’t an official email address of any sort, which it isn’t. Thank you for posting so that others are able to be informed.

  4. Jess aute
    October 21, 2015 at 1:23 pm

    Thank you for this, I’ve just had one too and it got me in a panic!!

  5. Mary Farmery
    October 21, 2015 at 2:06 pm

    Received same and deleted it at once of course, but I too need to know how email can be sent from a seemingly “correct” address, particularly the Police. Is it really possible to “clone” any email address and if so, why can nothing be done about this?

  6. adam
    October 21, 2015 at 2:14 pm

    I have just had this as well and keep getting similar emails

  7. Jill
    October 21, 2015 at 2:14 pm

    Exactly the same mail. Fortunately I didn’t open it, but sent it straight to junk.

  8. Faker
    October 21, 2015 at 2:16 pm

    Greetings,

    The email is clearly a phishing email. With the question how…very easy. Almost anyone can do it from any remote smtp server that can get his hands on. Most general servers that are used for mass mailing have the port 25 open with no authentication set up. Some more information how to telnet a message from a smtp server you can find here http://www.yuki-onna.co.uk/email/smtp.html. Using telnet can allow you to set up the source of the email without checking the validity of the source (the only check that is being made is any spf/dkim or r-dns from the receiving server). I am sorry if I did not explained it better, but from the link I provided, you can understand how it works and how anyone with basic linux or any kind of programming history can do it.

  9. Jenn
    October 21, 2015 at 2:26 pm

    I’ve also just received the same email to my business address. I haven’t opened the attachment although it looked quite convincing! Glad I checked it out first so thanks for the heads up. J

  10. Steve
    October 21, 2015 at 2:40 pm

    Just received the same email, so checked out google and found your report.
    Not opened it either.

  11. shahid
    October 21, 2015 at 2:41 pm

    Its a made up email address not from the police – look carefully at the email address since its missing the “CO” or “Gov”

  12. Fred
    October 21, 2015 at 2:43 pm

    Same email came to my mail box at 12.01pm. Look like a virus so didn’t open the attachment. Thanks for the post.

  13. Natalie
    October 21, 2015 at 2:53 pm

    I too have received this email today – no idea how it’s been sent from what is seemingly a genuine Police address. As I work for a company based in the South East, it’s unlikely we’d have any dealings with the Lancashire Police, so it smelled fishy to me straight away!

  14. Jill
    October 21, 2015 at 3:02 pm

    Just received the same mail again. Lancashire Police – you really need to get on top of this!

  15. wayne
    October 21, 2015 at 3:05 pm

    I opened it on an android phone I actually live in Lancashire so thought it waa from the police am I at risk what should I do reset my phone or something im eorrued as hell now

  16. matt
    October 21, 2015 at 3:06 pm

    Ive just had the same, thought it was odd as ive only ever been caught speeding in Somerset so I googled it.
    Thanks for the info

  17. Roger
    October 21, 2015 at 3:10 pm

    Received from 84.238.224.82 Bulgaria

    from hst-224-82.medicom.bg ([84.238.224.82]:25614 helo=Universal-PC)

  18. Tracy
    October 21, 2015 at 3:11 pm

    I received the same email this morning. With long headers enabled, it appears to be coming from [email protected], not .uk. Will be reporting it.

  19. Jamie
    October 21, 2015 at 3:13 pm

    I just got the same thing – twice in the last two days. Thanks for confirming what I suspected.

    But my extensive experince of PNNs is that they always come by post!

    J

  20. scott
    October 21, 2015 at 3:23 pm

    Thank you for this. Interestingly the company I worked for got this same email within the last 20 minutes.

    Thank again
    Scott

  21. Nigel
    October 21, 2015 at 3:24 pm

    I have also received this and it came straight through, with only a [SPAM] tag being added by AVG Internet Security (but at least it tagged it, which BT did not).

    Obviously, if you ever receive anything like this just delete it but on the point about it coming from a “Police” email address, it might not have as it is the easiest thing in the world to spoof and email address (just Google it to see what I mean).

  22. Jon
    October 21, 2015 at 3:27 pm

    Just got this now Deleted.

  23. Dave
    October 21, 2015 at 3:27 pm

    I’ve had one today too, exactly the same.
    I’ve deleted it.
    We have had no dealing with Lancashire Police.

  24. October 21, 2015 at 3:28 pm

    I too received it. To answer your question the ‘from’ field in email can be populated with anyone’s email address – provided you find an open relay email server willing to accept any email. Email unfortunately doesn’t check the veracity of email from headers including ‘from’.

  25. October 21, 2015 at 3:33 pm

    Email for me was sent via a Spanish ISP, timestamp shows timezone of CEST which supports that. The mailer looks to be outlook and via Sophos, though we know how easy it is to put that in an email.

    The file shouldn’t auto-open if you’ve office set to disable that, but maybe don’t risk it if unsure. The macros are the usual obfuscated windows targeted thing.

    The mail gets through because of a lack of SPF and other such stuff. Sending a fake email from a police account just looks too easy, certainly from Lanks police. I’ve reported it to them, suggest you do too.

  26. Andy James
    October 21, 2015 at 3:35 pm

    It’s not being sent from a PNN email address, it’s purely a spoofed sender so it appears like it has come from them. They have no connection with it and no control over someone sending it out.

    Almost certainly contains the Dridex malware/Trojan as many similar ones have over the last few weeks

  27. Bob London
    October 21, 2015 at 3:53 pm

    Just received 2 of these to 2 different accounts, knew it was a phishing attempt straight away, but thought I would check further, both mine came through a smtp gateway in Abu Dhabi checked through DNSstuff

  28. Wod
    October 21, 2015 at 3:54 pm

    Happened to me too today Im surfing through the document now in unicode to see if there’s owt I can pickup like another forwarding email address

  29. jack
    October 21, 2015 at 3:54 pm

    You can forward the scam email to [email protected] for follow up as cyber crime but they get thousands of these every day.

  30. Nathan
    October 21, 2015 at 4:05 pm

    Just received one to with a read request!

  31. Colin
    October 21, 2015 at 4:17 pm

    Pay no attention to the from email address. This is easily faked.

  32. Colin
    October 21, 2015 at 4:19 pm

    I get 2 or three of these a week now purporting to come from different places, usually in the form of an invoice, but I have also had “medical” ones with my urgent test results.

    It appears for most of them that the person actually exists and works for the company “spoofed”. I have had invoices for lifts, cardboard boxes and all sorts of things.

    You need to stay alert! One day they may get me with company that I might have had links with. Fortunately most of them have come to my personal address rather than my business one.

  33. wayne
    October 21, 2015 at 4:38 pm

    Please can someone reassure me I opened this email thinking it was from my local police force im on Android will it compromise my phone

  34. Webologist
    October 21, 2015 at 4:47 pm

    I Wayne, based on what I read on the Sane Security website (see link in post above) it is likely it is only a Windows virus, so hopefully, nothing evil would have happened. But, I am not a security expert. Maybe run an AV on the phone to be sure.

  35. Helen
    October 21, 2015 at 4:51 pm

    Just found mine!! It was sent to junk in my live account so they did pick up that it was spam

  36. Webologist
    October 21, 2015 at 4:54 pm

    That’s good to hear. Hopefully all email providers will soon be sending all of these to spam / junk. If everybody hits the spam button, the message will soon be heard!

  37. Phil
    October 21, 2015 at 5:25 pm

    I received it today Sophos Anti-Virus picked it up immediately straight into quarantine then deleted

  38. R.Almond
    October 21, 2015 at 5:31 pm

    V.Worried, it stated,”reply by E’mail” and delete. I did try opening and got a blank page. I deleted.
    R. Almond.

  39. Webologist
    October 21, 2015 at 5:31 pm

    Hi Phil, to clarify – was this was after you opened the attachment, or did Sophos scan the incoming mail attachment and quarantine?

  40. jack
    October 21, 2015 at 6:09 pm

    hi i opened this email as i was trying to delete it and it auto downloaded and opened, any help?

  41. Graham
    October 21, 2015 at 6:32 pm

    I’ve just received one in junk mail as well, will now delete.
    My wife has just received one also, deleted.

  42. Julie
    October 21, 2015 at 6:41 pm

    I have received this email today at 15:26. Luckily I did not click on the attachment. I checked the message source, this one originates from Turkey.

  43. Webologist
    October 21, 2015 at 6:47 pm

    Jack, run your AV. Ensure it is updated. By the sounds of it, Sophos already detects and destroys it.

  44. jack
    October 21, 2015 at 7:12 pm

    yeah i ran my antivirus and it came out clear, just wondering if anything could of happened due to the word document downloading and opening?

  45. Malcolm
    October 21, 2015 at 7:38 pm

    Just arrived with me. My conscience took me back to perhaps I had been speeding a little recently but realised it was a scam – not addressed to me personalty or my car reg number. Will delete.

  46. Natalie
    October 21, 2015 at 11:46 pm

    I received this exact email in my junk folder. I accidentally clicked on the attachment from my iPhone but it was just a blank page and I instantly came out of it.
    Do you think his had effected my iPhone?

    Thank you,

  47. Webologist
    October 21, 2015 at 11:48 pm

    Impossible to say Natalie. We do not know if it is the same file that is being sent out. Sane Security said it was only for Windows, so most likely that your iPhone is not affected.

  48. Bruce
    October 22, 2015 at 11:39 am

    I received this email, and made a formal complaint to Lancashire police, to get them to deal with it. They managed to avoid dealing with it by taking ten hours to log the complaint from 11am to 9pm, and then declaring it void because i did not confirm within 2 hours i.e by 11pm. The police must take responsibility for sorting such matters out because most law abiding people would feel obliged to open the attachment in case it was genuine.

  49. wizard
    October 22, 2015 at 2:33 pm

    i also got this today and tried to open it but my avast antivirus detected a problem so i checked out the email address and found that it was a malware scam, ignore it and delete it

  50. Tracey
    October 25, 2015 at 8:53 pm

    I received this e mail, it was in junk and I accidentally opened the attachment. The attachment was blank. Am very worried about this and should have paid more attention to the email address. I had been looking at my e mail on IPad. I have since deleted the email and reported it. What should I do next?

  51. Webologist
    October 25, 2015 at 9:05 pm

    Hi Tracey, the details linked above suggest it is PC threat only, so you should be OK.

  52. Webologist
    October 25, 2015 at 9:08 pm

    Hi Bruce, in fairness, I don’t think there is much Lancashire Police can do about it. There servers have not been used – the email is being faked. It could just as easily say it comes from any other organisation or business. ISPs, web hosts, Internet security firms, AV tools etc. are the main ways to prevent scams, hacking and phishing like this – we cannot blame the people who are being impersonated.

  53. martin
    October 27, 2015 at 12:07 am

    I recieved this email today 26-10-15 as I deal with police a lot I wasn’t suprised to recieve one from them but after reading these comments I’ve deleted it without opening thanks guys for the heads up

Leave a Reply

Your email address will not be published. Required fields are marked *