Scam Reporting

I do a lot of Scamwatch reports, and want to make my reporting more effective.

What’s the best way to copy an email for them? I hit the “i” which gives me the header information and copy that, but it does not do much more than give the spam filter eg Client Atmail 7.2.0.14467 and reveal the Reply email (which is usually some random email address - they want you to click the link). I remember doing some “forwarding” that gave more information for my ISP.

I hover over the link and write where it goes, so I can put that into the Website box. I can’t find a way to just copy it.

There are days I wish I had an “account” with the boxes all filled in, so I could just fly through, as sometimes the reporting takes longer than the scam.

2 Likes

For Scamwatch and other needs I often use a screen capture. On iOS it defaults to a picture which will appear briefly requesting you save or edit. You can always open from pics to edit later and move or save it to a different file/folder. I’ve an App to resize (reduce the resolution) if required to produce a more compact pic to attach and send.

For a PC I simply open Paint or Word and paste the image directly. Most often Paint as it’s easy to edit (Crop and resize to a lesser resolution).

Hence any detail I can reveal on the screen can be saved without too great a difficulty. It still leaves one to manually type in some of the responses to Scamwatch.

2 Likes

People investigating email scams want the “raw” email in its entirety, which retains all the information they need to investigate the scam. How you get that depends entirely on the mail client you are using; look for an “export” or “save message” option.

In Gmail the option is “Download message”, which saves the message as a file in “.eml” format, which you can then upload to Scamwatch with your report. In ProtonMail the option is “Export”, which also saves the file in “.eml” format. Other message file formats investigators might be able to use are “.msg” and “.html”.

If exporting the message in its entirety isn’t an option, people investigating email scams will generally find the “message headers” useful as well; this is information usually invisible to you (the message recipient), but it is information which is tacked onto the message by each server the message passes through on its trip from the sender to you. It provides information on where the message came from, how it made its way to you, and other information such as the validation checks that were applied in transit.

Again, how you get the message headers depends entirely on the mail client you are using; in Gmail the option is “Show original”, and in ProtonMail it is “View headers”. These options display text which you can copy-and-paste into your Scamwatch report.

Note that the message headers really aren’t human-readable (unless supporting email systems is your job!), but they are very helpful to an investigator.

Note also that, if you forward an existing email, all the message headers on the email are lost and the recipient will only see the message headers generated on the forwarded email’s trip from you to them. That’s one of the reasons why an investigator really wants to obtain the “raw” email in its entirety, and receive it from you as a “.eml” or other file.

9 Likes
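Added example, not part of any post in this thread: a Python sketch of what the raw ".eml" file described above gives an investigator, and of reading a link's real destination without hovering or clicking. The sample message, every address in it and the `summarise` helper are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample standing in for a saved .eml file (all names and addresses are made up).
SAMPLE_EML = b"""\
Received: from mx.isp.example by store.isp.example; Tue, 02 Jan 2024 10:00:05 +1100
Received: from bulk.example (203.0.113.77) by mx.isp.example; Tue, 02 Jan 2024 10:00:03 +1100
Authentication-Results: mx.isp.example; spf=fail smtp.mailfrom=bulk.example; dkim=none
From: "Parcel Service" <support@parcel.example>
Reply-To: random123@freemail.example
Subject: Your parcel is waiting
Content-Type: text/html; charset="utf-8"

<html><body><p>Pay the fee:
<a href="http://tracking.bulk.example/pay?id=1">www.parcel.example/track</a></p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (real destination, text shown to the reader) for each link; nothing is fetched."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def summarise(raw: bytes) -> dict:
    """Pull the fields a scam report asks for out of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    clean = lambda h: " ".join(str(h).split())  # collapse folded header whitespace
    return {
        "from": parseaddr(str(msg.get("From", "")))[1],
        "reply_to": parseaddr(str(msg.get("Reply-To", "")))[1],
        "hops": [clean(h) for h in msg.get_all("Received", [])],  # newest hop first
        "auth": [clean(h) for h in msg.get_all("Authentication-Results", [])],
        "links": collector.links,
    }
```

The last entry in `hops` is the server closest to the sender, and each `links` pair shows where the link really goes next to the text displayed in the email.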

Welcome to the community @Fred26
Are there any risks to a personal device in taking the suggested steps? One might expect ScamWatch would offer similar examples and advice to those reporting. But then again ScamWatch is a Govt service.

2 Likes

Are there any risks to a personal device in taking the suggested steps?

If by “personal device” you mean a mobile phone or tablet, the email apps on most such devices have fewer features than the equivalent email client application on a desktop or laptop computer, so the steps I listed may not be possible on a personal device, and you would need to either save the file or extract the message headers using the email client on your desktop or laptop.

As to the “risk”, the only risk to you is that of information exposure; if you take a genuine confidential email message, save it in its entirety and then provide it to a third party, you are providing them with the confidential information. If it is a government body like ScamWatch, you can reasonably assume they will treat it appropriately, but there is of course no guarantee. If it’s a scam message, it is very unlikely to contain confidential information, so this isn’t a risk.

Providing just the message headers supplies much less information, but the information may still be confidential from your perspective if it is a genuine email message eg details about the sender such as their email address, IP address and email client. Again, if it is a scam message, this is unlikely to be an issue unless you consider your own email address and IP address to be confidential, because these are also included in the message headers.

In summary, taking the steps I described previously will generally not be possible on a mobile phone or tablet, but if done on a desktop or laptop, carries no risk to yourself or your devices if you are doing so to provide scam email messages to ScamWatch.

One might expect ScamWatch would offer similar examples and advice to those reporting

Each mail client has its own method of saving raw messages and extracting message headers, so ScamWatch can only provide general guidance, just as I have done.

However, if ScamWatch can see that you are the first reporter of what appears to be a major new attack (not just the hundredth person today to report a Nigerian Prince email), they will probably want to investigate promptly and in detail, and may reach out to you personally and have you assist them, which may well involve them giving you specific instructions related to your email client for you to provide them with further information.

To be fair to ScamWatch, any criminal with the time, inclination and some computer skills can attempt to scam thousands or millions of people around the world and there is little if anything ScamWatch can do to prevent this. Their role is more around educating businesses and the general public, monitoring trends and liaising with other organisations (Microsoft/Apple/Google as operating system suppliers, web site hosting services, mobile carriers, ISPs etc) to have them fix security bugs, block illegitimate traffic, evict illegitimate users of their services and so on.

5 Likes

Forwarding the email also saves the sending data as it encapsulates the previous message in a new header without removing the old information… Most scam reporting portals advise the user to forward the email to the scam reporting address as the email is then treated as dangerous and handled appropriately.

3 Likes

Forwarding the email also saves the sending data as it encapsulates the previous message in a new header without removing the old information

Ummm…no.

I suspect you are confusing the “From:”, “To:”, “Subject:” and “Date:” information (which you can see at the top of a message you have received and are plainly readable) with Internet mail message headers (which you cannot normally see and which are fairly cryptic).

This blog article describes the differences between them: What are email headers? | Proton

Yes, the “From:”, “To:”, “Subject:” and “Date:” which you (as the recipient of the original message) can see at the top of the message are going to be visible to the person you forward the message to (quoted in the body of the forwarded message), but most of this information can be (and often is) forged by the scammer sending the message, so it is of limited use to ScamWatch.

But no, message headers, which are actually useful to ScamWatch in tracking the source of the original message, are discarded when you forward the message to them.

You don’t need to take my word for it; look at the message headers of a message that a friend or family member has sent you, then forward the message back to them, ask them to forward it back to you again, and look at the message headers of the resulting message; they will be different.

Most scam reporting portals advise the user to forward the email to the scam reporting address as the email is then treated as dangerous and handled appropriately.

Yes, but that’s usually because it is far easier for you to forward a suspect email to their scam reporting mailbox than it is for you to go to their scam reporting web page, fill in your contact details, extract the contents of the suspect email and then upload it.

The fact that this thread started with someone asking how they can submit ScamWatch reports with less effort demonstrates that the more difficult they make it to submit a report, the less inclined people are to do so.

As noted in my previous post, if you submit a suspect email and ScamWatch are really keen to investigate further, they will reach out to you and guide you through how to provide all the information they need.

3 Likes

Then just create a new message and include the scam message as an attachment to preserve everything. No need to go to the extent usually of saving the suspect email as another offline email format such as .eml.

Proton may do it differently but most instructions are usually when people want to see the headers themselves, such as with Google the way to read the headers is to follow these steps (courtesy of Google)

Analyze an email header

  1. On your computer, open Gmail.
  2. Open the email that you want to analyze.
  3. Next to Reply, click More and then Show original.
     • In a new window, the full header shows.
  4. Click Copy to clipboard.
  5. Open Google Admin Toolbox Messageheader.
  6. In the box, paste your header.
  7. Click Analyze the header above.

6 Likes

Then just create a new message and include the scam message as an attachment to preserve everything. No need to go to the extent usually of saving the suspect email as another offline email format such as .eml.

If your mail client has that capability, great, you’ve saved yourself a step and avoided having to delete the file afterwards.

Unfortunately, not all mail clients provide that capability, and I was attempting to make my instructions as generic as possible.

2 Likes
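Added example, not part of any post in this thread: a Python simulation of the two ways of passing a message on that are discussed above, an ordinary forward and sending the message as an attachment, showing which of the original's "Received" headers reach the person receiving the report. All messages, addresses and helper names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def make_original() -> EmailMessage:
    """Constructed scam-style message as stored in the recipient's mailbox."""
    msg = EmailMessage()
    msg["Received"] = "from mx.isp.example by store.isp.example; 2 Jan 2024 10:00:05 +1100"
    msg["Received"] = "from bulk.example (203.0.113.77) by mx.isp.example; 2 Jan 2024 10:00:03 +1100"
    msg["From"] = "Parcel Service <support@parcel.example>"
    msg["To"] = "me@isp.example"
    msg["Subject"] = "Your parcel is waiting"
    msg.set_content("Pay the fee at http://tracking.bulk.example/pay\n")
    return msg

def new_report(orig, note):
    """Start the message the reporter sends (addresses are made up)."""
    fwd = EmailMessage()
    fwd["From"], fwd["To"] = "me@isp.example", "reports@scamreports.example"
    fwd["Subject"] = "Fwd: " + orig["Subject"]
    fwd.set_content(note)
    return fwd

def forward_inline(orig):
    """Ordinary forward: only the visible fields and body are quoted into the new body."""
    quoted = f"From: {orig['From']}\nSubject: {orig['Subject']}\n\n{orig.get_content()}"
    return new_report(orig, "---------- Forwarded message ----------\n" + quoted)

def forward_as_attachment(orig):
    """Forward as attachment: the whole message rides along as a message/rfc822 part."""
    fwd = new_report(orig, "Suspect email attached.\n")
    fwd.add_attachment(orig)
    return fwd

def deliver(msg) -> bytes:
    """Simulate transit: the receiving server stamps its own Received header on top."""
    hop = b"Received: from mail.isp.example by mx.scamreports.example; 3 Jan 2024 09:00:00 +1100\n"
    return hop + msg.as_bytes()

def hops(raw: bytes) -> dict:
    """Split Received headers into the report's own trip and the original message's trip."""
    msg = message_from_bytes(raw, policy=policy.default)
    inner = [p.get_content() for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    original = [str(h) for h in inner[0].get_all("Received", [])] if inner else []
    return {"transit": [str(h) for h in msg.get_all("Received", [])], "original": original}
```

In this simulation `hops(deliver(forward_inline(make_original())))` has an empty `original` list, while the attachment variant returns both of the original message's hops.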

Scam msgs, emails & Calls - Am I, How & Who do I report or send copy of please to report

Hi, I am fairly new & I love this platform, Choice community, Volunteers, Moderators & the support you get from the replies & that the advice is clear, concise & correct & easy to follow, so thanks for that. My enquiry, is in regards to receiving Scam msgs, emails & calls (spoofed numbers, so generally only used once)
My personal information got breached from 2 x companies & although I report it through my VPN Security (I sincerely, don’t think, this does much or really goes anywhere) So, I’m seeking advice, as to who & how I can report it & hopefully have an impact. Although, I don’t have time to do it 9-5pm🤣 Does anyone have any advice, please? Much appreciated. Also most of my info that was breached, (personal details) I obviously cannot change, as Name, D.O.B. etc. I really don’t want to change my mobile no, as had for so long, same as email & it’s a massive undertaking to change & inform everyone. However, I’m aware a lot of damage can be caused by Scammers having this info & know it’s really in my best interest to do so. Apologies I have mixed 2 x topics, but any info, be appreciated. Thank you😁

3 Likes

Sadly that is a list of zero length. You can report until you are blue in the face and nobody will do anything useful.

Back in the days of the wild west you had to look to your own defence. That is where we are now, authorities are looking at this new connected world and wondering what to do but not doing much.

They claim to have stopped millions of scam calls but there is no appreciable reduction in the number getting through. New breaches exposing personal data are revealed daily. Perhaps when every organisation bigger than the corner shop has been pwned the numbers will drop off. By then we will all know each other’s business. What fun.

1 Like

The advice about Cybercrime (which includes use of online fraud/scams) is to report to:
Police (ask for a reference number of your report)
ACCC ( they share reports with banks, law enforcement etc.)
Scamwatch.gov.au (the report will be assessed as to whether it’ll be referred to law enforcement agencies for investigation)

At the moment the usefulness of reporting is mostly to alert authorities of the activities.
Also it’s good to have reference numbers of the reports in case of a breakthrough.
At the moment it’s more to be of help to others but …it may come a time…

2 Likes

Hi @niccib

I have moved your topic into this existing one on the Government organisation Scamwatch (About us | Scamwatch), who are tasked with “dealing” with and reporting on and of scams in Australia.

If you have been a victim of the Optus leaks, there are avenues to help you get a new licence among other steps to help reduce scam attacks.

A lot of spam calls that come from various numbers that are not legitimate numbers use software to generate numbers to call. There is currently no best and totally effective way to stop these calls. Only your own vigilance, caution, and self education seem to build the best outcomes. This process also works for scam/spam emails, don’t respond to emails or click links and don’t try to unsubscribe from them. Report them to Scamwatch if a scam and/or ACMA if spam as well (Dealing with spam | ACMA) and then delete them. To stop some emails getting through you can also use filters with some email programs, and there are third party services that pre-filter emails but these are mostly for enterprise size businesses that use Microsoft and similar Exchange software.

2 Likes

This might be helpful?

1 Like

This thread provides information on reporting scam text messages:

2 Likes

An article about a man scammed and his experience reporting it, as well as the how to report it and what to expect.

I’m probably misunderstanding the question because I only use a desktop PC. If I want to copy a block of text (or a few words, or a complete message) I highlight the relevant section, copy it (CTRL+C), move to where I want to insert the text and hit CTRL+V.

1 Like

The question is complex because scams have other data than just their text, sometimes displayed and sometimes not. And to where?

Furthermore copying and pasting often breaks the formatting to make the ‘message’ difficult to decipher.

For emails as an example there are complex headers (that can be manipulated) showing message ID, origins, and so on. Displaying ‘message source’ can be cut and pasted but can become overwhelming, especially if HTML encoding is included such as would occur by a ctrl-A, ctrl-C, ctrl-V or the equivalent on other devices.

In summary it is usually more than just a copy and paste regardless of device.

1 Like