I've had a spam/scam from jack.glossop at bis.gov.uk. How does anybody get a domain name that includes .gov.uk? Surely that should be impossible? I've forwarded it to phishing.
It appeared to come from Martin Lewis, so I knew it was spam.
Just like phone number scams, from email addresses can also be spoofed to make a false presentation of the sender/caller.
I thought that the "Martin Lewis" was the spoof and hovering over it revealed the true address? Are you saying that the jack.glossop ... bis.gov.uk is a spoof as well?
It seems that when I forward one unopened spam to phishing, the spam opens and goes as if I'd written the spam. But if I forward two spams together they go as attachments. I have understood that opening a spam is not dangerous, you just must not click on any links. Is that right?
Any email user can fake the sender's email address to be anything at all - even official email addresses of companies you would expect email addresses to be.
You don't need to own a domain to fake the displayed sending email address.
Best ignore anything from Martin Lewis. 🙂
@Bert4545 wrote: I've had a spam/scam from jack.glossop at bis.gov.uk. How does anybody get a domain name that includes .gov.uk? Surely that should be impossible? I've forwarded it to phishing.
It appeared to come from Martin Lewis, so I knew it was spam.
If what you say is true (and I'm not doubting you), why don't the spammers copy a genuine email address from Martin Lewis ('at' email.moneysavingexpert.com) or a genuine UPS or McAfee email address? (I've had spam from what appears to be them too.)
The funny thing is, if you do open one of these emails, the sender's email address appears at the top, so, even if this is not genuine, it does not contain the expected terms -- moneysavingexpert, ups or mcafee. I suppose not many people look at that and just dive straight into the script.
Most of the spammers are based overseas and have little knowledge of which companies would use particular email addresses - and they often have little knowledge of the English language.
How do they hope to make any money? Surely their 'hit' rate would be better if they used an email address containing the spoof word? If they are clever enough to make an email that looks genuine, surely a bit of basic research would give them an email address that looks vaguely genuine.
Perhaps I should just be glad that they are not so clever.
@Bert4545 wrote: How do they hope to make any money? Surely their 'hit' rate would be better if they used an email address containing the spoof word? If they are clever enough to make an email that looks genuine, surely a bit of basic research would give them an email address that looks vaguely genuine.
Perhaps I should just be glad that they are not so clever.
They will have multiple 'campaigns', if that is the right description. They'll be quickly trying to adapt to ever-changing circumstances: recently Martin has been on TV regarding the energy crisis, I've already had them trying to take advantage of the Ukraine war, then all the 'Payment pending' or 'Amazon/PayPal/bank account blocked' etc.
They'll have a list of email addresses taken from compromised sites or sold in bulk. Some lists have names and other information, which allows for 'spear phishing'.
It just takes you to click one link and your PC is infected.
You can check if it's a genuine email from the bis.gov.uk email servers by checking the email headers. With SPF, DKIM and DMARC policies it's harder to spoof email addresses these days, as a spoofed email will fail the checks, and email providers use these checks to either follow the DMARC policy or reject/mark it as spam if it fails them.
OK, so one of our btinternet.com addresses received the same email too, with the subject "Buy crypto now and you could double your money within a couple of months".
I've just checked the headers and it's actually sent from domain: https://who.is/whois/pyke-leads.website
It failed the SPF, DKIM checks and was quarantined following .gov.uk's DMARC policy.
spf=fail (sender IP is 95.216.222.179)
smtp.mailfrom=charitycommission.gov.uk; dkim=none (message not signed)
header.d=none;dmarc=fail action=quarantine header.from=bis.gov.uk;
Received-SPF: Fail (protection.outlook.com: domain of charitycommission.gov.uk
does not designate 95.216.222.179 as permitted sender)
receiver=protection.outlook.com; client-ip=95.216.222.179;
helo=pyke-leads.website;
Received: from pyke-leads.website (95.216.222.179)
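The header check described in the last post can be scripted. The following is an added example, not part of the original thread: it reads the quoted SPF, DKIM and DMARC results and compares the visible From domain with what the receiving server verified. The `Authentication-Results` header name, the function names and the strict (exact-match) alignment test are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header values quoted in the thread, reassembled under
# the header names they normally carry (Authentication-Results is assumed).
RAW = """\
Authentication-Results: spf=fail (sender IP is 95.216.222.179)
 smtp.mailfrom=charitycommission.gov.uk; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine header.from=bis.gov.uk;
Received-SPF: Fail (protection.outlook.com: domain of charitycommission.gov.uk
 does not designate 95.216.222.179 as permitted sender)
 receiver=protection.outlook.com; client-ip=95.216.222.179;
 helo=pyke-leads.website;
From: "Martin Lewis" <jack.glossop@bis.gov.uk>
"""

def _flat(value):
    """Unfold a multi-line header value and drop its (comments)."""
    return re.sub(r"\([^)]*\)", " ", " ".join(str(value).split()))

def parse_auth_results(msg):
    """Return {method: {"result": ..., property: value}} for spf/dkim/dmarc."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for clause in _flat(value).split(";"):
            pairs = dict(t.split("=", 1) for t in clause.split() if "=" in t)
            for method in ("spf", "dkim", "dmarc"):
                if method in pairs:
                    out[method] = {"result": pairs.pop(method).lower(), **pairs}
    return out

def assess(raw):
    """Compare the visible From domain with what the receiving server verified."""
    msg = message_from_string(raw)
    res = parse_auth_results(msg)
    spf, dkim, dmarc = (res.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope = spf.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    rspf = dict(re.findall(r"([\w.-]+)=([^;\s]+)", _flat(msg.get("Received-SPF", ""))))
    # Strict alignment only; relaxed alignment needs the organisational domain.
    aligned = ((spf.get("result") == "pass" and envelope == from_domain) or
               (dkim.get("result") == "pass" and dkim.get("header.d", "").lower() == from_domain))
    return {"from_domain": from_domain, "envelope_domain": envelope,
            "sending_host": rspf.get("helo"), "client_ip": rspf.get("client-ip"),
            "spf": spf.get("result"), "dkim": dkim.get("result"),
            "dmarc": dmarc.get("result"), "action": dmarc.get("action"),
            "from_verified": aligned}

if __name__ == "__main__":
    print(assess(RAW))
```

For the message in the thread, the result shows three different domains (From, envelope sender and HELO host) and `from_verified` set to false, which is why it was quarantined.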