I wanted to set up another email account with a gmail address. So I set it up and google transferred my google log in details from my existing hotmail account to the new one. I still can access my current hotmail account so all good
today I receive an email from ‘email management team’ (to my hotmail account) saying ‘we received your request to deactivate your account, if this was made incorrectly then click this link’. Now I don’t want to lose my existing account, and given only yesterday I created the new email I assumed legit and clicked on the link. It then presents with a page asking me to put in my log in details with the address us21.list-manage.com, which is Microsoft branded but looks dodgy af. So I check the email address the original mail is from and it’s from a doctorkanna@hotmail.com!
I'm 99% sure this is a con, but how on earth did they realise I’d just set up a new gmail account, which is the reason I thought it may be genuine?
or am I being overly paranoid here? My one concern is I don’t want my Hotmail account to be closed down on the slight off chance it is genuine
My one concern is
... exactly why these scams work.
If it was legit, you'd get a request for confirmation rather than a request to stop them.
how on earth did they realise I’d just set up a new gmail account
Coincidence? /shrug
I get them all the time talking about the imminent suspension of my Tinder profile, my Lloyds bank account or my Apple ID, often packaged as something like [color=red]URGENT ACTION REQUIRED!![/color] Which would all be slightly more convincing if I actually had accounts on any of those things.
It's not genuine.
They scatter gun a bazillion people, and one of them happens to be closing an email down.
Of course thinking your email is being closed is a strong motivator to react.
Mark as junkmail and move on.
Fair point... how on earth did they know I’d just set up the other account however, coincidence?
do I need to do some kind of virus sweep given I clicked the original link? I’m using an iPhone
ta
Probably not. Though you've confirmed that your email is a valid address (and likely to click on links) so expect a sharp uptake in spam for a few weeks.
If on the other hand you've entered any credentials, you really need to change your password as a matter of some urgency. And at the risk of sounding like a scratched record, you really should have MFA on your email account if you haven't already.
Never rule out the possibility of an insider selling on your data.
My FiL has recently had dementia assessment and various medical interactions.
All of a sudden he's getting cold called and signed up to various insurances and payments that appear to be legit companies selling services and not outright scams, but it's all stuff he definitely doesn't want, need, or understand.
It *could* be a coincidence, but he wasn't getting these calls last year, and we aren't getting them now.
OTOH targeted advertising and browser tracking etc can be pretty effective too. As is the straightforward scatter-gun when it happens to hit the target.
really should have MFA
What’s that?
Multiple factor authentication
So they text you to say "did you really want to send £9000 to the Nigerian prince?"
What’s that?
Multi factor authentication. Normally a text message or an app on your phone which pops up a one time code/click yes to approve the login request if it isn't on a preapproved computer.
Ignore. It's just a scattergun attack relying on a tiny percentage of recipients having reason to consider the request valid... be it timing, forgetfulness, fear... whatever.
Cool thanks
stupid hotmail won’t allow me to change my password for 30 days as the number I have on the account which it wants to send a code to is out of date. Despite me having the existing password! Luckily I didn’t enter the password in the scam email!
I’ve run a scan on phone using something called ‘avast’ and it’s found nothing untoward
ironically it’s the avast app itself (and anything else that claims to offer ‘protection’ for an iPhone) which is the scam!
Get that phone number and password updated.
Get two factor authentication set up - I use the Microsoft app as we also have it for work, but Android also has one.
Also, get faster at choosing to mark things as spam. Both Gmail and Outlook you can do it with a right click or long press on a phone, or from top menu. Just be brutal on this. Any company looking to contact you can phone or write. Any account changes will NOT require you to click here and login there - and will be good at telling you this in their emails.
Get two factor authentication set up – I use the Microsoft app as we also have it for work, but Android also has one.
If you're using a password manager many of them have the ability to set-up MFA inside the vault. That way if you've left your phone home it's there in the vault ready to go and will autofill while the vault is open at the login you've just used. You are using a password manager for long and random passwords?
Fair point... how on earth did they know I’d just set up the other account however, coincidence?
They didn't know. I got the same mail yesterday (or a very similar one). I haven't set up a new account in 3 or 4 years.
Probably means that a site we both use has "lost" some email addresses and they are just scattergunning a list they've bought.
And the lists they buy are huge. Hundreds of thousands of addresses, or more.
Fair point... how on earth did they know I’d just set up the other account however, coincidence?
Yes. Coincidence. As @kelvin described. They send out lots of emails, many people receive one, many of those won't see it as their spam/junk filters are working well, some will see it and bin it, some like you will associate it with a recent event, and some will act on it.
Phone AV. Oh. Dear.
And the lists they buy are huge. Hundreds of thousands of addresses, or more.
My largest password list is 11GB. Back of an envelope calculation, I estimate that (conservatively) at about a billion passwords.
really should have MFA
What’s that?
I've been blogging about passwords, hopefully in an accessible manner. This thread prompted me to write the latest post which is here and covers off a brief overview of MFA: https://blueteamhackers.com/old-mcdonald-had-a-password-m-f-m-f-a/
The series itself starts here: https://blueteamhackers.com/why-your-password-is-important/
I check the email address the original mail is from and it’s from a doctorkanna@hotmail.com!
I think you mean the sender had specified the 'from' address as doctorkanna@hotmail.com - it's very easy to send an email with any 'from' address you choose. If you look in the email headers you can see the IP address it was sent from and, in most cases, whether that server was authorised to send emails from hotmail.com
Looking at the full message headers and routing information as @greybeard implies is informative for regular spam and phishing. So much of it fails any authenticity quickly.
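As an added illustration of the header check greybeard and the reply above describe (example code, not from any poster on this thread), this Python snippet compares the visible From: domain against the Authentication-Results and first Received hop that the receiving server recorded. Both messages are constructed samples; the domains, IP addresses and header layout are assumptions.

```python
import email
import re
from email.utils import parseaddr
# Constructed sample (not from the page): the visible From: claims the recipient's
# own provider; the receiving server recorded SPF/DMARC failures and another envelope domain.
PHISH = """\
Received: from mx.bulkmailer.example ([203.0.113.7])
    by inbound.mailhost.example with ESMTP id abc123
Authentication-Results: mailhost.example;
    spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bounce@bulkmailer.example;
    dkim=none header.d=none;
    dmarc=fail action=quarantine header.from=mailhost.example
From: "Email Management Team" <support@mailhost.example>
To: victim@mailhost.example
Subject: We received your request to deactivate your account
"""
# Constructed legitimate counterpart: same visible From:, every check passes.
LEGIT = (PHISH.replace("spf=fail", "spf=pass")
              .replace("dkim=none header.d=none", "dkim=pass header.d=mailhost.example")
              .replace("dmarc=fail action=quarantine", "dmarc=pass")
              .replace("bounce@bulkmailer.example", "bounce@mailhost.example")
              .replace("mx.bulkmailer.example ([203.0.113.7])", "mta.mailhost.example ([192.0.2.10])"))

def _unfold(value):
    # Join RFC 5322 folded continuation lines back into one header line.
    return re.sub(r"\r?\n[ \t]+", " ", value or "")

def assess(raw):
    """Compare the visible From: domain with what the receiving MTA actually authenticated."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(_unfold(msg.get("From")))[1].rpartition("@")[2].lower()
    auth = " ".join(_unfold(h) for h in msg.get_all("Authentication-Results", [])).lower()
    # spf/dkim/dmarc verdicts recorded by the receiving server, not claimed by the sender
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    env = re.search(r"smtp\.mailfrom=[^@;\s]+@([\w.-]+)", auth)
    hop = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", _unfold(msg.get("Received")))
    report = {"from_domain": from_domain,
              "envelope_domain": env.group(1) if env else "",
              "first_hop_ip": hop.group(1) if hop else "",
              **{k: results.get(k, "missing") for k in ("spf", "dkim", "dmarc")}}
    flags = []
    if report["dmarc"] != "pass":
        flags.append("DMARC did not pass for the visible From: domain")
    if report["spf"] != "pass":
        flags.append("sending IP not authorised (SPF) for the envelope sender")
    if report["envelope_domain"] and report["envelope_domain"] != from_domain:
        flags.append("envelope sender domain differs from the visible From: domain")
    report.update(flags=flags, verdict="suspicious" if flags else "passes header checks")
    return report
```

Real mail clients expose these headers under "view source" or "show original"; the Authentication-Results line is only trustworthy when it was written by your own provider's inbound server.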
@cougar great blog! Where is part 5?
I still have fun with the Gibson research haystack https://www.grc.com/haystack.htm
it’s very easy to send an email with any ‘from’ address you choose.
It is, but that in itself is evidence that it's dodgy.
@cougar great blog! Where is part 5?
Thank you. Give me a chance, I've only sat on #4 for like a year.
I still have fun with the Gibson research haystack
It's my professional opinion that Steve Gibson is a nob.
It’s very easy to send an email with any ‘from’ address you choose.
It is, but that in itself is evidence that it’s dodgy.
To somebody who knows to read the headers and see that the 'from' address is inconsistent with them, it's a dead giveaway, but 98% of email users won't do that, and 95% still think that 'from' address shows who sent it. (You may know the real % but the point stands).
I deem myself savvy enough to double check if I'm suspicious but I never knew you could change the 'from address'.
Is this the case of those working under the hood of IT assuming their common knowledge is common to those of us driving our computers?
I'll read Cougar's blog though. Every day's a school day
I deem myself savvy enough to double check if I’m suspicious but I never knew you could change the ‘from address’.
It's slightly more quirky than that, but the short version is that you cannot trust "from" as presented.
I’ll read Cougar’s blog though. Every day’s a school day
For the avoidance of doubt: I'm co-author on that blog, I cannot take credit for most of it. My contribution has been the articles I've linked above, my mate Glenn is the primary owner. He's pitching at cybersecurity professionals, I'm pitching at regular people. I would deeply appreciate any feedback, if I've made someone go "... oh!" then I'd consider that mission accomplished.
On a related note we have a new IT support/supplier at work who have implemented a new spam filter. It shows us twice daily any suspect emails. It has been enlightening how many emails these systems catch daily in a work setting - before the system quietly blocked what it did not like and you would not know.
My work email alone catches 2-5 phishing emails a day, on top of another 5-10 spammy/cold calling/I am not on a mailing list emails.
As a (small charitable) organisation of 40 people we have had three very targeted digital phishing/hacking efforts in the last three years. Criminals getting hold of our email footers, names and job roles in the organisation and fabricating emails 'from' the CEO and similar.
We all need better systems and better awareness of these things.
I do worry that our staff team, wonderful as they are, are a real weak point.
We all need better systems and better awareness of these things.
I do worry that our staff team, wonderful as they are, are a real weak point.
This is another "this is a hill I will choose to die on" argument.
You are 100% correct that the weakest link in this chain is people, and staff training is critical.
However. Precisely because of that, we should be making every effort to ensure that they are never put in the position where they have to make a decision along the lines of "is this a scam / phishing / otherwise bogus?" If, in a corporate environment, a user is presented with an email laden with credential harvesting or cryptolocking malware then the system has already failed and we're into Thoughts And Prayers territory. Running fire evacuation drills doesn't mean we can get rid of all the fire extinguishers.
Also,
If you "do worry" then do something about it. Back to the blog, Glenn and I differ here slightly in opinion but an awareness campaign is no bad thing because people use computers and devices at home too. My hot take is that there are many ways in which a suspicious email has 'tells' but it is a mistake to have a user interact with it. Rather my golden rule is get them to consider, "was I expecting this?"
Hostile emails are designed to fluster recipients, to make them panic and react rather than pause and think. We can wax lyrical all day about how to spot malformed domains or forged sender addresses, but the bottom line is that if you receive something which makes you go "huh?" then just STOP.
I've blogged about passwords and MFA, but I was once asked "what's the one thing we can do today to best improve our security posture?" and I replied "amputate everyone's right index finger." 😁