Follow up on a phishing email?
February 14, 2022 9:17 PM

I got a phishing email purporting to be from my wife's aunt. Is there anything that I should do besides delete the email?

I got an email with this exact text in the body: "Hi, how are you doing sorry for bothering you with this email do you shop with amazon ? thanks". Totally phishy, and furthermore my yahoo email flagged it with a "we think this is a scam, but we're letting you see it because sender is in your contact list" message. I also Googled the text of the message, and found this page about a near-match scam message.

So why I ask about this: the "from" field in the email is "", which is the real email (except that I replaced "name" for anonymity). The reply field has "", in which an extra vowel has cleverly been inserted into the name. Should I contact the aunt about this, and maybe tell her to turn on 2FA or something? Maybe alert her other contacts? Is there some way I should report "" to make sure it gets shut down?

If there's no point in alerting this aunt about the incident, then I would prefer not to. I don't think she's very tech-savvy and she is grieving a very recently deceased husband. I don't want to give her something new that might worry, confuse, or frustrate her.
posted by polecat to Computers & Internet (12 answers total) 1 user marked this as a favorite
Something to consider: if your aunt's email has been hacked, it's highly likely that all her contacts might have received a similar email and they might contact her asking what's up, which might be confusing to all involved.
Maybe you can contact your aunt and explain in a neutral, unscary way what might have happened?
Find out who does her tech support, or share a link to a straightforward "what to do if your email is hacked" article.
I don't know if you are willing to help her yourself, but you can let her know, in a matter of fact way, that something might be wrong and what she can do about it.
posted by Zumbador at 11:12 PM on February 14, 2022 [1 favorite]

Yes, my husband's auntie had this happen recently (down to the same message) and it had been sent to all her contacts. Her daughter sent an email an hour or two later alerting us that her mom's email was hacked and to please not engage with any emails sent from the account.

Your aunt should change her password at least, and turn on 2FA if you think she could handle it.
posted by potrzebie at 11:25 PM on February 14, 2022 [1 favorite]

I agree with the two posters above. It seems very unlikely that they would know how to impersonate the aunt's account and what your email was unless your aunt's account had been hacked. At the very least I would confirm that your aunt knows she was probably hacked.
posted by aaabbbccc at 11:52 PM on February 14, 2022 [2 favorites]

Response by poster: Bummer. I was hoping y'all would reassure me that it was probably a 3rd party who had been compromised, and they had connected our emails through some email harvested from the 3rd party. However, it does seem like there's a chance that the aunt's Comcast email has actually been compromised. I expect I'll be giving the aunt a call about this in the morning.

I had done a Google search for how to report a scam email address. The results looked like a lot of instructions to push the "spam" button in Outlook, which I already know to do and isn't applicable since it isn't Outlook that received this email. I've since decided to dive a little deeper in the search results, and I found this:

Report a spam email originating from a Hotmail, MSN or Live account. If you are a non-Windows Live member and you are receiving spam originating from a Windows Live account, send an email to either, or depending upon the originating mail domain (i.e., Hotmail, MSN or Live). Attach a copy of the spam email to the message.

Soooo...the address I want to report is ""--none of the 3 that they cite. I decided I would try "". A couple minutes later, I got an automated acknowledgement that it had been received. I hope that's all legit and maybe useful.
posted by polecat at 12:35 AM on February 15, 2022 [2 favorites]

It didn’t necessarily have anything to do with your aunt’s account, though - the connection between your aunt’s account and your own is likely evident from evidence in any number of other accounts. Like, I don’t know about you but my family is always sending around holiday planning emails with 15-40 people cc’d. Anyone who receives that email knows that your email and your aunt’s are connected somehow. Anyone who gets access to a forward that has both your email and your aunt’s email in the same cc can see a possible connection.
posted by mskyle at 3:50 AM on February 15, 2022 [1 favorite]

I'm no expert on phishing, but I wonder if your aunt's account was actually hacked. If the cybercriminals really hacked into her account, then they would probably change the password (so she couldn't get in) and then send messages directly from the account. In that case, what would be the point of using a different email address in the "Reply to:" field? They'd just use the same email address, because they would be the ones who would receive the replies.
posted by JD Sockinger at 4:29 AM on February 15, 2022 [1 favorite]

yes, your wife's aunt's email has absolutely been hacked and at the minimum she needs to:
- change her password
- report the spam email address to its service provider

the reply-to change is actually the most insidious part: they think they're replying to your aunt and the spammer can reply.

this most likely happened because of reusing her email password elsewhere on the internet (say ShopMart) and that site got hacked. phishers got the ShopMart list and were like "let's see if this is her email password too!"

when this happened to my mother's ancient AOL email address this fall she posted a message about it on facebook to let her friends know. several replied about seeing it and being uncertain.

further steps i'd suggest would be to set up two-factor authentication (if possible), stop re-using passwords, and set up a password manager program to facilitate the not-reusing passwords.
posted by noloveforned at 6:03 AM on February 15, 2022 [3 favorites]

It is trivially easy to fake the "from" field in an email: mail headers are just plain text after all. But it's also relatively easy for mail servers to spot that this has been done and reject the email. And on the other other hand, it's possible that Yahoo did spot exactly that but let it through anyway because it matches someone in her contact list. (Seems like a pretty easy loophole for spammers, if so, but then again it's Yahoo.)

If lots of her contacts are getting the same spam from her, that could mean the spammers have her contact list, or it could mean they acquired it from Facebook, legally or not, who the hell knows.

I don't think it's possible to say with any certainty whether she's been hacked or not. But either way, yeah, she should at the very least change her passwords just in case. So should you. So should I.
posted by ook at 6:19 AM on February 15, 2022

It's trivial to fake a from address, and it's probably sent from that reply-to to evade some spam filters.

Now, on to how they got good contact info? It's everywhere now. Every other app is like "do you want BassPictureApp to find your contacts to easily share fish pics?" People add them to Christmas card sites. Any one of those could have leaked data, or even been born malicious, with functionality added to get to what they really wanted, data.

In the past, scammers would never send it from the email they stole it from, just to make it harder to find out who needed to fix their account, but now that they are stealing contacts in such varied ways, I'm not even sure they do that anymore.

In any case, if you want to rest easily, you can change your password to your email and revoke any access to your contacts in any apps on your phone.
posted by advicepig at 6:31 AM on February 15, 2022 [1 favorite]

look at the header to the email you received - a deep dive will make it pretty clear whether it's actually faked or not.

in my case it was an aol email with a gmail reply-to so it was pretty clear that it did in fact come from the aol/yahoo world.

if it's on the same domain, it's a little more difficult but gmail/outlook will always include the valid outlook/gmail address used when you're using a different 'from' address. they'll usually require you to validate that address.

if you're seeing a mail server that has nothing to do with the sender/receiver domains then it's very clearly faked.
posted by noloveforned at 6:46 AM on February 15, 2022 [2 favorites]
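The header check described in the answer above, as an added example that is not from the thread: a small Python script that pulls the From/Reply-To pair, the Received chain and the SPF/DKIM/DMARC results out of a raw message and says whether the mail really left the From domain's servers (pointing at a compromised account, as turned out to be the case here) or looks like a forged From. Every address, host and IP in the sample is a constructed placeholder; paste in the raw source your mail client shows to use it for real.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for a message like the one in the thread; every
# address, host and IP here is a placeholder, not a real value from the page.
SAMPLE_RAW = """\
Received: from mail-out.example-isp.net (mail-out.example-isp.net [203.0.113.10])
 by mx.yahoo-example.net with ESMTPS; Mon, 14 Feb 2022 20:55:01 +0000
Received: from webmail.example-isp.net ([198.51.100.7])
 by mail-out.example-isp.net; Mon, 14 Feb 2022 20:54:58 +0000
Authentication-Results: mx.yahoo-example.net; spf=pass smtp.mailfrom=example-isp.net;
 dkim=pass header.d=example-isp.net; dmarc=pass header.from=example-isp.net
From: "Aunt Name" <aunt.name@example-isp.net>
Reply-To: "Aunt Name" <aunt.naame@freemail-example.com>
To: polecat@yahoo-example.net
Subject: Hi
"""

def _in_domain(host, domain):
    # True when host is the domain itself or a subdomain of it.
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    """Pull out the header facts the thread says to check, plus a verdict."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", from_addr))[1]
    sender_dom = from_addr.rpartition("@")[2]
    rcpt_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2]
    # Every "from <host>" clause in the Received chain, newest hop first.
    hops = [m.group(1) for m in
            (re.search(r"from\s+([A-Za-z0-9.-]+)", h) for h in msg.get_all("Received", []))
            if m]
    # Relays belonging to neither the sender's nor the recipient's domain.
    foreign = [h for h in hops if not (_in_domain(h, sender_dom) or _in_domain(h, rcpt_dom))]
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           " ".join(msg.get_all("Authentication-Results", []))))
    forged = bool(foreign) or any(v != "pass" for v in auth.values())
    return {
        "reply_to_mismatch": reply_to.lower() != from_addr.lower(),
        "relays": hops,
        "foreign_relays": foreign,
        "auth": auth,
        # "origin-consistent": the mail really left the From domain's servers and
        # passed SPF/DKIM/DMARC, which points at a compromised account, not a forged From.
        "verdict": "likely-forged-from" if forged else "origin-consistent",
    }
```

On the sample the verdict is "origin-consistent" with a Reply-To mismatch flagged, which is exactly the combination that should make you call the account owner rather than just hit delete.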

Response by poster: I just contacted my wife's cousin, and she's already aware of this. They can see the spam message in the sent box! She said it's been very upsetting because the email was set up by the recently deceased dad/uncle, and it's been some trouble for my wife's aunt to get in. I wonder if this is a common thing, that scammers swoop in when somebody dies?
posted by polecat at 8:17 AM on February 15, 2022

Response by poster: Well, I guess I get to feel like a hero for a few hours. I just finished some screen sharing with the aunt over Zoom, and I think we've got her fixed up. The scammers left 2 messages in the sent box. I found that they entered the bogus address into the auto-forwarding box, but left the checkbox to enable forwarding turned off. That was confusing, but then I found they had set up two filter rules to forward messages to the same bogus address. We also turned off POP access. We'll send a "reply-all" to the recipients of the scam message to warn them about what happened. Interesting how clever the phishing seemed, yet I'd think it would have been easy to do a much better job of covering their tracks.

She's now set up with a new password and 2FA, and I advised her that we can talk later about setting up a password manager. Whew! Thanks for the advice, everyone.
posted by polecat at 3:31 PM on February 15, 2022 [6 favorites]
