ALAN ZISMAN ON TECHNOLOGY
Don't let this happen to you!
Lock out email hackers before they try to scam all your friends.
By Alan Zisman © 2024-01-26
Yesterday morning, I got an odd-seeming email from an old friend. The title was Checking.... It read:
"Greetings from here, How are you doing?
I want to know if this email address is still valid to write to you. There is something important I would like to discuss with you."
Where most emails say who they're sent to, that information was missing - suggesting it had been sent to a whole bunch of people, using the email BCC (blind carbon copy) option - which hides the list of recipients.
And the text was pretty generic. Let's call the sender 'Tom' (not his real name); Tom and I have known each other for a long time - probably nearly 40 years by now. But there's nothing in the message about Tom (who I know was on holiday right now)... just a request to verify the email address.
Still, I didn't think much of it, and I didn't reply.
Then I got a second identical email. Well, many people have two email addresses for me, and Tom might legitimately be checking which one to use.
Then I got a third.
Then I heard from two other people who know both me and Tom, who'd gotten the same message - in one case, a couple of times. They were wondering whether I thought it was legit. I said that I agreed that it sounded iffy. One of them had replied, without thinking, then wondered if in doing that, they'd infected their computer. She got a reply - and had deleted it without opening it.
I told her that she probably had not been infected by just replying to the initial email or by receiving an unopened message, but knowing that she had the (very good) anti-malware app Malwarebytes installed (available for Mac, Windows, and Android - recommended), it wouldn't hurt to run a scan. It came up clean.
But that got my interest up... so I replied to the message. Just in case, I sent it from a lesser-used email account of mine; no sense in giving potential scammers an email address that I actually relied on. I said:
"Hi Tom. I hope all is well. What's up?"
I heard back pretty quickly. Whoever was on the other end wrote:
"How are you doing today? Thanks for your acknowledgment. I need to get an Amazon gift Card for a friend of mine who one of her daughter is diagnosed with stage 2 mesothelioma cancer, She lost her second daughter to the disease (COVID-19). it's her birthday but I can't do this now. I tried purchasing it online but unfortunately, I got no luck on that. Wondering if you could help me take care of this online or go to a store or Supermarket close to you? I'll reimburse you once I get back home.
Please let me know so I can provide you with her email."
As I'd suspected, it had quickly turned into a request for money. I wrote back asking for more information - but never heard any more, for reasons that will become apparent.
Meanwhile, I'd also emailed Tom's partner - I wasn't sure whether contacting Tom directly would get through, given that it wasn't clear to me whether the faux-Tom was actually using (and possibly controlling) Tom's email account or not. And if that was the case, they could easily have changed the email password, locking Tom out of his own email.
I told Tom's partner what I'd learned, and suggested that she tell Tom to change his email password ASAP and to get Tom to contact me.
Tom got back to me quickly, saying he'd heard about these messages from a lot of people and that he'd changed his email account password - which explained why I hadn't gotten a reply to my second message to faux-Tom. Real Tom asked me if there was anything more he should do.
My strong suggestion - enable two-factor authentication for the email account (along with his Facebook account and any financial institutions with whom he did online banking).
So-called 2FA requires an additional step beyond logging in with a user name and password - this extra step requires something of yours, typically a mobile phone. As a result, someone who's gotten your user name and password - but doesn't have your mobile phone - is unable to access the account in question.
Tom had known about 2FA but hadn't enabled it for his email account. He had two concerns about it:
- Google or Gmail
- Outlook.com or Microsoft account
- Facebook or Facebook Messenger
- Yahoo Mail
- Check your financial institution's website for information on how to do this for your online banking!