Email Account Phishing

Not all phishing attempts are out to gain access to your bank account. Some are after a lower-profile target that can ultimately be worse: your email account.

Many people have several email accounts so the damage incurred from handing over access to one of them can range from mildly irritating to totally devastating. If you maintain “throwaway” accounts that primarily serve as spam traps and/or places to send login info for unimportant sites, having one of them breached is not a big deal.

On the other hand, allowing access to an account that processes email for your bank, credit card companies and other important relationships can have dire consequences.

From the phisher’s point of view, the minimum benefit of gaining access to your email account is having another resource to use for sending spam. If they’re lucky, they may also tap into a rich stream of personal data that can be used to enhance future fraud attempts and possibly give them direct access to important financial accounts.

Here’s an example of how one might go about persuading you to let them into your email account:

Subject: Dear WebMail Subscriber

From: “Webmail Account Alert” <admin@messaging.org>

To: undisclosed-recipients:;

Dear WebMail Subscriber,

We would like to inform you that we are currently carrying out scheduled
maintenance and upgrade of our webmail service and as a result our email
client has been changed and your original password
will be reset. We are sorry for any inconvenience caused.

To complete your webmail account, you must reply to this email immediately
and enter your password here ( )Failure to do this will
immediately render your email address deactivated from our database.

Thank you for using our webmail !

Sincerely,

Webmail Support

Right off the bat you should notice how generic this is. There is no branding whatsoever. No legitimate company would pass up a chance to show their logo and mention product names in a message like this. (For those of you who think WebMail is a brand or product name, it’s not; it’s a generic term for any web-based email client.)

Another clue is found in the “From:” address:

“Webmail Account Alert” <admin@messaging.org>

As a rule of thumb, any message claiming to be about your email account that doesn’t come from the domain your account is on is suspect. So unless your account is at “messaging.org” you shouldn’t trust this message. There are plenty of exceptions to this, such as the email coming from the company hosting your domain, but in this instance it’s better to start from a position of skepticism.

Finally, they’re asking for your password, and no legitimate email would make this request. As a rule of thumb, never ever give your email account password to anyone you wouldn’t trust with your life. Even then it’s risky.
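The three warning signs above (generic greeting, a sender domain that isn't yours, a request for your password) can be checked mechanically. The sketch below is an added example, not part of the original article; the function names, keyword patterns and the address you@example.com are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the message quoted above as raw text (ASCII quotes, body abridged).
SAMPLE = """Subject: Dear WebMail Subscriber
From: "Webmail Account Alert" <admin@messaging.org>
To: undisclosed-recipients:;

Dear WebMail Subscriber,

To complete your webmail account, you must reply to this email immediately
and enter your password here ( )Failure to do this will
immediately render your email address deactivated from our database.
"""

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(web\s?mail\s+)?(subscriber|user|customer|member)\b", re.I | re.M)
ACCOUNT_TOPIC = re.compile(r"\b(web\s?mail|mailbox|e-?mail (account|address))\b", re.I)
PASSWORD_ASK = re.compile(
    r"\b(enter|send|provide|confirm|reply with)\b[^.]{0,60}\bpassword\b", re.I)

def same_org(sender_domain, my_domain, trusted=()):
    """True if the sender is on my mail domain, a subdomain of it, or an allowlisted host."""
    allowed = (my_domain, *trusted)
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)

def phishing_clues(raw, my_address, trusted=()):
    """Return the article's warning signs found in a single-part plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):          # multipart mail is out of scope here
        body = ""
    text = f"{msg.get('Subject', '')}\n{body}"
    my_domain = my_address.rsplit("@", 1)[-1].lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    clues = []
    if GENERIC_GREETING.search(body):
        clues.append("generic greeting")
    if ACCOUNT_TOPIC.search(text) and not same_org(sender_domain, my_domain, trusted):
        clues.append(f"about your mail account but sent from {sender_domain}")
    if PASSWORD_ASK.search(body):
        clues.append("asks for your password")
    return clues

if __name__ == "__main__":
    for clue in phishing_clues(SAMPLE, "you@example.com"):  # example.com: assumed address
        print("-", clue)
```

The `trusted` argument covers the exception mentioned above, such as the company hosting your domain. A matching From domain only removes one clue, since that header can be spoofed, which is why the password request is checked on its own.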

There are two scenarios where you will be asked for your email password in an email message:

  1. You receive a phishing attempt like the one above
  2. A friend or co-worker asks for it, for whatever reason

In the first scenario, you don’t know them so don’t give them your password.

In the second, you might know the sender, but you can’t really be sure it’s not a phishing attempt that is spoofing their address, or that their email account hasn’t been compromised too.

Sooner or later you’ll be tempted to ignore this advice because somebody locked themselves out of the system at work or your spouse needs to do some emergency banking. Hopefully, you’ll remember this article and figure out something safer (a phone call might be better if you’re in a business that doesn’t have a lot of industrial espionage). If not, don’t say we didn’t warn you.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
