Beware of an email-based scam that’s making the rounds this year! Since January, I’ve been targeted three times, and I wanted to share the story—both to help you avoid falling prey to the scam and so you can better alert any friends or acquaintances whose email accounts have been hacked.
First, let me bang the drum one more time: None of these people would have had problems if their email passwords had been strong and unique. If you reuse your email password anywhere, or if it’s short and obvious, stop reading right now and go change it.
Your new email password should be at least 13 truly random characters (something like iR82dGlQf3&@C) or at least 28 characters of common words separated by hyphens (like the classic correct-battery-horse-staple), or you could generate it through some combination of numbers (like dates) and letters (such as initials) that make sense to you. Whatever you choose, it must be strong and unique. And if you’re not using a password manager, you’re wasting your time and likely being insecure.
How the Scam Progresses
The email scam message I received came from someone I know quite tangentially—John is a runner from a nearby city who had participated in some of the track meets that I organize. Since I assign bib numbers and announce all the races, his name was sufficiently familiar that I wasn’t surprised to receive email from him—we had corresponded once in 2021 about an upcoming track meet. But with only one prior conversation, I had no sense of his email style, so his first message didn’t raise any alarm bells in my head.
I replied generally to the first message—there were various reasons an upstate New York runner might contact me—but those alarm bells went off instantly upon receiving the next message.
I couldn’t see any reason why a person I barely knew would ask if I had an Amazon account, and besides, at this point, who doesn’t? I switched into investigation mode. What you can’t tell from the message above is that although the sender’s name remained the same, the email address had changed from windstream.net to yahoo.com. Combined with the strange request about an Amazon account, I was now nearly certain I was talking to a scammer who was using the email address switch to get me into their own account in case John locked them out by changing his password. I decided to keep the scammer talking and see what I could learn.
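One way to automate the reply-address clue just described, as an added example that is not from the article: parse two messages in a thread and flag when the address a reply would actually reach (Reply-To if set, otherwise From) has drifted away from the original sender, even though the display name stays the same. The messages, names and domains below are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail) following the pattern in the article:
# same display name, but the address a reply would reach moves to another provider.
FIRST_MSG = """From: John Runner <john@isp-a.invalid>
Subject: Quick question

Are you around?
"""
SECOND_MSG = """From: John Runner <johnrunner@webmail-b.invalid>
Subject: Re: Quick question

Do you have an Amazon account?
"""
# Variant: From is unchanged, but a Reply-To header silently redirects the reply.
REPLYTO_MSG = """From: John Runner <john@isp-a.invalid>
Reply-To: John Runner <johnrunner@webmail-b.invalid>
Subject: Re: Quick question

Can you help me with something?
"""

def reply_target(raw):
    """Address a mail client would reply to: Reply-To if present, otherwise From."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    return addr.lower()

def check_reply_switch(first_raw, later_raw):
    """Flag a thread whose reply address drifted away from the original sender.
    Returns (flagged, explanation)."""
    original, later = reply_target(first_raw), reply_target(later_raw)
    if not original or not later:
        return True, "could not parse a sender address; treat with suspicion"
    if original == later:
        return False, "reply still goes to %s" % original
    orig_dom, later_dom = original.rsplit("@", 1)[1], later.rsplit("@", 1)[1]
    first_name = parseaddr(message_from_string(first_raw).get("From", ""))[0]
    later_name = parseaddr(message_from_string(later_raw).get("From", ""))[0]
    detail = "display name unchanged" if first_name == later_name else "display name also changed"
    if orig_dom != later_dom:
        return True, "reply would now go to %s instead of %s (domain %s -> %s); %s" % (later, original, orig_dom, later_dom, detail)
    return True, "reply address changed within %s: %s -> %s; %s" % (orig_dom, original, later, detail)

if __name__ == "__main__":
    for label, later in (("second message", SECOND_MSG), ("reply-to variant", REPLYTO_MSG)):
        flagged, why = check_reply_switch(FIRST_MSG, later)
        print(label, "->", "SUSPICIOUS" if flagged else "ok", ":", why)
```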
After sending that message, I looked up John’s phone number in his most recent track meet registration and texted him. Luckily, I was able to provide sufficient context in my initial text that he knew who I was. As I expected, he knew nothing about what was happening and confirmed that the Yahoo account wasn’t his.
By now, I was curious what the scam would be, so I kept pretending that I was skeptical but still going along with it all. After another message or two, it became clear—the scammer wanted me to buy a $300 Amazon gift card for which they would reimburse me later. Yeah, right.
Throughout all this, I made sure to send only to the windstream.net account in part to see if the scammer would lose access. I was simultaneously keeping up the text backchannel with John, who said that he saw none of these messages in his Sent mailbox nor messages from me in his Inbox, which suggested that the scammer was somehow deleting them instantly to cover their tracks. I assume that John changed his password, but if so, that apparently didn’t kick the scammer out because I kept getting replies to the messages I sent to windstream.net.
I entertained a faint hope that Yahoo would be interested in shutting down both the scammer’s address and the address they wanted me to use for the Amazon gift card. But no, my attempt to alert abuse@yahoo.com failed. I subsequently tried to contact Yahoo via a recommended Web form after I mentioned the issue in “Yahoo-Backed POP Connections Cause TidBITS Formatting Error” (26 January 2022), but that was equally unsuccessful.
By this time, I had traded a few more messages with the scammer to keep the conversation going, but they eventually gave up on me. I never heard back again after this message.
I didn’t get around to writing up this story right away and quickly forgot about it. But a month later, it happened again! Vern isn’t someone with whom I’ve ever exchanged email, but he runs an excellent U-Pick blueberry farm in my nearby hometown, and I had left my email address in his visitor book the last time I picked berries there. Luckily, I had an in for contacting him—my father used to be the mail carrier, and he still knows most people in town. Dad was able to call him and let him know about the problem, and Vern changed his password and alerted all his email contacts not to reply to the scam messages. Amusingly, this time, Vern’s real email address was at Yahoo, and the scammer was trying to redirect replies to a fake Outlook account.
Two months later, the scam reappeared in my email, with the scammer victimizing an older runner in the area. In this case, I’d been talking about Tom with another friend who worked with him regularly just the day before, so I recruited my friend to encourage Tom to change his password.
How to Help Your Friends
Let’s assume that you get one of these messages. They’re so weirdly generic that you’ll realize it’s a scam right away if they come from someone you know well. Or, as in the case of my second example, you’ll know the person so slightly that the scam will be obvious purely because a stranger would never ask such questions. The awkward middle occurs if the message is like my first and third examples, where I knew the people just well enough that I wasn’t surprised to get email from them but not well enough to be certain that the message was fake.
Nevertheless, if you’re unsure, there’s no harm in replying—just don’t get sucked in! If you notice that your reply (or any subsequent one) is going to an address other than where the first one originated, that’s another clue that you’re in the middle of a con. Once you realize what’s going on, here’s what I recommend doing… and not doing:
Do recommend a password change: By calling, texting, or emailing a secondary address, tell the person whose account has been hacked to change their email account password immediately and recommend that they create a strong, unique password using a password manager. You must assume that the scammer has full control over the victim’s primary email account and will delete all warnings and evidence of wrongdoing.
Do encourage alerting of other contacts: Although the person whose account was hacked probably won’t be able to tell who received the scam message, encourage them to alert all their contacts that the previous message was fake and should be ignored. Also, suggest that they encourage their contacts to check their passwords; the acquaintances of someone whose password was weak enough to be compromised may well have weak passwords too.
Don’t fall for the scam: Never buy an Amazon or other gift card for someone you don’t know just because they ask. (If you want to give someone money, become a TidBITS member.)
Don’t mark it as spam: Don’t mark the initial message from the scammer as spam or report it as phishing. Remember, it’s essentially legitimate email, having been sent from the compromised account, so marking it as spam could cause future real messages from that person to be filtered too.
Don’t bother reporting the scammer: Sadly, I don’t recommend trying to report the scammer to whatever email service they’re using. The goal is good, but it’s all too likely to be a waste of your time.
To make it easier to alert victims, here’s a sample message you can text them or use as a script when talking to them:
It looks like your email account has been hacked and used to send scam messages to contacts like me. I’d encourage you to change your email password immediately, making the new password strong and unique, ideally using a password manager app. Also, it would be good to alert your contacts to ignore the scam message and encourage them to make sure their own passwords are secure.
Finally, if you have friends who aren’t Internet-savvy, share these stories so they have a better chance of avoiding being scammed or having their accounts compromised.