Talking to Yourself aka E-Mail Spoofing

Have you ever gotten an e-mail from yourself that you didn’t send?

Here’s an example from my inbox.

inbox

Yep, there are 4 messages to myself from myself that I never sent.  The modern day version of talking to yourself – except they aren’t legit.

They are supposedly from my e-mail address – but I didn’t send them.

That is something called “spoofing” on the internet.  It happens when someone, a “bad guy” for lack of a more descriptive term, wants to send spam or junk mail, or worse, and hijacks your internet e-mail address to do so.

No, they have not broken into your e-mail account, they are just appending your address as the “sent” address so that it gets through filters and such.  However, if this happens to you, the FIRST thing you should do is to check your “sent” folder to be sure you don’t have a virus or some kind of malware sending things from your computer.

The bad news is that there is nothing at all I can do about this – except wait until the wave is over and hope there isn’t another one anytime soon.

Why did they pick me?  Because they can – they search for valid addresses and the more widely received, the better, because it makes their target audience larger.

A few Internet Service Providers use “source assured addressing” schemes where they connect the sending ID with the address it’s supposed to come from and “flag” suspicious e-mails.  You can see that AT&T did just that and put it the messages into my spam folder, labeled “bulk.”  It’s up to me to delete them.  Some spam never makes it this far and the vendors just throw the messages away.

Now the bad news on my end is that my address may become associated with spammers and get blacklisted.  There’s nothing I can do about that.

On your end, consider this a heads up – for my e-mail address and others.  If you receive something you don’t expect from someone, or just a link to click – DONT CLICK.  Don’t EVER click.

If you receive something from someone you know with a vanilla sounding message like:  “You have to see this,” followed by a link – your internal neon danger sign should be flashing like crazy.  And for goodness sake, DON’T CLICK.

Another tactic is to attach a document of some sort that you are instructed to open.  Don’t do that either.  If you’re not expecting a refund or a package or whatever…the message is fake.  And by the way the IRS does not contact you via e-mail and neither does the court requesting jury duty, etc.

Conversely, if you’re sending a link to someone, send at least enough of a message that the recipient knows it really is from you.  For example, “I found this link about the first Algonquian Bible which was the first Bible printed in the US.”  Then add your link.  My friends will know that is something I would be sending – not a message that’s so generic they have no way of knowing if the e-mail is legitimately from me.

I received an e-mail last week from Justin, someone connected to genealogy with whom I communicate regularly.  The e-mail said Justin had sent me a message through XYZ and to “click here” for the message, shown below.  I found that odd since Justin regularly e-mails me and has never used any kind of message service.

scam email crop

I was suspicious, so I didn’t click.  I didn’t want to miss something from Justin, so  I forwarded the e-mail to Justin and asked if he sent it.  He said that he had clicked on that same link in an e-mail he received and it then sent itself to his entire e-mail list.  You can rest assured that’s not all it did and now he has some malware someplace on his computer as well doing who-knows-what.  The bad guys don’t do these things just for fun.

I quickly deleted that e-mail and was very grateful for my second sense that told me something was amiss.

While most genealogists do talk to themselves, it’s not quite like this.  Stay vigilant and if there is any doubt, don’t click.  Better wary than sorry.  Otherwise, you won’t be talking to yourself, you’ll be swearing at yourself!

11 thoughts on “Talking to Yourself aka E-Mail Spoofing

  1. Thank you for providing a free public service message to all of us that subscribe to your blog. The uninformed are warned, and the rest should appreciate the reminder. I was the victim of a fake UPS shipping notification once.
    “Roberta’s school of cyber security”

  2. Yes, this is relatively common. I’ve been totally paranoid about ‘bad’ emails for years, and always hover to see where this email is coming from… usually far, far away. I delete anything questionable then empty my trash, and reboot if I think anything might have got through. In rebooting my virus scanner does a quick scan. So far, so good. Twenty-odd years on the internet and only once got a bad virus.

    Very good reminder for everyone on how this happens, and how to be more aware of this spamming technique. Cheers.

  3. Oh YEAH! Boy did I ever learn a lesson the hard way back in the mid-90’s on AOL. Should have known better … but figured it was from one of geekie friends who knew my very secure and sealed private email … so didn’t check and opened it up … UGH! It was so full of smarmy schmutz that horrified me and it went to EVERYONE ON MY “PRIVATE” contact list. Everyone giggled except ME. It has never happened again. I’ve sent a FLASH EMAIL on a regular basis to everyone, private, business, etc that I do not accept, nor will I open an email I don’t recognize or ANYTHING with an attachment … if you know me .. you know my phone number and you can call me and give me a “head’s up” before sending me an attachment (even if it is my original Birth Certificate or long lost Adoption Records! lol). otherwise …. delete is the SOP. Even when it’s someone I know well (a lot of my friends HERE) … I still right click the little “View” option before I open anything. Technology is WONDERFUL and the almost daily advances in the electronic pro’s and con’s does keep one busy and watchful ….and I’ve been beating hardware & software into complete obedience since 8″ floppies and 3/4″ tape media …. and I can spot a Trojan Horse at 50 paces to this day! lol

  4. Some of these can be stopped by changing your email password. The Justin situation is one of these. The hacker hasn’t hacked his email, only his Web email address book.

  5. One can’t be too careful. At the risk of seeming too paranoid, I never open strange emails and don’t click on links unless I am positive that they are legit. Even that won’t prevent all problems. I have a close cousin in the internet security business that warned me about spoofing some time ago. The bad guys are using the same techniques on the internet that they have used for years for phone scams but now they are blocking “reverse look-ups” and parading as doctors, hospitals, and insurance companies on both the phone and internet.
    Facebook is horrible but I have to use it some for marketing my books. Not long ago, one of my technically savvy young friends immediately realized that my account had been compromised because of a suspicious chat message supposedly coming from me. Someone had stolen my information and profile picture and created a fake account to look like me and sent messages to all my friends. Fortunately I immediately chanced to see the rat as “myself” trying to friend me and sent the fake me a very real message that they were messing with the wrong person and that they had been reported. My profile picture on the fake page immediately disappeared. I changed my profile picture and cover to bushes and trees. I posted to let all my friends know not to click on any duplicate friend requests from me or anyone else. (I fell for that once quite some time ago when the unscrupulous were trying to sell sunglasses and so I learned to always check my friends list before confirming a friend request.) Some of my friends and I reported the scam to Facebook and they removed the culprit within 24 hours. Unfortunately for some of my less technically experienced and older friends, they clicked on the friend request and had communication with the scammer before they realized what had happened and one got very upset. I had to walk some of my friends through what they needed to do and sweep up the mess. I don’t think there was anything I could have done to prevent it and I don’t have a couple of thousand friends like some of my friends do.
    Not long after that I started getting duplicate requests from some of my other friends. I let them know what was happening and learned how to report it and nip it in the bud. Haven’t had anymore trouble lately. I see spam in my email intended to trick or make ones curiosity burn. Deleted – “classmates” …”see who just posted your picture!” I see a lot of stuff on Facebook designed to collect all sorts of personal information with a pitch like, “Take this quiz and we will tell you if you are a genius!”
    When I was three or four years old my father would look out the window, point, and excitedly exclaim, “LOOK! There’s a purple people eater!” While I was looking, he would steal my French fries. I can overlook Dad stealing my fries but I certainly don’t want to sponsor any malicious terrorists.
    Thank you, Roberta, for your vigilance and reminding us all to think twice before you click once.

  6. For the most part it is easy to spot those emails due to their generic messages or their email address gives them away. I’ve received some about an account being closed in places I had no accounts. I can only imagine people who have accounts in those sites and assume it is a real email.

    Anyways probably one of the worst types of malware is crypto malware. My dad got his computer infected without realizing. He had gone to a site to watch some sports related video and when he was done, he noticed the desktop background was different. He couldn’t close it and decided to leave it. He later told me about it that day and I went over to check it out. It had infected most of the computer by then.

    What it did was encrypt specific file types such as images, word documents, etc. Files that are most likely created by the user and may be important and irreplaceable. The new background would have a countdown and a message. This malware holds your files for ransom. So it is also called ransomware. If you pay within the time allotted (a few days) it would unlock your files. Otherwise they were encrypted forever.

    Thankfully he had nothing irreplaceable on that computer. I would keep copies of such files in multiple places just in case. So I wiped the system and started fresh. So always keep a backup or two of your most important files because some day you will need that. Even if you are not worried about viruses or malware, your hard drive will stop working some day.

  7. This tactic is also used on FB messaging. The difference is that you don’t get much info to ring that alarm bell. Several months ago I got a friend request from a cousin of mine. She was already a friend, but I thought she had just set up a new account, so I accepted. Immediately afterward, I got a private message from the same cousin telling me about an amazing refinancing opportunity that she had taken advantage of and knew that I would also want to access. There was a link in the message to the “wonderful agent who found $20,000 worth of equity in her home.” Her message went on to say, “I’m just waiting for my check so I can start living it up.” I knew this had to be bogus. I checked my list of FB friends, and sure enough, I had two listings for my cousin. I had to delete them both to solve the problem, since I couldn’t tell which was real and which wasn’t. I don’t know what this particular scammer was after, but it wasn’t good.

  8. Roberta, you hit the nail on the head with this one. There HAS been a real uptick lately with this stuff. lkpkw, you said, “I’ve been beating hardware & software into complete obedience since 8″ floppies and 3/4″ tape media.” I may have you beaten. I worked with analog computers back in the late ’60s. My company was using email internally 5 or 10 years before it became widely popular. I acquired my first public email address in the 1990s. Been there, done that.

    Email headers and their protocols have changed some over the years but the basic info is still there. Everyone should do as you suggest, Roberta, don’t open links or attachments from unknown sources. In most email apps, regardless of the email protocol used, you can hover your mouse over links and email addresses to reveal their true nature. If a link for example says it’s from the IRS but hovering over it reveals that is isn’t from irs.gov, best delete the email. Mind you, the IRS, as well as other agencies of the federal government, have been known to secure a private contractor to send out bulk emails to large numbers of recipients. These would be informative and would not be asking for your personal information.

    If you suspect a bogus web link, hover your mouse pointer (BUT DO NOT CLICK) on the link. At the bottom of your browser window (for most browsers) the true identity of the link will be revealed.

    The IRS provides a handy website for reporting Phishing and other bogus emails: https://www.irs.gov/uac/Report-Phishing

  9. Sometimes you can’t even trust a logical attachment from a reliable source. I had received an email from my doctor with an attachment on weight loss. From my doctor! Reasonable, yes? It contained a virus and she had not send it, it turns out. Opening the attachment infected my computer and every email contact I had, received an email with attachment that likewise infected each of their computers. These hackers use email contact lists to deceive your friends into thinking the email cam from you. We should have an email police force!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s