Email Scams

That’s very likely where the connections came from.

If you haven’t already done so, I advise you to follow the recommendations given in articles about what to do if you’ve been pwned. Here’s a sample:

1 Like

Any breach makes for a greater likelihood of receiving spam, whether email or text. As our usual addresses are often used for many sign-ups and mobile numbers are used as well, it is something we need to expect but not accept. I use disposable email addresses when possible, noting that some sites do not accept disposable addresses. It is becoming more important to submit scam messages to the appropriate authorities and the email companies a person uses. As I noted before, filtering rules can help a great deal and it is easy to set some basic ones. If ever one is unsure, they can ask here on the site about some rules and how to set them up, as many of us are happy to help.

Found out how it works from one of the victims. She had her email account taken over, they changed the password and used her Contacts list to send emails asking for help. Many different messages, but the most damaging asked for money - gift cards etc - with the number or photo to be sent back by reply. The scammers then got other people’s money.

She’s a bit naive when it comes to technology, so she tried to change her password on Facebook, but her email was 2FA and the scammers used the new password to take that over and contact all her friends with messages of needing money. Her husband tried to help but only succeeded in losing control of his email & FB too. The landline has been ringing relentlessly as people try to make sense of it all.
A little relieved that it wasn’t my breach that caused this. But sad that this chaos is happening to a couple who are pillars of the local community and in every fundraising, not-for-profit endeavour in town.

2 Likes

That is one unfortunate story. Yikes.

Probably a very good reason for not having email for one’s multi-factor authentication.

:open_mouth:

Certainly a very good reason not to have just email address as the MFA recipient. Unfortunately, not all systems even now offer anything other than email or SMS for MFA. If they have MFA at all. :confused:

Some things to do with every account you set up, and with all accounts you currently have:

  • Check for MFA options. If there’s an option to get the code from an authenticator app, and you have a smartphone, use that option. Although a system might specify a particular authenticator app, in practice you can normally use any authenticator app that does TOTP (Time-based One-Time Password). You won’t have to install half a dozen different authenticator apps.

  • If there’s any option to generate pre-set ‘backup codes’ or ‘recovery codes’, use it. These are intended for emergencies when the account’s been compromised, you’ve forgotten the password, you don’t have access to the authenticator app, etc. Store these codes carefully - but not on your phone! Print it/them (without anything identifying the relevant account) and store in a filing cabinet, for example.

@zackarii - a backup/recovery code could have rescued your friend and her husband from the nasty situation they’ve been caught up in. Using a backup code, they could have changed the Facebook password safely when MFA to email had been compromised. Similarly, a backup code on the email account would have allowed changing its password and MFA settings safely.

Recovery codes for Facebook accounts:

Backup codes for Gmail accounts:

Recovery key for Apple IDs:

Many other systems have similar options.

1 Like

In the hands of the naive, MFA may add to the confusion and risk.

What I like about TOTP is that it can be completely offline i.e. if so, it cannot be attacked via technology (at your end). It can of course be attacked via so-called social engineering (and there have definitely been instances of people being tricked into revealing MFA codes).

I’m unclear on how that happened. The mere fact of knowing someone’s email username and password does not automatically get access to contacts. However there are factors to consider:

  • If you store your email on the server (/internet/cloud) (IMAP as distinct from POP) then the hacker does get access to every email that you have sent and received (and retained) and hence can extract some kind of contact list, and even focus on recent and frequent contacts who are more likely to reply.
  • If you use some kind of webmail interface and that interface allows you to maintain your contacts on the server (/internet/cloud) then the hacker may well get access to all your contacts, regardless of whether there is any accessible email to or from that contact.

Both of these are classic security–convenience trade-offs.

My answers are “no” and “no” - but that’s just me. :wink:


Slight digression … where I work, they test out employees with fake scam emails i.e. it is the IT team or the IT team’s security auditor sending out emails that won’t actually compromise you but which are designed to see how many employees will get sucked in, and then allows additional training to be targeted.

So now I have to contend with the many real scam emails and the fake scam emails. :frowning:

I am still getting messages from Contacts that indicate that scammers have taken them over. I am on a committee liaising with the Council and Main Roads on the town By-pass. Emails go out to us with addresses visible. I guess they only needed to hijack one (from a security breach or readily guessable password) and they had access to these addresses.

So far about 50% of the committee have messaged me, but obvious scams. Messages like "I need help, can’t talk have laryngitis / travelling / battery going flat / phone out of order … " If you reply the scammers ask for money in various forms. Now they have started sending photos or videos to download - I haven’t so don’t know where that leads.

The issue has moved to my Scouts contacts, even though I have not been a Scout leader for 10 years, my emails are gone, but they must be getting my contacts from people who kept my contacts. Now a Cousin we see regularly has lost her email. She has no idea why, but her ISP said she changed her password. Negotiations are on-going for her to get it back, but probably removal and a new email is the only way forward.

I am warning these people to change their FB password, but not through a reset to email. Some of those I have had contact with have lost their FB page, but most I have not spoken to as they have moved on from when I knew them. They try to get on to FB but get the “Not Logged In” and can’t see (probably a good thing…) what the scammers are doing with their page. Setting up a new page is difficult as FB say that 2FA etc is already linked to someone else.

Very frustrating, especially for people with large contacts lists, low computer literacy or scam awareness, (and for the scammers’ advantage) large social capital & community trust (ex-Mayor, OAM, District Commissioner etc). I wish there was more I could do for them.

That leads to download and installation of malicious software. Spyware and capturing login details and passwords; ransomware, and encryption of your data with a demand for payment to get it back; blackmail; and more.

A sad state of affairs. And not easy to fix.

There is a bug that can allow scammers and other threat actors to impersonate legit Microsoft emails. It appears to only affect Outlook users, but that is still a big slice of the pie with around 400 million users of the software. As far as I am aware no patch for the problem yet (as at 9 July 2024), so be wary.

1 Like

It’s a bit hard to tell just what level of spoofing this bug is doing and why it’d only affect Outlook.

But as usual,

  • Do not assume that the apparent email address of the sender as displayed by Outlook (or any other email client) is the real sender of the email.
  • Never trust an unexpected email from Microsoft, your bank, the ATO, etc. Especially don’t touch any links in the email. If you receive a ‘cold’ email from such an entity and it looks like it might matter, go to the relevant website via your browser and look for evidence there. If you don’t find any such evidence, treat the email as scam and delete it.
1 Like
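An added example, not part of any post in this thread: a small check over a message's raw headers that flags the usual signs that the displayed sender is not the real one. The two messages are constructed samples, `sender_warnings` is a hypothetical helper, and the sketch assumes the Authentication-Results header was added by your own mail provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()

def sender_warnings(raw_message: str) -> list:
    """Return human-readable warnings about the From header of one message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)
    warnings = []

    # 1. The display name itself shows an address from a different domain.
    for shown in re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display):
        if shown.lower() != from_domain:
            warnings.append(f"display name shows {shown}, real sender is {from_domain}")

    # 2. Replies would go to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        warnings.append(f"Reply-To points at {_domain(reply_to)}")

    # 3. The receiving server did not record a DMARC pass for the From domain.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "pass" not in re.findall(r"\bdmarc=(\w+)", results):
        warnings.append("no DMARC pass recorded for the From domain")
    return warnings

# Constructed sample messages (reserved .example domains, not real traffic).
SPOOFED = """\
Authentication-Results: mx.mailhost.example; spf=pass; dmarc=none
From: "Example Bank <alerts@bank.example>" <notice@mail-notice.example>
Reply-To: help@refund-desk.example
Subject: Unusual sign-in activity

Please confirm your details.
"""
LEGIT = """\
Authentication-Results: mx.mailhost.example; dkim=pass; dmarc=pass
From: "Example Bank" <statements@bank.example>
Subject: Your statement is ready

Log in via the website to view it.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, sender_warnings(raw))
```

A clean result only means the headers are consistent; an unexpected message should still be verified through the organisation's website rather than its links.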

Even this is not very clear. The linked article says “Outlook account holders”. So we may be talking about anyone using a Microsoft-hosted email address, and not talking about the software, Microsoft Outlook.

And if we are talking about the former, are we talking about “as receiver” or “as sender” or “both”?

I guess this is the trade-off in “responsible disclosure” i.e. too little information to be useful - so we just hope Microsoft FIXES IT.

2 Likes