A Sophisticated Email Scam: Beyond Password Changes
This post details a sophisticated email scam involving password theft, hidden forwarding rules, and manipulated 2FA settings, emphasizing the need for comprehensive account security checks beyond simple password changes.
Many people find themselves serving as informal IT support for family members. Recently, a relative experienced a sophisticated email scam that required extensive remediation.
Initially, the relative's email password was compromised. Family members subsequently received phishing emails requesting Amazon gift cards. The immediate response was to advise a password change, assuming this would resolve the issue.
However, the situation escalated when the relative reported not receiving any new emails. Upon investigation, a cleverly concealed email forwarding rule was discovered within the account settings, which also explained why no mail was arriving. The legitimate email address, for instance, johnsmith@something.com, was set to automatically forward all incoming mail to an attacker-controlled address like johnsmith1@gmail.com. The forwarding rule was deceptively labeled “Default Forwarding,” a name chosen to look like a built-in setting and evade detection by an untrained eye.
Further scrutiny of the relative's sent emails revealed that all outgoing messages had a 'reply-to' address redirected to another fraudulent email, johnsmith1@outlook.com. Crucially, this fraudulent address had also been established as the new two-factor authentication (2FA) recovery email for the account. This configuration ensured that any attempt to recover the account or any replies to scam emails would be directed back to the attackers, maintaining their control.
Fortunately, these malicious settings were identified and removed, and the account was secured. This incident highlights the critical importance of thoroughly examining all account settings when assisting individuals with compromised digital accounts: not just the password, but forwarding rules, the reply-to address, and the recovery and 2FA contact details. It serves as a stark reminder that attackers employ increasingly sophisticated methods to maintain access and control after the initial compromise.
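As an added example (not code from the original post), the following Python audit applies the post's checklist to a constructed mailbox-settings snapshot: it flags external forwarding rules, a reply-to that differs from the account address, and a recovery address that is a lookalike of the real one. The snapshot format, its field names and every address are assumptions for illustration, not any provider's real export.

```python
# Added example, not code from the original post. Audits a constructed
# mailbox-settings snapshot for the persistence tricks described above.
# The snapshot format and all addresses are invented for illustration.

def split_address(addr):
    """Return (local_part, domain), both lower-cased."""
    local, _, domain = addr.strip().lower().partition("@")
    return local, domain

def is_lookalike(candidate, legit):
    """True when candidate keeps the real local part ('johnsmith' -> 'johnsmith1') on another domain."""
    c_local, c_domain = split_address(candidate)
    l_local, l_domain = split_address(legit)
    return c_domain != l_domain and c_local.startswith(l_local)

def audit_mailbox(snapshot, trusted_domains=()):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    legit = snapshot["address"]
    _, legit_domain = split_address(legit)
    trusted = {legit_domain, *(d.lower() for d in trusted_domains)}
    findings = []
    for rule in snapshot.get("forwarding_rules", []):
        _, dest_domain = split_address(rule["to"])
        if dest_domain not in trusted:
            findings.append(f"forwarding rule '{rule['name']}' sends mail to external address {rule['to']}")
        if not rule.get("keep_copy", True):
            # Explains the 'no new mail arriving' symptom: nothing stays in the inbox.
            findings.append(f"forwarding rule '{rule['name']}' keeps no copy in the mailbox")
    reply_to = snapshot.get("reply_to") or legit
    if split_address(reply_to) != split_address(legit):
        findings.append(f"reply-to {reply_to} differs from account address {legit}")
    addr = snapshot.get("recovery_email")
    if addr and is_lookalike(addr, legit):
        findings.append(f"recovery email {addr} is a lookalike of {legit} on another domain")
    return findings

# Constructed snapshot mirroring the incident in the post (hypothetical field names).
COMPROMISED = {
    "address": "johnsmith@something.com",
    "forwarding_rules": [
        {"name": "Default Forwarding", "to": "johnsmith1@gmail.com", "keep_copy": False},
    ],
    "reply_to": "johnsmith1@outlook.com",
    "recovery_email": "johnsmith1@outlook.com",
}

if __name__ == "__main__":
    for finding in audit_mailbox(COMPROMISED):
        print("FINDING:", finding)
```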