Because spam, of course.
Some years ago, while I was away on a business trip, my wife received this email:
From: Leo A. Notenboom [mailto:********@yahoo.com.sg]
Sent: Thursday, September 13, 2012 10:10 AM
To: ****@*********.***
Subject:

http://********.av.tr/cheeseblind/davidmiller24/?/b34a/
I’ve used asterisks to obscure a few things, but the essence is this:
- The From: line displayed my name.
- However, the From: line also showed a completely random, unrelated email address that most definitely was not mine.
- The email was sent to my wife’s email address.
- The email message had no Subject line.
- The email message consisted of only a link.
Because we communicate a fair amount by email when I travel, she thought it was from me and clicked the link.
Whoops.
I’ll describe what I did next and what this appears to be… and perhaps reassure you a little about what it is not.
Email from you, but not?
Spammers often send misleading emails that appear to come from someone you know. This email spoofing tries to trick you into clicking harmful links. It’s not caused by viruses or hacks; it’s just spam. Be cautious.
What I did next
My wife realized right away what had happened; it was some kind of “get rich quick” thing. She immediately did the right thing: she closed the browser, instant-messaged me about what had happened, and stopped using the computer.
As soon as I had a chance, I connected remotely and began a series of scans.
- I made sure the anti-malware database was up to date.
- I ran a “quick” scan, which turned up nothing.
- I ran a lengthier “full” scan, which turned up nothing.
When all the scans failed to find anything wrong, I decided that we’d probably dodged a bullet. I told my wife she could use her machine but to keep an eye out for any odd behavior.
There could still be malware involved. But with scans showing nothing, I felt it safe enough to play the odds.
This is not the result of a virus or a hack
In this scenario, many people would assume that someone’s computer is infected and that malware is to blame. They would think that either my computer or my wife’s was infected and that the email sent to her was a result of that infection.
Not so. Almost all email-spoofing scenarios we see these days have nothing at all to do with malware.
If you get spam from someone you know, it’s more likely that their email account has been hacked. But that’s not the case here, either.
The clue?
Regardless of the fact that my name was displayed, the email did not come from my email address, and thus it did not come from my email account.
There were no account hacks involved in the creation of this spam.
So what is it?
It’s nothing more than spam
Hackers have one goal when they send you spam: to trick you into opening and acting on the message. Here, that means they wanted the recipient to click the link.
And that’s exactly what happened.
The technique they use is to make the spam look like it came from someone you trust. It looked like it came from me (at least from the name displayed), and thus my wife trusted it.
That’s all this is: spam. It is misleading spam crafted to evoke trust.
Spam. Plain and simple.
Connecting people who know each other
The thing that might be confusing is how spammers connect people who somehow know each other without having access to things like email address books.
They were able to identify my name as belonging to someone my wife would know, and to send that message to her email address.
But they didn’t spoof my email address as well; just my name. That tells me that they don’t have my email address — at least not as part of this particular approach to spam.
So how’d they do it?
Could be a data breach. Could be public information, could be something shared via social media, could be just about anything someone could run across associating my wife and myself.
Bottom line: classifying the problem
Naturally, as spammers get more creative, things get more complex.
- If something that looks like it might be spam displays a From: name that you know but an email address that you do not, it’s just spam. Mark it as such and move on.
- If something that looks like spam displays a From: name that you know and an email address you recognize as belonging to that name, it still may be spam. Look carefully at the contents of the message to confirm that it could likely have been sent from them.
- If you are unsure, don’t click on any links.
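The From: check from the list above, written out as an added example (not code from the original article): it compares the display name and address against an address book, and also flags the empty subject and link-only body seen in the message described earlier. The `KNOWN_CONTACTS` address book, the function names, and every address and URL in the samples are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book: display name -> addresses known to belong to that person.
KNOWN_CONTACTS = {"leo a. notenboom": {"leo@example.com"}}

URL_ONLY = re.compile(r"^\s*https?://\S+\s*$")

def classify_sender(msg, contacts=KNOWN_CONTACTS):
    """Apply the From: test: the name is known, but is the address known too?"""
    name, address = parseaddr(msg.get("From", ""))
    known = contacts.get(" ".join(name.lower().split()))
    if known is None:
        return "unknown-name"
    if address.lower() not in known:
        return "name-spoofed"            # familiar name, unfamiliar address
    return "name-and-address-match"      # can still be spam; read the content

def assess(raw_message):
    """Return (sender verdict, content red flags) for one raw message."""
    msg = message_from_string(raw_message)
    flags = []
    if not (msg.get("Subject") or "").strip():
        flags.append("empty-subject")
    # Only plain single-part bodies are inspected in this example.
    body = "" if msg.is_multipart() else msg.get_payload()
    if URL_ONLY.match(body):
        flags.append("link-only-body")
    return classify_sender(msg), flags

# Constructed samples; every address and URL is a placeholder.
SPOOFED = (
    'From: "Leo A. Notenboom" <someone-else@mail.example.net>\n'
    "To: recipient@example.org\n"
    "Subject:\n"
    "\n"
    "http://link.example.net/path/\n"
)
GENUINE = (
    'From: "Leo A. Notenboom" <leo@example.com>\n'
    "To: recipient@example.org\n"
    "Subject: Flight landed\n"
    "\n"
    "Made it to the hotel. Call you tonight.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, assess(raw))
```

A "name-and-address-match" verdict only means the From: header is consistent with the address book; as the second bullet says, the content still has to be judged.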
Do this
Be cautious. Think twice before clicking on links or opening attachments.
Hi Leo
Excellent article – thanks! We have a problem that is slightly different and hope you can help. My wife has been receiving emails from people saying they have received emails from her, and like the case above they have the from name correct but not the email address. The big difference is that these have been replies to emails that have been sent to my wife! I have scanned her PC with Malwarebytes, Avast and the Microsoft tools without finding anything, and there is nothing in the sent folder.
The only thing that I can think of is that the emails are being intercepted somewhere along the way – possibly at our ISP. Have you heard of this happening before, and what can we do next? I have changed her email password to something extremely complex, perhaps that will do the trick.
Cheers
Richard
While possible, I’ve never heard of interception actually happening. From spoofing, on the other hand, is common and trivial for spammers to accomplish.
I have a question, hope it’s okay to ask here. On certain sites I can’t register with my email address and it always says “you can’t register with this email address” and no, I didn’t register with that email before so that’s not the case. It is true that I do have a lot of spam on that email and thought maybe they are seeing my email address as spam. Do you know maybe what could be the case?
I’ve most often seen this when people register using email addresses from “untrusted” domains. I’ve seen sites not allow @hotmail.com addresses, for example. But there is no general answer to this — it’ll vary from site to site. You might reach out to the site owner to see if they can explain.
Thank you for the answer, Leo. Is it maybe possible I registered and because I didn’t use it for a long time they decided to block my email?
I would expect the message to be clearer: “this email address is already in use” or something like that. Again, all I can suggest is you reach out to the site owner for more details.
Other red flags in that email which Leo mentioned but didn’t include in the bulleted list:
* No subject line – not a sure sign of spam, but it’s a red flag
* Only a URL with no text in the body of the email. Almost a sure sign of spam unless you’re expecting a link from that person.
For the case where I receive an email message from someone I know, I always check the sender’s address and name. If either is wrong, I simply delete the message. If everything looks correct, I call my friend/family member to ensure they sent the message; if they did, I read it; if not, I delete it.
I’m fortunate in that I have time to take this extra step. Many don’t, so if you’re in that group, at least take the time with each message, when you open it, to NOT click any links without checking the URL they’ll take you to. Unless the label on the link relates appropriately to the URL (e.g.: a URL of [Url removed], and a label that refers to [removed]), DON’T CLICK! Instead, mark it as spam.
Ernie (Oldster)