Yesterday I received a query from a client about a suspicious email, included below. This client uses Hostgator as a hosting service for both their website and email. My response follows the message.
 
Message follows:
> -----Original Message-----
> From: WEBMAIL ADMINISTRATOR [mailto:WEBMAIL ADMINISTRATOR]
> Sent: Tuesday, February 16, 2016 9:47 PM
> To: Recipients
> Subject: ***NOTIFICATION ALERT WARNING**PLEASE URGENTLY*
> Dear Webmail User,
> Due to excess abandoned Webmail Account, Our Webmaster has decided to 
> refresh the database and to delete inactive accounts to create space 
> for fresh users. To verify your Webmail Account, you must reply to 
> this email immediately and provide the information below correctly:
> Email: 
> Password: 
> Verify Password:
> Failure to do this will immediately render your Webmail Account 
> deactivated from our system. Webmail Database refreshing shall 
> commence once a response is not received within 48hrs.
> Thank You!
> Web Admin Support Center
 
My response was as follows:
"This is a classic if clumsy phishing attempt.  No provider is going to ask you for your password in an email.  Hostgator isn't going to ask you to do this – at worst they'd start charging you for disk space usage.  They don't care if you have a thousand abandoned accounts."
"By the way, another clue would be that the message was composed by someone for whom English is not their primary language – phrases like “PLEASE URGENTLY,” “excess abandoned Webmail Account” (no plural) and “Failure to do this will immediately render your Webmail account deactivated” – all awkward phrases.  In the case of the last one, “immediately deactivated” is designed to scare you into acting without thinking – “immediate” doesn’t make sense because they don't know when you've read the email and wouldn't be able to "immediately" deactivate the account.  The other thing to look at is the headers on the original message.  When you get stuff like this, if you could send it to me as an attachment rather than reply-to or forward, then I’d get the header along with the message and could tell you a bit more, such as which account it was sent to, where it originated, and so forth.  It’d be good to get the reply-to: address to report it to the FBI, even if they’re not likely to do anything.
But yeah, it was a phishing attempt.  Never, I mean NEVER send your login/password to anyone in an email or otherwise give account information to anyone.  Even if the email was from someone you think you know, it could be forged or the email account could be compromised.  Don’t even reply to something like this – it just confirms to them that the address is valid.  Legit businesses will never ask you for your password."
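
The header check the response describes, as an added Python example that is not part of the original post or response. It unwraps a message that was forwarded as an attachment and reads the delivery address, the Reply-To address and the earliest Received hop; the sample message and every address, host and IP in it are constructed placeholders, and `attached_original` and `triage` are hypothetical helper names.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a "forward as attachment" wrapper with the suspect mail
# as a message/rfc822 part. Addresses, hosts and IPs are made-up placeholders.
SAMPLE = """\
From: client@example.org
To: consultant@example.net
Subject: Fwd: suspicious email
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org; Tue, 16 Feb 2016 21:47:05 -0600
Received: from unknown (HELO sender.example.com) (203.0.113.7)
\tby mx.example.org; Tue, 16 Feb 2016 21:47:03 -0600
From: WEBMAIL ADMINISTRATOR <admin@sender.example.com>
Reply-To: collector@mailbox.example
Delivered-To: client@example.org
Subject: ***NOTIFICATION ALERT WARNING**PLEASE URGENTLY*

Dear Webmail User, ...
--b1--
"""

def attached_original(raw):
    """Return the first message/rfc822 attachment, or None if there is none."""
    wrapper = email.message_from_string(raw, policy=policy.default)
    for part in wrapper.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None  # inline forward or reply: the original headers were not kept

def triage(msg):
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    return {
        "delivered_to": str(msg.get("Delivered-To", "")),
        "from": sender,
        "reply_to": reply_to,
        # Relays prepend Received lines, so the last one is the earliest hop.
        # Only lines added by your own provider's servers are trustworthy.
        "earliest_hop": hops[-1] if hops else "",
        "reply_to_differs": bool(reply_to) and reply_to != sender,
    }
```

A `None` from `attached_original` means the message arrived as an inline forward or reply, which is why the response asks for it as an attachment.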