Forged email scam

Not this particular scam but there is an annoying email scam going around where the creeps (polite version!) have my email address, as a recipient, plus the name (but not email address) of someone I possibly know. So the email arrives apparently from that person. It asks me to click on a link to see some photos.
So far these emails are ending up in Spam and, of course, I don’t click on the link. The sender/return email address is currently from Brazil (.br) but I realise that any sender address can be spoofed.
This type of scam could easily trick less savvy recipients.

Or when somebody, regardless of savvy, is in a rush, distracted, or tired. This is why I think it’s good to check with the claimed sender whenever an unexpected or odd-feeling message appears.

Sadly, these have been going on for over a decade.

The scammer has data from some well-known breach of a social media site. Facebook is often the one used. This gives the scammer not only a huge list of names and e-mail addresses, but also the list of friends for each of them.

So even if you don’t have an FB account, if someone else has an FB account and has incldued you on their friends list or in the set of e-mail addresses they uploaded (remember how social media networks ask you to do this so they can solicit people you know), the scammers know that the two of you have a relationship of some kind.

They then send you their scam-mail with your friend’s name as the sender. Using a scam-account as the return address, so if you blindly reply, you will be talking to the scammer instead of your friend.

I’ve never gone further than deleting the messages, but I assume every link in the mail, including the “photos” are links to malware so the scammer can take over your computer and do real damage.

There’s not a lot you can do to avoid receiving this (although a mail account with good spam filtering helps enormously), but there are some things you can do to avoid getting taken in. One is to configure your mail client to always show you the full e-mail address of senders, not just the friendly name. If you get a message from your mom, but the address is from a random-string mailbox belonging to an ISP from Upper Slobobia, you can be sure it’s not really your mom.

Or just delete it all. :slight_smile:

I’m reminded of a quote (I think it was Erma Bombeck): “Never answer the phone. If it’s important they’ll call back.”

2 Likes

Thanks David. Is there a way to do this with iOS Mail?
In any case, my understanding is that sender emails can be falsified so the scenario of a scammer knowing the sender name and email (eg from Facebook) is still a risk.

In addition to social media, any site, especially email providers (all want to import contacts from address books at first registration) and alumni directories, can be a source for friends-and-family information.

I don’t know of a way. But when you’re viewing a message, you can tap on the sender’s name twice to get a contact card containing the information from the mail.

I know that on the desktop, Thunderbird will show you the full name and address, giving you the option to hide the address for people in your contacts:

Yes. Anything in the mail header can be spoofed. So seeing the correct address is not proof that the sender is real. But seeing something obviously wrong is proof that the sender is fake.

Based on Apple Discussions, it turns out that users have been requesting this feature (showing sender email address) for iOS Mail for many years. The only action, it seems, is to submit “feedback” to Apple. This is made more difficult because iOS Mail is not listed on the Apple Feedback page:

I ended up submitting the feedback to macOS Mail!

I wonder if something like this should better go to iPhone under “Feature Request”. I suppose Mail is considered part of core iOS so it doesn’t get its own app section under iOS (?).

That page is unnecessarily confusing and has been so for a while I’m afraid. Either they should add a couple of the obviously missing categories or else at least introduce a more obvious catch-all.

One way of seeing the full e-mail address of the sender, and the rest of it in raw ascii format, is by pressing the Option key while dragging the mail from the e-mail window to the TextEdit application. It is handy when you absolutely want to know what is in it but don’t want to open it in the Mail app.

What’s wrong with choosing this?
View > Message > Raw Source (Opt-CMD-u)

Thank you but my issue is with iOS Mail. If I am not sure of a sender address when using my iPhone I have to go to my Mac computer and open Mail on it to see the details.

1 Like

With iOS Mail, you can check the sender address (that is, what appears in the “From:” header line - which could still be forged) with a few taps. But you do have to first open the message:

When the message is open, tap the sender’s “friendly name” in the header section:

When you do, the header lines will turn to links. Tap the sender’s link:

Mail will then show a contact card for the sender. You’ll see the address there:

If you want to keep this address as a contact or add it to an existing contact card, you can do so from there. Or if you just tap “Done” (in the upper-right corner), it will just close the card without saving it.

This does require you to open the message, but that should be safe if you disable automatic image loading (as I do - note the link to load images at the top of my screen-shots).

Thank you. I used this method to discover that the forged email was (apparently) from Brazil.

However if the email address is in your Contacts data and that contact has several email addresses there appears to be no way to easily see which email address was used.

This is important because genuine emails from that contact might not use a “public” email address like Gmail for personal emails. I would be wary of a forgery if that address was used.

It should be simple for Apple to provide a setting to display a sender’s email address in iOS Mail.

1 Like

I just checked a few saved emails from people in my contacts with multiple addresses. When I tapped the name in the message and went to the contact info, the email address that was used to send the message was marked “RECENT”. This was true for several emails from the same contact using different email addresses. It looks pretty reliable to me.

1 Like

I regularly send news links to myself using a “non public” email account. Here is the resulting header from my Inbox:

IMG_4932

When I click on the top carat > my contact card is displayed and lists several emails. Only the iCloud address is marked recent. The one I used to send the email (green arrow) is not marked.

Update: I got confused about which account I used to send the email - see below

Strange. My experience has been identical to @ddmiller’s.

I assume your outbound mail client isn’t using your iCloud address in the message’s header. Can you check the headers (from a different mail client) to see what address is used by the From: header? Is it your green-arrow address or one of the others?

Ah… I got confused. I sent the email from iCloud to my VDR account. When I look at an email from that account it is the one marked “recent”
I will retain the images above for reference.
Cheers

Shamino’s “how to” see the sender’s address in iOS/iPadOS Mail is excellent. However, before you start fiddling with email messages (or, better, before you receive any questionable messages in Mail at all), I highly recommend turning on certain Mail Privacy Protection settings on iOS/iPadOS as follows:

in Settings > Mail > Privacy Protection do not jusst turn " Protect Mail Activity on. Instead, turn on both of these:

Hide IP Address
Block All Remote Content

The second one won’t automatically be turned on if you just turn “Protect Mail Activity” on. Because some people will find it annoying with remote content not automatically loading as they browse their email messages in Mail.

If there is any remote content to load, on the top of that message you’ll see a note that:

Message contains unloaded images.
[and a link to] Load All Images

The corresponding settings for Mail on MacOS (Sonoma, at least), are in: Mail > Settings > Privacy.

And, yes, I do run with all of those set (in all my mailing programs’ settings). All of the time.

Bob

Yes, forged email scams have been going on for over a decade. But the volume and sophistication have recently been increasing. Three flavors for sure:

  1. You suddenly find yourself apparently CC’ed (or BCC’d) into a conversation between someone with whom you’ve previously swapped email addresses with. Curiosity may tempt you to either:

A. Reply to the sender (and/or the other apparent participant) asking what’s up.
B. Or clinking on a link within one of the messages.

Don’t. If you want to contact your friend, do so “offline” in some other way, or at least by originating a message to what you believe is their real email address. Because one (most likely both) of the parties’ email addresses is either being spoofed or intercepted.

  1. You get one or more messages from someone responding to some sort of invitation that you never sent. The sender is most often [someone]@gmail.com that you’ve never heard of before. You may be tempted to respond with “What??”. Don’t. This is a teaser from a spammer – you’ll be corresponding with the spammer and giving them at least a bit of personal information (e.g., your return email address, IP address (and location).

  2. A message – which certainly looks authentic – to “Renew Your Premium Membership” from Spotify or some other service, saying something like “your payment wasn’t successful, so we’ve temporarily paused your subscription” accompanied by a button to “RENEW NOW”. Whether or not this is a service you’ve ever subscribed to or not, you may be tempted to click on that button. Don’t, at least not until you’ve looked very carefully at the raw source of the message and can determine exactly where that button will lead you to. And, oh yeah, where was the message actually sent from?

There are probably other variations, but these are the most recent that I’ve seen sent to an email address of mine that I hardly ever use – where I treat each and every message with suspicion.

Bob

1 Like

Honestly I am fine with just protect email activity on. It hides enough from the sender that any message I actually open - it’s rare when I open mail on iOS from senders I don’t recognize, advertisers, etc. - that having remote content turned off becomes more annoying than it’s worth to me. As they say, you may feel differently, but that setting is good enough for me.