Good grief.
Scammers tried to trick me again. And once again, their sophisticated methods surprised me, someone who sniffs out scams for a living.
I received an email purporting to be from a bank. It’s the same bank that actually holds my mortgage, and my husband has a credit card with the bank, too.
I’m not naming the bank because really, this could happen with any bank. Let’s call it Bank ABC for now.
Legit notifications from that bank do come for me by email, so I took a look. It was sent from “noreplyemail1@BankABC.com.”
This one had a subject line that said: “Activity Alert – See details about your recent activity.”
The message, complete with the bank’s logo, said a new address had been posted to my credit report.
My address? That sent chills down my spine.
Two years ago, someone changed my mailing address so that all of my mail would be forwarded to an out-of-state address. Imagine the bounty a scammer might get if the postal service forwarded statements from my financial accounts to their door.
We got lucky. Really, really lucky.
First, most of my statements don’t come through the mail, but instead, I receive them electronically — so my mailbox isn’t usually a treasure trove for thieves. I’m also signed up for Informed Delivery, so I get a daily email from the U.S. Postal Service detailing what pieces of mail I should expect to be delivered each day.
Informed Delivery said a personal letter and a gas bill were coming, so when they didn’t arrive, I realized something wasn’t right. A visit to the post office revealed that someone, somehow, had actually told the postal service to send my mail somewhere else.
We notified the Postal Inspection Service, which opened an investigation, and our mail was redirected back to our home.
And just in time.
We received an unexpected debit card for a new bank account that was opened in my husband’s name.
Fortunately, it was delivered to us instead of to the scammer. We were able to get it all canceled with no negative consequences to our credit.
Back to this email that said our address was changed.
Rather than click on the link offered in the email — something you should never do — I logged in to our mortgage account to see if there were any changes. Nothing had changed.
My husband had to get on the phone to check on the credit card account. Nothing had changed there, either.
Okay, so this was a scam attempt.
But what of the email address? It had no misspellings. It was clearly “@BankABC.com.”
It turns out that hovering your mouse over an email address isn’t always enough to reveal the true sender, said David Opderbeck, a law professor and co-director of the Gibbons Institute of Law, Science & Technology at Seton Hall University.
“Internet protocols do not provide mechanisms to confirm that the visible content is consistent with the hidden routing information,” Opderbeck said. “Because of this, it’s easy to forge a visible `from’ line that is not actually the domain from which the email originates.”
He said cybercriminals can do this at scale for large batches of phishing, spearfishing and spoofed emails.
But, he said, most email programs allow you to view hidden metadata so you can confirm an email’s authenticity, but you’d have to know where to look and what to do, which might not be feasible for everyone.
Instead, you can use added protections provided by some email services.
Gmail, for example, offers “enhanced pre-delivery message scanning option.” With this, when Gmail detects suspicious content, “message delivery is slightly delayed so that Gmail can do additional security checks on the message,” its help site says. But it’s not automatic. You, as the user, would have to activate the function.
Some email services, and companies that offer anti-malware and anti-spam services, offer similar functions, Opderbeck said.
But nothing is foolproof, and scammers are always looking for ways to up their games and beat protection technologies.
That’s why the best prevention is education and vigilance, Opderbeck said.
“Understand that service providers such as banks and medical providers will not send unsolicited emails seeking personal information,” he said. “If you have any doubt about whether an email is authentic, give the purported sender a call before opening it or clicking on any links.”
Good advice.
The day after I finished writing this column, I received another email with the same bank logo.
This time, it was alerting me to a mortgage escrow shortage.
The “from” address was less convincing than the first spoofed email: BankABC@eBankABC.com.
But the creepy part? It showed the last four digits of our mortgage account number. It also said it made a property tax payment to my actual town, and it gave the date and an amount.
That was a lot of detail. So I logged in again to my online account. Interestingly, our escrow history showed a different amount was paid to the town for several quarters, but a payment made nine months ago was for the exact amount indicated in that email.
Creepy, indeed.
Please subscribe now and support the local journalism YOU rely on and trust.
Karin Price Mueller may be reached at KPriceMueller@NJAdvanceMedia.com. Follow her on X at @KPMueller.
