Thursday, October 12, 2017

How to recognize a scam - Email will be deactivated

How to: Recognize a scam email.  "Your request for EMAIL deactivation..."

A good friend of the family hosts their own email server at their business.  They received the following email, threatening to delete their business account if they did not act.  The message: 

Our record indicates that you recently made a request to deactivate email And 
this request will be processed shortly.

If this request was made accidentally and you have no knowledge of it, 
you are advised to cancel the request now. 

However, if you do not cancel this request ... your email data 
will be lost permanently

There was panic and mayhem...

This email was a scam. But, to the uninitiated, it is scary
and your first inclination is to click the big, important
button and make the problem go away.

What to look for


  • The "From" line was empty or was not your email service provider.   In this case, the From line was blank, but be aware it could be your normal email provider (Hotmail, Outlook, Yahoo, etc.)
  • "Your request for email deletion...." was unexpected.  Any unexpected, out-of-the-blue email should be met with great skepticism.
  • Bad grammar.   I am constantly amazed at how badly the sentences are constructed and mistyped.  "you recently made a request to deactivate email And this request will be processed shortly" -- nobody would write a sentence this clunky And capitalize the word "And".
  • The email has one button - one easy, but urgent button.  You had better click it now or else bad things will happen.  This is a clue you are being scammed.
  • With a PC client, you can hover over the button and see the real link; in this case, ""  Who is this?  Certainly not your email provider. 

    We didn't click the link.  It could be an innocent advertisement, but more likely, it will ask you to confirm your email address and ask you to login.  When you do, you will probably lose control of your email account. 
  • The link can be disguised.  If you were a gmail user, the link could look something like this:


    All the stuff in front, no matter how official-looking, can be ignored.  Only the (.com) domain-part of the address is important.
  • The closing was again vague, "Email Administrator", but it could have a Google graphic, with Google's address, legitimate phone numbers, and all kinds of official stuff.
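
The hover check from the list above, done in code, as an added example that is not part of the original post: it pulls every link out of an HTML message and reports the ones whose real domain is not the provider you expect. The sample message, its hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: short hand-made list; a real checker loads the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(url):
    """Return the domain part of a link, ignoring everything in front of it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body, trusted_domains):
    """Return (text, href, real domain) for links that leave the trusted domains."""
    collector = LinkCollector()
    collector.feed(html_body)
    found = [(text, href, registrable_domain(href)) for text, href in collector.links]
    return [link for link in found if link[2] not in trusted_domains]

# Constructed sample; hosts are made up and use the reserved .example TLD.
SAMPLE = """
<a href="https://accounts.google.com.mail-verify.example/cancel">Cancel De-activation</a>
<a href="https://accounts.google.com@mail-verify.example/cancel">Sign in</a>
<a href="https://accounts.google.com/signin">Google sign-in</a>
"""

if __name__ == "__main__":
    for text, href, domain in suspicious_links(SAMPLE, {"google.com"}):
        print(f"{text!r} really goes to {domain}: {href}")
```

The first two sample links both start with an official-looking "accounts.google.com", yet both resolve to the made-up domain; only the third stays on the trusted one.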

What to Do

This email can be safely ignored.  Delete it with no action, provided you didn't click the link.

If you clicked the link, and provided your login credentials, you are in trouble. 

a.  As soon as possible, log in to your email account and change your password.

If you cannot log in, contact your email administrator and try to reclaim your account.  Or with many email providers (Gmail, etc.), try the "Forgot password" or "my account has been hacked" links. See the end of this article for more help.

However, many thieves will leave your original password; see below.

b.  Check the email's forwarding rules to make sure your emails are not being forwarded to a third-party. 

Sometimes the crooks will compromise the account, leaving the password untouched -- but they use a vacation rule to forward all mail.  If you can't find this feature, look harder; it is there.

c.  Consider looking in your Outbox for unusual activity.  The better thieves will keep this clean and leave no evidence.

d.  Look for a login history (for example, Google and Android have this in your myprofile area).  It will show which cities the account was last logged in from.  Naturally, you must be logged in to see this.  You might be lucky and they've not had time yet.

e.  Seriously, enable two-factor authentication for your email account (sometimes called 2FA, or MFA, multi-factor authentication) and tie the login to your phone.

f.  If you know you were compromised, contact everyone in your address book and advise them to be suspicious of any unexpected emails sent by your account.

g.  If you have other accounts that share this same password, such as Amazon, Gmail, Twitter, etc., do these same steps to re-claim those accounts.  Do not re-use the same password on other accounts.  

See this helpful article:  Keyliner Better, Stronger Safer Passwords


Many of us now read email on a phone or tablet client.  The trouble is, you can't hover over the "link" to see where it is going.  If reading email on these smaller clients, do not click links until you can view them on a desktop or laptop.  But still, unsolicited, unexpected emails should make you think twice, if not three times.

Hosted Good

My friend hosts his own email server and it is old and out-of-date.  In other words, he is managing his own email system.  Because of this, he loses the benefit of having a global email provider's smart algorithms.  Hopefully you are not in this situation.  He now has more impetus to move his email to a hosted vendor.

When he forwarded the message to my email, I could not find it.  My ISP hid it deep within the SPAM folders.  The email was marked as "Read" so I wouldn't bother looking for it.  Not bad.

When the same email was forwarded to Gmail, Google did this:
My office email would have replaced the "Cancel De-activation" link with the actual link.  I wish all email clients did this.  It is really handy.

All three of my email accounts protected me in one way or another -- but diligence is still needed in case they miss the target.  My friend was lucky; the clicked link on the phone went nowhere, but I bet from a desktop client, it would have been more exciting.


Imagine if my friend had two-factor authentication on his email account.  Even if the crooks infiltrated his email account, having both his login-ID and password, they still could not log in without his cell-phone.  Two-factor is not perfect, but it is better than a standard password.

I am reminded of a text message on my phone a few years ago, saying my "gmail account had been hacked.  Click this link to restore your password."   I laughed.  I was not hacked.  I didn't even bother checking my account.  I used 2-factor-authentication and they could not get past my phone.  I deleted the message and wrote an article.

He had a few moments of fear, thinking his business email account was about to be deleted, but once we saw the message, finding all of the inconsistencies and oddities, our fears were allayed.  We deleted the message and went about our day.

See these related articles:

Keyliner Better, Stronger Safer Passwords
Keyliner: Using Google's Two-Factor Authentication
Keyliner:  Your Gmail account has been hacked
Keyliner:  Gmail Protection Steps

Google Account Compromised
Google has these instructions if your account was hacked and the password was changed: