I was a recipient of just this scam a couple of weeks or so ago (some may remember the email I received) and it’s interesting and probably helpful to understand how scammers can show a legitimate email address in the From box. This partial explanation is from the Malwarebytes website.

A highly sophisticated email scam is targeting PayPal users with the subject line of “Set up your account profile.” We decided to see what the scammers are after.

First thing to do is to look at the headers:

You received this message because you are subscribed to the Google Groups "Sussex Mac User Group" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion, visit https://groups.google.com/d/msgid/smug/2841D2B5-5329-4242-8ACA-C41B752370D9%40mac.com.
The sender address [email protected] (sometimes the emails come from [email protected]) looks legitimate because it is, but the scammers have spoofed the address. Basically, when someone sends an email, their computer tells the email system what address to show as the sender. Scammers take advantage of this by using special software or programs that let them type in any “From” address they want. This technique is called spoofing. The scammer sends their email through the internet, and since most email systems aren’t strict about checking this information, the fake sender address is displayed just like a real one would be. So it’s hard for the everyday user to tell if the email has been spoofed or not.

There are other signs that the email might be a scam though. There is the unusual recipient address, which is nothing like the one of my co-worker. Rather than targeting one individual, scammers set up a distribution list (often using Microsoft 365/Google test domains) with their own domain or, in this case, a compromised one. This allows them to send bulk phishing emails while masking their intent, but does mean that recipients see an unfamiliar address, e.g. {somebody}@{unknow-domain}.test-google-a.com, instead of their own. The “.test-google-a.com” part of the address refers to a domain often used in testing or in cloud setups through Google Workspace, but in the context of this scam email, it’s a strong indicator of malicious activity or advanced phishing techniques rather than official Google practice.

So, that’s red flag #1.

Nick

Sent from my iPad
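A way to check a message for the signs discussed above, as an added example that is not part of Nick's post or the Malwarebytes write-up: the Python below parses a constructed sample message (every address, domain and Authentication-Results value in it is a made-up placeholder, and the spoofed From address is assumed to be on paypal.com since the real one is redacted above) and reports the From/Return-Path mismatch, the failed DMARC check and the .test-google-a.com recipient the post describes.

```python
"""Check an email's headers for the spoofing signs described in the post.

Added example, not from the original post or the Malwarebytes write-up.
The raw message below is constructed; its domains, addresses and
authentication results are placeholders, not real headers from the scam."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From header claims paypal.com, but the envelope
# sender (Return-Path) and the receiving server's authentication results
# tell a different story. All values are placeholders.
SAMPLE = """\
Return-Path: <bounce@example-bulk-sender.invalid>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-bulk-sender.invalid;
 dkim=none; dmarc=fail header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: someone@unknown-domain.test-google-a.com
Subject: Set up your account profile

Body text.
"""

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of a header address, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()

def auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc results out of an Authentication-Results header."""
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I)}

def spoofing_flags(raw: str) -> list:
    """Return the red flags found in the message headers (empty list if none)."""
    msg = message_from_string(raw)
    flags = []
    from_dom, path_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    # The displayed From and the envelope sender disagree: the classic spoofing sign.
    if from_dom and path_dom and from_dom != path_dom:
        flags.append(f"From domain {from_dom} != Return-Path domain {path_dom}")
    results = auth_results(msg.get("Authentication-Results"))
    if results.get("dmarc") == "fail":
        flags.append("DMARC failed for the From domain")
    if results.get("dkim", "none") != "pass":
        flags.append("no valid DKIM signature")
    # Red flag #1 from the post: recipient address on a Google Workspace test domain.
    if domain_of(msg.get("To")).endswith(".test-google-a.com"):
        flags.append("recipient address on a .test-google-a.com domain")
    return flags

if __name__ == "__main__":
    for flag in spoofing_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Real mail clients show only the From line, so a check like this has to run on the raw source (View > Message > Raw Source in Apple Mail) or on the receiving mail server.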
