Dave! I got an email last night saying that my email was on hold because it was being migrated to a new server and I needed to verify my account. I’m suspicious by nature, and it smelled fishy. Do you think it’s legit or a scam of some sort?
While it’s theoretically possible that your hosting company is migrating email servers from one computer to another, this is not something that you’re going to be aware of, nor would they inform you. Your web site, email server, and other online services are constantly moving around, actually. If they use Amazon Web Services, it might be served by a different virtual machine for each email message or web image! Conclusion: Odds are extremely good that it is indeed a scam, or a type of spam known as a “phishing attack”.
What, I can hear you asking, is a phishing attack? It’s an attempt to have you give up some critical information, typically login credentials for a website, business, or online service. Imagine that criminals get your account info – and password! – to your bank account, then log in and transfer your entire balance to their own account. A nightmare! As a result, your attitude of being suspicious about odd email you receive is critical for modern online safety. Well done!
As it transpires, I actually have also received a very similar email about my mail server being “migrated”. Let’s go through my process of verifying it’s bogus and you’ll see how you can do the same.
THE EMAIL MESSAGE: MIGRATION!
Going through my email, a message like this certainly gives me a moment of concern:
“Click to migrate” seems reasonable, right? Wrong. There’s a lot that’s already wrong with this message, but most obviously, they don’t know my name or customer ID and they don’t even refer to my actual email address. I actually have quite a few, so which one is this regarding?
As usual with spammers, there are also typos and grammatical errors (for example “un-monitored”). Now, let’s dissect it.
EXAMINING THE EMAIL DETAILS
The first and easiest check is the sender: Who sent this message? In Gmail, that’s revealed with a tiny grey triangle right by the “to” information at the top. A click and it reveals the sender:
As I said, I have email accounts on a variety of systems, but none of them are called “reagan.com”. A big red flag! This is also from “jbrown911b”, not “support” or “customerservice” or “IT”. Then there’s the TO address. Who’s mail-info@mail.com? Again, I don’t have an account @mail.com either. Two red flags right there, but there’s one more thing to check that’ll confirm it’s bogus: The link.
Most modern email systems have a super helpful feature that shows the target URL for a link in an email message. In Gmail, it’s a tiny pop-up on the lower left corner:
I haven’t clicked on the link, just moved my cursor over it. I’m 100% confident that no legitimate online service would send me to “mystrikingly.com” to confirm or migrate anything!
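The same three checks (sender, recipient, real link target) can be run against a saved copy of a message. This is an added example, not part of the original article: the sample message is constructed from the details above, and `me@example.org` / `example.org` are assumed stand-ins for your own mailbox and the provider you actually use.

```python
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message described above. Subject and the
# link's subdomain are placeholders, not taken from the real email.
RAW = """\
From: Mail Admin <jbrown911b@reagan.com>
To: mail-info@mail.com
Subject: Mailbox migration
Content-Type: text/html; charset="utf-8"

<a href="https://placeholder-site.mystrikingly.com/">Click to migrate</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # keep the real target, not the visible link text
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw, my_addresses, my_domains):
    """Return red flags for a single-part HTML message (assumed format)."""
    msg, flags = message_from_string(raw), []
    for _, addr in getaddresses(msg.get_all("From", [])):   # check 1: sender
        if not in_domains(addr.rpartition("@")[2], my_domains):
            flags.append(f"sender {addr} is not a provider I use")
    to = msg.get_all("To", []) + msg.get_all("Cc", [])      # check 2: recipient
    rcpts = {a.lower() for _, a in getaddresses(to)}
    if not rcpts & {a.lower() for a in my_addresses}:
        flags.append(f"not addressed to me: {sorted(rcpts)}")
    links = LinkCollector()                                  # check 3: link target
    links.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href in links.hrefs:
        host = urlsplit(href).hostname
        if not in_domains(host, my_domains):
            flags.append(f"link points to {host}")
    return flags

if __name__ == "__main__":
    for flag in triage(RAW, ["me@example.org"], ["example.org"]):
        print("RED FLAG:", flag)
```

The domain comparison matches on a dot boundary, so a host that merely contains a trusted name somewhere in it is still flagged.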
That’s enough. I would normally just delete this message and move on with my day.
But I know you’re curious, so I am going to click on the link (I do not recommend you do this, however!) to see what’s at the other end. After a pretty typical series of redirects…
THE PHISHING ATTACK IS REVEALED
The goal of the malicious spammers is to now present me with what looks like a legitimate login or landing page screen. Here’s what’s displayed:
I don’t have an account or server with Rackspace, but it’s a very popular hosting company so it’s possible this might seem legit until you look at the URL. Since you’re already suspicious, hopefully you already do this. If this were “support.rackspace.com”, maybe I’d be slightly less assured that it’s a scam, but there’s no question at all.
Proceed? Well, okay. I click on “PROCEED” and get to a login screen!
Looks pretty good, though if you zoom in you’ll see that the prompt is “Passvvord” not “Password”. The URL even embeds “spacerackmailweb”, but now it’s on “weebly.com”. This is sooooo wrong.
To test it, I entered a colorful and possibly profane message to the spammers in both the address and password fields. With a legit login screen, it would return an error. In this case it just bounced me to the real Rackspace webmail login screen:
Looks pretty darn similar, doesn’t it? But this time, at least, the URL makes sense: apps.rackspace.com.
This trick of bouncing you from a phishing login screen to a real login screen is quite common, and it’s a bit of social engineering. You log in, it fails, you enter your password again and this time it works. Hurray. Except you entered it correctly the first time too and gave them your login credentials! Not good.
So that’s the deal. Always be suspicious of any email message, text message, or even phone call you receive. Independently verify and remember that if it’s legit, you can just log in by typing in the address of the company rather than clicking a link. Be careful out there!
Pro Tip: I’ve been writing about online scams for many years. Please check out my spam, scams and security help area while you’re visiting for more informative articles on how to stay safe online. Thanks!