Last week, a coworker tapped me on the shoulder and said, “I got this weird e-mail.”
It was from “accounts@[his bank].com.” It read, “Your account has been overdrawn by $1 billion. Come up with the money by five o’clock, or we’ll break your legs.”
I waited for Nick, my coworker, to share his thoughts and then told him, “I sent that e-mail.”
It’s easy to commit this fraud
I don’t have access to Nick’s bank’s mail server; anyone can send an e-mail like this because the sender of the e-mail (you, me, anyone) can set the ‘from’ header of the e-mail transmission to any value he pleases. (No, your e-mail website or client software won’t let you set this header manually, but a very little bit of computer coding is all you need.)
So suppose I compose an e-mail to Nick, and I include his bank’s info in the mail, complete with logos and official-sounding text. My fraudulent e-mail instructs him to login at the website and check his messages, then provides a link to the login page.
… Only the page that it opens isn’t the bona fide login page. It’s a page I’ve built that looks identical to the real login page. (It might even have a URL almost identical to your bank’s webpage’s URL.) As soon as you try to login on my imitation webpage, I get your bank login information. Then I go to your bank’s real website and steal your money.
The good news
The good news is that it’s easy for your mail server to warn you of this kind of fraud: when your mail server (i.e. the recipient mail server) gets the fraudulent e-mail, it can compare the ‘from’ address with the address of the mail server that actually sent the e-mail (i.e. the sender mail server). If the two don’t match, your mail server can attach a warning flag to let you know that this e-mail may be fraudulent.
E.g. some months ago, I sent an e-mail to my bishop (using Mozilla Thunderbird), and his mail server rejected it because I used an AOL account to identify myself (i.e. the ‘from’ header) but configured my mail client to use my ISP’s server (i.e. the sender mail server).
Disappointing news about Gmail
The bad news is that detecting this warning sign appears to be out of common practice. As implied before, my office’s e-mail server did not give my coworker any warning about the fraudulent e-mail I sent him.
Another surprise for me: Gmail also provided no warning when I sent similar e-mails to my Gmail account. Because of Gmail’s good spam filtering system, I assumed that Gmail was watching out for its users better than this.
I use gmail, and have periodically gotten that warning. Usually, I get it on legit emails though.
Ah. Well, I guess they don’t eschew warnings altogether. They just didn’t issue any in my experience of last week.