Yesterday I got a screen shot in the form of a text message from Chris Loach, a good friend and one of our volunteer staff at Two Cities Church. It was an email sent from… me. Only it wasn’t from me and I immediately thought, “OH NO! I’VE BEEN HACKED! WHO ELSE IS GETTING THESE?!!!” I’m sure you can relate to those kinds of panic moments. I haven’t had a hacking situation like this since MySpace was a real social media option. Here’s a screenshot of the email Chris received.
After a few minutes of digging around, I realized I wasn’t hacked, I was Spoofed.
There’s different kinds of spoofing attacks, but mine was fairly simple and just about anyone can do it explains askleo.com. My spoofer simply sent an email from what looked like me, but when you press reply, it showed his real address. He or she was not using a very complicated method. However, sometimes they’re a bit more complicated as lifehacker.com explains. So what did I do about it? The following is how I seem to have spooked my spoofer from spoofing me again.
5 Steps to Spooking your Spoofer
Step 1: Know When it Hits
In order to go from spoofed to spooker, you’ve got to know when it happens and you need to know fast because the chances are, they’re not stopping with one email. That means you need your contacts not to just delete the email, but to actually inform you that it happened, like my buddy Chris did for me. (Thanks man!) Once you know, you need to take immediate action to avoid fall out from your contacts.
Step 2: Hit Reply
I asked Chris to click on the name and make sure it says my email. He did and it did. Then I said, “I wonder what would happen if you hit reply” and boom. There it was, the real email that the spoofer was spoofing from.
Step 3: Research
Once I had the real email this person was sending from, I went on a hunt for information about that person and that email. First stop, google.com. Google had nothing to say about that email address. No social media accounts. No other usages in forums. No previous articles, websites or blog posts mentioning the email (firstname.lastname@example.org). So I decided to figure out what I could about the user via the gmail account recovery process. I went to gmail.com and plugged in the address, then I clicked on “forgot my password” and chose the text me option. In order to actually get the password you’d need a lot more information, but I wasn’t trying to hack them. I was trying to get information about them. It revealed that their phone number associated with their account is **********77. Here’s what that tells me, their number ends in 77 and it’s one digit too long to be a number from the USA. So they are international.
Step 4: Invite Them to a GoogleTalk Video Chat
I invited them to a video chat. Imagine, what if they had actually accepted my invitation and I could video chat with this person? Wouldn’t that be shockingly amazing?! But they didn’t. But I’m sure that’s when they started getting a little spooked.
Step 5: Email Them and Block Them
I sent two emails to the address and explained that their attempts to scam my contacts would not work. They’re much too smart. People doing these kinds of scams are looking for low-hanging fruit, people who are frazzled by emergencies and many of whom are elderly. As soon as they realize they aren’t going to profit from scamming you or your friends, they’ll move on. In the email I sent, the point was not to make them angry, it was to scare them…hopefully enough to abandon or close the email they used completely and or out of the business. I’m hoping by the end of the time that they realized someone tried to log in to their real email, the person they were spoofing tried to video chat them and they were found out that they were spooked.
Bonus Step: Don’t Get Spoofed Again
I am the administrator of our church domain, twocitieschurch.com, and so I have the ability to go into the admin console and block them from emailing anyone within the organization. I took great pleasure in that step.
Here’s the deal, you can’t stop people from being dumb and trying to scam you, but you can make it difficult for them and you can spook them. So let’s make it difficult for the spoofers who are trying to take money from your contacts. Have you ever been hacked, spoofed or scammed? What was your experience and how did you deal with it?