I took a call last evening from a client with a distressing tale: every e-mail and the entire contents of his contacts list had been deleted. This came about because he received an e-mail purporting to come from BT Yahoo (his e-mail provider) asking him to confirm his details on their website as they had noticed suspicious behavior or over quota patterns coming from his address. He clicked through the link and was taken to a website that looked exactly like the real BT Yahoo one. He entered his normal login details and was told that his account would now be reactivated and the browser page was then directed to the genuine BT Yahoo web site.
The initial website was an exact replica of the real BT one which captured his e-mail details. Shortly after that a message purporting to come from my client was sent to most people in his stolen address book asking them to send money as he had had an accident overseas.
Any reply sent to the fake e-mail did not reach him: not only had every e-mail he had ever sent or received been deleted, but automatic forwarding had been set up so he was not receiving any new messages. Offers of help from his friends were going directly to the scoundrel who perpetrated this scam. I was able to draft a message to BT for him asking whether any backup copy of messages or contacts list could be used for recovery, and attaching the header of the fake message so that the IP address of the sender could be used should they want to take any action. They should reply within 72 hours.
So the obvious lesson is never to click a link in an e-mail message, whoever it appears to come from, but to type the address in a browser or select a favourite bookmark. But there is another lesson: by using just the web interface to access his mail, all eggs were in one basket. If an e-mail client (e.g. Outlook, Windows Live Mail, Thunderbird etc.) had been used to store messages on his own computer, then his own backups (because we all take backups) would have captured the messages and practically nothing would have been lost. Finally, make sure spam & phishing filters are effective and tuned to match your own requirements.
Given all the private information in his e-mails, all passwords have had to be changed, and we wait to see if enough information has been gleaned to enable a loan to be requested in his name, or other bad things that come from having one's identity used for bad acts.