The Letter From “Microsoft” Is Actually a Scam.

We all receive enough spam these days to be wary of obvious scams: if you receive a message from an unknown number asking for money, or an email from a suspicious address warning of a computer virus, you’ll likely delete it and move on. But if the message comes from a company you trust, like Microsoft, and from a legitimate email address, you could be forgiven for assuming it’s genuine. In this particular case, however, it’s not, and you should exercise caution with messages from such an address.

As Zach Whittaker of TechCrunch reports, scammers are sending emails from a legitimate internal Microsoft email address: [email protected]. Microsoft uses this address to send a variety of important messages, such as two-factor authentication (2FA) codes and other informational messages about user accounts. If you receive an email from this address and look the address up online, you’ll find it’s legitimate, which may seem to confirm the authenticity of the email itself.

In his report, Whittaker emphasized that he had received numerous emails from this email address. According to Whittaker, the messages themselves were rather crudely composed, with spam links in the body. Some emails featured subject lines citing fraudulent activity on Whittaker’s Microsoft account, while others stated that Whittaker had “one new private message” and needed to “confirm account access using an email verification code.” While scammers may not use sophisticated subject lines and emails, they are sophisticated enough to send messages from legitimate Microsoft email addresses, increasing the likelihood that people will fall for these scams—even if the emails are poorly crafted.

Microsoft declined to comment when contacted by TechCrunch but acknowledged receiving the request. To be fair, while it’s unclear how the scammers achieve this, Microsoft isn’t the only company facing similar schemes. Earlier this year, Betterment experienced a similar problem involving the abuse of a third-party system used to contact customers. Namecheap, a domain registrar, has also had problems with scammers using its legitimate email addresses.

How to spot fake emails from legitimate addresses

Verifying the email address in a suspicious message is often the first step to determining its authenticity, so the fact that scammers can obtain these addresses can seem alarming. But there are many other signs to look out for to avoid falling victim to phishing emails.

First, while the address may be legitimate, fraudulent links most likely are not. Hover your cursor over hyperlinks in the email to see the URL. If you see shortened links or long, confusing URLs, assume the worst. Also, critically evaluate the structure of the email. If the subject line or body text contains spelling or grammatical errors, or if the overall design doesn’t meet company standards, it’s likely a scam.
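
The link checks described above can be run automatically over a raw message. The following Python is an added example, not code from the article or from Microsoft: the sender address, URLs and shortener list are constructed placeholders, and `LinkCollector`, `site` and `audit_links` are hypothetical names. It flags shortened links, links whose host does not belong to the sender’s domain, and links whose visible text names a different site than the one they open.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed, non-exhaustive list

class LinkCollector(HTMLParser):  # gathers [href, visible text] per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def site(host):  # simplification: last two labels; real code should use the Public Suffix List
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])

def audit_links(raw_email):  # returns {href: [reasons]} for links needing a closer look
    msg = message_from_string(raw_email)
    sender_site = site(parseaddr(msg["From"])[1].rpartition("@")[2])
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings = {}
    for href, text in collector.links:
        text, link_site = text.strip(), site(urlsplit(href).hostname)
        reasons = findings.setdefault(href, [])
        if link_site in SHORTENERS:
            reasons.append("shortened link")
        elif link_site != sender_site:
            reasons.append("host differs from sender domain")
        if "." in text and " " not in text:  # visible text itself looks like a URL
            shown = urlsplit(text if "://" in text else "//" + text).hostname
            if shown and site(shown) != link_site:
                reasons.append("visible text names a different site")
    return {href: why for href, why in findings.items() if why}

# Constructed sample message; the address and URLs are placeholders, not from the article.
SAMPLE = """From: Account Team <notify@example.com>

<p><a href="https://account.example.com/security">Review activity</a></p>
<p><a href="https://bit.ly/placeholder">Open private message</a></p>
<p><a href="http://login.example.net/verify">account.example.com/verify</a></p>
"""
```

A clean result does not prove a message is safe; the checks only surface the link patterns the article tells readers to look for.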
