Password reset scams
Users of webmail services such as Gmail or Outlook.com register a mobile phone number with the service so that password reset codes can be sent to a device that only they hold, but Symantec is warning that scammers have worked out a way to talk users into handing that code over.
Do you worry about forgetting your Hotmail password and being unable to ever regain access to your email archives? You can take precautions against that by giving Hotmail a backup email address or your mobile phone number. Then, if you do forget your password, you can ask Hotmail to send a six-digit password reset rescue code as an SMS message to your mobile phone. On its own this is reasonably secure: if an attacker poses as you and claims to have forgotten the password to your Hotmail account, they can ask Hotmail to send a reset code to your mobile phone, but they can't get at your phone to read that code.
However, Symantec has identified a social engineering scam which exploits this system, provided the scammer knows both the email address and mobile phone number of the victim, and which relies on the victim not being familiar with how the verification system works. The scammer first goes to Hotmail and requests a password reset, with a verification code being sent to the victim's mobile phone. As soon as they have done that, the scammer sends a text message to the victim saying "This is Hotmail. There has been suspicious activity on your account. We have just sent you a security code in a text message. To confirm you are the owner of this email address, please text the code back to us." If the victim is deceived by this, they obediently send the six-digit code to the scammer, who can then use it to reset the Hotmail password. Note that Hotmail has done nothing wrong here: the reset was requested from the scammer's own browser, so the code is genuine and the service has no way of telling that the person typing it in is not the person who received it. The only thing standing between the scammer and the account is whether the victim lets the code leave their phone. Symantec has put together a very good video which illustrates this.
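To make the sequence concrete, here is a small Python model of an SMS reset flow and the scam run against it. It is an example added for this article, not Symantec's or Microsoft's code: the service, the addresses and phone number, the five-attempt lockout and the ten-minute expiry are all constructed for the illustration. Two things the text leaves implicit fall out of the model: the server cannot reject the scammer's attempt, because the scammer's own session legitimately asked for the code, and guessing the code is not an option for the scammer, because wrong guesses lock the reset.

```python
"""Model of an SMS-based password reset and the code-forwarding scam.

Constructed illustration, not any provider's real implementation: the
six-digit code, five-attempt lockout and ten-minute expiry are assumptions.
"""
import re
import secrets
import time
from dataclasses import dataclass, field

CODE_RE = re.compile(r"\b(\d{6})\b")


def extract_code(sms_text: str) -> str:
    """Pull the six-digit code out of a reset text, as the victim would read it."""
    return CODE_RE.search(sms_text).group(1)


@dataclass
class PendingReset:
    code: str            # six-digit code that was texted to the registered phone
    session_id: str      # browser session that asked for the reset
    expires_at: float    # unix time after which the code is dead
    attempts_left: int = 5


@dataclass
class ResetService:
    """The webmail provider's side of the flow. `network` stands in for the carrier:
    a dict of phone number -> list of received texts (constructed for the example)."""
    phones: dict
    network: dict
    pending: dict = field(default_factory=dict)    # email -> PendingReset
    passwords: dict = field(default_factory=dict)  # email -> current password

    def request_reset(self, email: str, session_id: str, now: float) -> None:
        """Anyone who knows the address can ask; the code goes to the phone on file."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = PendingReset(code, session_id, now + 600)
        self.network.setdefault(self.phones[email], []).append(
            f"Your password reset code is {code}. Never share this code with anyone.")

    def complete_reset(self, email: str, session_id: str, code: str,
                       new_password: str, now: float) -> bool:
        """Redeem a code. Session binding stops a bystander who merely overheard a code,
        but not the scam: the scammer's session is the one that requested it."""
        p = self.pending.get(email)
        if p is None or now > p.expires_at or session_id != p.session_id:
            return False
        if p.attempts_left <= 0:          # locked after too many wrong guesses
            return False
        if not secrets.compare_digest(code, p.code):
            p.attempts_left -= 1
            return False
        del self.pending[email]           # single use
        self.passwords[email] = new_password
        return True


VICTIM, VICTIM_PHONE = "victim@example.com", "+15550100"   # constructed


def run_scam(victim_replies: bool) -> bool:
    """Play out the Symantec scenario; returns True if the scammer resets the password."""
    network = {}
    svc = ResetService(phones={VICTIM: VICTIM_PHONE}, network=network)
    now = time.time()
    # 1. Scammer, from their own browser session, requests a reset for the victim's address.
    svc.request_reset(VICTIM, "scammer-session", now)
    # 2. Scammer immediately texts the victim, posing as the provider.
    network[VICTIM_PHONE].append(
        "This is Hotmail. There has been suspicious activity on your account. "
        "We have just sent you a security code in a text message. To confirm you are "
        "the owner of this email address, please text the code back to us.")
    # 3. The victim's phone now holds the genuine code followed by the lure.
    real_code = extract_code(network[VICTIM_PHONE][0])
    if not victim_replies:
        return False   # victim ignores the unsolicited text; the code expires unused
    # 4. Victim texts the code back; scammer redeems it from the session that asked for it.
    return svc.complete_reset(VICTIM, "scammer-session", real_code, "pwned", now + 60)


def lockout_demo() -> bool:
    """Why the scammer needs the human: after five wrong codes even the real one is refused."""
    network = {}
    svc = ResetService(phones={VICTIM: VICTIM_PHONE}, network=network)
    now = time.time()
    svc.request_reset(VICTIM, "scammer-session", now)
    real_code = extract_code(network[VICTIM_PHONE][0])
    wrong = [f"{i:06d}" for i in range(10) if f"{i:06d}" != real_code][:5]
    for guess in wrong:
        svc.complete_reset(VICTIM, "scammer-session", guess, "pwned", now + 1)
    return svc.complete_reset(VICTIM, "scammer-session", real_code, "pwned", now + 2)


if __name__ == "__main__":
    print("victim forwards code, scammer wins:", run_scam(True))
    print("victim ignores the text:", run_scam(False))
    print("scammer guesses instead:", lockout_demo())
```

The model deliberately includes the server-side protections a reset flow normally has (expiry, single use, attempt limits, binding the code to the requesting session), to show that none of them helps once the victim texts the code to the person who requested it.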
Why would a scammer go to all this trouble to break into someone's Hotmail account? Most people will laugh at the idea and say they have nothing worth stealing in there. Maybe not, but once inside, the crooks may be able to use that account to request password reminders for online banking accounts, order things from Amazon using saved credit card details, and so on. The important thing to note is that you should never respond to "security" messages that you didn't specifically ask for. A reset code is meant to be typed into the provider's own password reset page, by the person who requested it; it is never something you send back by text.
24th June 2015
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.