Peter Vogel’s Tech Wise

When an email from a friend turned out to be a scam, others quickly recognized it—a sign of growing awareness around online threats, writes Peter Vogel

Recently I received an email from a friend—an email that immediately aroused suspicion. 

It was an appeal of the tear-jerker variety, designed to evoke a response through emotion-generating hooks and through a sense of urgency.

Like many such emails, it had an aspect of believability, along with warning signs. It even ended with a “God bless” sign-off, representative of the sender as I know the person.

None of it, of course, was true. It was quite an elaborate scam, although one which was dependent on a mistake by the ostensible sender.

I resisted immediately writing back with the typical “you’ve been hacked” or “you’ve been scammed,” opting to wait until I saw my friend in person two days later. Actually, I wouldn’t have used the expression “you’ve been hacked,” as my experience with these sorts of events is that nearly always it’s the victim who has “clicked somewhere” or used a fake site, believing it to be real and safe.

By the time I saw my friend, I had already learned from others in our mutual circle that they too had received the same email. What was surprising to me, in a good way, is that each of them immediately wrote off the message as being part of a scam. We’ve come a long way over the past decade or so when it comes to situational awareness and skepticism with technology.

When I saw my friend, he was already aware of the matter. Someone had indeed contacted him, via text message, to see if he was aware of the email in question. When another person reached him with the same concern, he took action which proved prescient under the circumstances.

He was actually out of the country at that point. He phoned the service provider. Amazingly, he reached someone who immediately guided him through changing the password for his webmail service. That action halted further use of the account by the scammer or scammers.

So, just what occurred here? Although my friend can’t specifically recall the trigger event, it is clear he was tricked onto either a fake version of his webmail sign-in page or onto a fake Wi-Fi node in the hotel where he was staying. No matter which of the two, his email credentials were compromised, and the scammer immediately harvested his entire contacts list—some 400 or so email addresses—spent a few minutes looking through his sent emails to get an idea of a typical sign-off he might use, and then sent out the emotional appeal to all those contacts.

In this case, the scammer did not change the webmail password or take any further action. When I was asked to look at my friend’s computer and webmail, I could find no evidence of tampering at the machine level. Of course, I didn’t expect anything, as the scam involved a compromised webmail account. I could not find the actual email or emails sent by the scammer through the account. These were presumably deleted by the scammer and selectively deleted from the trash folder, as this bin was essentially full of messages deleted over the past many months.

As for the come-on—the gist of the scam, if you will—it was an appeal to raise funds for the supposed surgery of a child with a rare medical condition. To complete the scam, respondents were directed to a WhatsApp telephone number where bids or payments could be made on a lengthy list of items being sold to pay for this “surgery.” Red flags everywhere.

If those flags weren’t enough, consider some of the items, again supposedly being auctioned: a Rolex watch, a Sea-Doo, a recent model pickup truck. You get the idea. Of course, the items don’t exist. The scam goes to completion when someone bids on and “wins” an item; the credit card used is harvested, or monies are collected through e-transfers.

Why, specifically, was my friend targeted for this scam? The answer lies in the webmail service provider, in this case Shaw (now Rogers, but the underlying mail service is still called Shaw webmail).

Scammers know that mail originating from Shaw, as well as from other trusted commercial webmail providers, is more likely to get through authentication checks as it traverses the internet on its way to recipients. Such mail is, after all, being sent from a legitimate user account—in this case, from my friend’s account.

In recent months, Rogers has stopped issuing new Shaw webmail accounts, perhaps a precursor to phasing out the company’s webmail service altogether. Scammers may be exploiting this by issuing fake transition or migration notice emails as a means of having users divulge their access credentials.

Another day, another lesson when it comes to personal technology usage. As of this writing, none of my friend’s contacts appears to have taken the scam bait, although one did write to ask for more information.

Follow me on X (@PeterVogel) or on Bluesky (petervogel.bsky.social).
