Recognizing Phishing Emails – The Password Expiration Scam

Thursday, October 26, 2023

The Password Expiration Scam

Access to our accounts and applications can be vital for daily tasks. That is why scammers exploit the fear of being locked out of these accounts, or the urgency of a password reset, to try to steal your information. Their emails often include a button or link that takes you to a page asking for additional information to “keep your password” or “keep your account from expiring.” This additional information is most commonly the login information for your Microsoft or Google account. Once they have it, they will use it to hack into your email account to locate and steal important documents or emails. Sometimes, they even use your account to send new phishing emails.

What to Watch for

The sender address is the first thing to check on any suspicious email. While the sender name is easy to spoof, it is much harder (though not impossible) to spoof the sending address. In this case, we can note that the sending address is not an official Microsoft address but a different sender. Because the email does not come from an official address, this is immediately a red flag.

Another red flag is that Microsoft (and many other major software companies) does NOT send an automated email to inform you about password expiration. If your password expires, they will often let you know directly the next time you log in, so you can change it only after logging in with the previous correct password.

A third red flag is a generic greeting or generic phrasing. For example, this email says, “Your password is set to expire today”. The body of the email does not refer to the specific email address or account whose password is expiring. This indicates that the spammer set up this email to be sent to many people. While you are reading the text, watch for spelling and grammatical errors as well; they can also indicate that this “official” email is not what it seems.

Finally, if you are concerned or unsure about an email, send it to your IT department to verify, or call the sender if you know them. It is always better to be extra vigilant than to fall for one of these scams.
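For IT staff who triage reported messages, the three red flags above can be checked mechanically. The following is an added example, not part of the original article; the trusted-domain list, the flag names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation accepts as official for each brand.
TRUSTED_DOMAINS = {"microsoft": {"microsoft.com"}, "google": {"google.com"}}
EXPIRY_PHRASE = re.compile(r"password\b.{0,40}\bexpir", re.I | re.S)

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Microsoft Support" <it-notice@mail-alerts.example>
To: jane.doe@contoso.example
Subject: Action required
Content-Type: text/plain

Your password is set to expire today.
Use the button below to keep your password.
"""

def plain_text(msg) -> str:
    """Join every text/plain part (works for single-part and multipart mail)."""
    parts = (p.get_payload(decode=True) for p in msg.walk()
             if p.get_content_type() == "text/plain")
    return "".join(b.decode("utf-8", errors="replace") for b in parts if b)

def red_flags(raw: str) -> list[str]:
    msg = message_from_string(raw)
    text = plain_text(msg)
    flags = []
    # Flag 1: display name claims a brand, but the address is on another domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, official in TRUSTED_DOMAINS.items():
        on_brand = any(domain == d or domain.endswith("." + d) for d in official)
        if brand in name.lower() and not on_brand:
            flags.append("sender_mismatch")
            break
    # Flag 2: an emailed password-expiration notice.
    if EXPIRY_PHRASE.search(msg.get("Subject", "") + "\n" + text):
        flags.append("password_expiry_notice")
    # Flag 3: the body never names the recipient's own address (mass mailing).
    _, rcpt = parseaddr(msg.get("To", ""))
    if rcpt and rcpt.lower() not in text.lower():
        flags.append("generic_body")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A message that raises no flags is not thereby proven legitimate: the From address can itself be forged, so the SPF, DKIM and DMARC results recorded by your mail gateway still need to be checked.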
