
Need Help How to stop phishing emails being sent from my address after email being compromised

White Haus

Not a Newbie
My email was compromised at the beginning of the year and they managed to copy a bunch of email trails from a 2-3 month period.

The hacker(s) have been sending out phishing emails that (at first glance) look like they're coming from my email address, replying to these old emails from clients, with a link to review "the documents" which I'm assuming goes to an infected site.

I've secured my accounts and changed every single password I use, and as far as I know they no longer have access to my account.

They quieted down for a while but just decided they'd go on another tear this week and I'm getting non-stop calls, texts, and emails from customers wondering why I'm sending them weird emails.

Luckily (knock on wood) no one has been dumb enough to click on any links but it's becoming a huge problem.

Is there ANYTHING that can be done to put an end to these emails? They're using random domains every time so I'm not sure how that could be blocked.

Change my email address and tell all my customers/contacts to just block my old address?

Can you report this to any sort of authorities that can actually do anything about it?

All our email is through Google Workspace and as I'm sure you all know you can't talk to a human there and all their "help" articles basically just say "it's your problem if your account gets compromised".
 

balstestrat

Problem Solver
Send an email explaining that your contacts might get phishing emails that look like they are coming from you, and that's about all you can do. They should always contact you if they are not sure about an email, and disregard all old emails and topics.
The rest depends on the receiving end on how well they can block spam.
 

Pauly

Printrade.com.au
All our email is through Google Workspace and as I'm sure you all know you can't talk to a human there and all their "help" articles basically just say "it's your problem if your account gets compromised".

What? Of course you can talk to a human. I do all the time when I need help with something. They'll even call you to help resolve it quicker.

The chat has the option to talk to someone after the bot tries to help.
 

CanuckSigns

Active Member
Damn Pat, that sucks!

I don't think there is anything you can really do, unfortunately, as they are spoofing your address.

I would send out an email to all your clients explaining what has happened, tell them not to click any links or open any files, and if they are at all unsure if an email is legit to call or email you.

This happened to a client of mine about 5 years ago and I still get phishing emails from them a few times a year.
 

Texas_Signmaker

Very Active Signmaker
That sucks. It can go on for a long time. After a few years I still get an occasional email from a sign company that got hacked.
 

White Haus

Not a Newbie
What? Of course you can talk to a human. I do all the time when I need help with something. They'll even call you to help resolve it quicker.

The chat has the option to talk to someone after the bot tries to help.

Thanks Pauly, I'm really glad you mentioned that. I've been using the chat feature and they're walking me through how to update SPF, DKIM, etc.
 

White Haus

Not a Newbie
If you are using your own domain, configure SPF, DKIM and DMARC (as strict) so those emails will be flagged. Be sure to set it up OK or you will have more problems lol
The Google man walked me through all of this. All mumbo jumbo settings to me, but it seems like it worked. Apparently it takes a couple of days for it all to kick in, but hopefully that will stop the spoof emails.
 

unmateria

New Member
The process can be long depending on the botnet... You should set up DMARC (especially using a strict setup) to send reports to you daily. Copy the IP addresses of the servers they are using and check the AS relative to that domain, then write a small report to the abuse@ proprietor of that AS. We all usually act fast since it's very bad for the reputation of the IP range, although there are many that really suck like OVH, QuadraNet, Aruba, DigitalOcean, IONOS/1and1, among others.
Anyway, major email providers (Gmail, Outlook, Yahoo, etc.) will immediately block them or send the emails to spam from day 1, and every mail server with a minimum of security will derate them a lot (although many won't block them directly, so it's better to help end the botnet by reporting to the AS abuse personnel... Use whois.con/whois or another IP whois service)
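The "copy the IP addresses from the DMARC reports" step above can be automated. The following is an added example, not code from this post or from Google Workspace: it parses a DMARC aggregate (RUA) report in the standard XML layout receivers send to the `rua=` address and lists the source IPs whose mail failed both SPF and DKIM, merged by IP and sorted by volume. The report, domain and addresses below are a constructed sample, not real data.

```python
"""Summarise unauthenticated source IPs from a DMARC aggregate (RUA) report.

Added example. The XML is a constructed sample in the aggregate-report
layout defined by RFC 7489; the domain, IPs and counts are made up.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two spoofing sources that failed SPF and DKIM
# (one of them appears in two rows) and one legitimate source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.invalid</org_name>
    <date_range><begin>1650000000</begin><end>1650086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.25</source_ip>
      <count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>8</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def failing_sources(report_xml):
    """Return {source_ip: message_count} for rows where the receiver's
    DMARC evaluation failed both DKIM and SPF. Rows for the same IP
    (receivers split them by disposition or header fields) are merged."""
    root = ET.fromstring(report_xml)
    totals = defaultdict(int)
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count") or 0)
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "fail" and evaluated.findtext("spf") == "fail":
            totals[ip] += count
    return dict(totals)


def report_summary(report_xml):
    """Human-readable summary: the list you would take to an IP whois
    lookup to find the owning AS and its abuse contact."""
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    ranked = sorted(failing_sources(report_xml).items(), key=lambda kv: -kv[1])
    lines = [f"DMARC report for {domain} (published policy p={policy})"]
    for ip, n in ranked:
        lines.append(f"  {ip:<16} {n:>5} unauthenticated messages")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report_summary(SAMPLE_REPORT))
```

Real reports arrive as zipped or gzipped attachments, one per receiver per day; unpack them first and feed each XML file to `failing_sources`. The legitimate source (192.0.2.25 in the sample) is deliberately left out of the list because it passed authentication.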
 

CanuckSigns

Active Member
The process can be long depending on the botnet... You should set up DMARC (especially using a strict setup) to send reports to you daily. Copy the IP addresses of the servers they are using and check the AS relative to that domain, then write a small report to the abuse@ proprietor of that AS. We all usually act fast since it's very bad for the reputation of the IP range, although there are many that really suck like OVH, QuadraNet, Aruba, DigitalOcean, IONOS/1and1, among others.
Anyway, major email providers (Gmail, Outlook, Yahoo, etc.) will immediately block them or send the emails to spam from day 1, and every mail server with a minimum of security will derate them a lot (although many won't block them directly, so it's better to help end the botnet by reporting to the AS abuse personnel... Use whois.con/whois or another IP whois service)
I'm sure this makes sense but it's all gibberish to me lol
 

unmateria

New Member
Ahaha ok, I will explain it simply... If my English lets me... Lol

With SPF you tell the server that receives emails with your email address (not only from you) that emails from your domain can only be sent from server x.x.x.x, or several servers.

With DKIM your server signs the email with a private key so the server that receives the email can really check whether the email was sent from you.

With DMARC you set up what you want to happen when either of those conditions is found in an email, and report the attempts to you (or not)

... That's all (simplifying a lot lol)

So in the end, if someone sends an email in your name, the other server knows it, and you have the IP that tried that
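The three rules explained in this post can be written down as a small evaluator. This is an added example, not code from the post, from Google Workspace or from any real mail server: SPF checks whether the sending IP is one the domain has published, DKIM is taken as an already-verified result plus the signing domain, and DMARC decides the disposition when neither passes in alignment with the From: domain. DNS is replaced by an in-memory table, and the organizational-domain rule is approximated as "last two labels" (real implementations use the Public Suffix List). Domains, IPs and records are constructed.

```python
"""SPF check + DMARC alignment and disposition, simplified.

Added example. FAKE_DNS_TXT stands in for DNS TXT lookups; every
domain, IP and record in it is made up for the demonstration.
"""
import ipaddress

FAKE_DNS_TXT = {
    # The legitimate domain: only two sources may send for it, and DMARC
    # rejects anything that fails both checks (strict DKIM, relaxed SPF).
    "example.com":        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    # A spoofer's own domain with a valid SPF record for its server.
    "attacker.invalid":   "v=spf1 ip4:203.0.113.10 -all",
}


def parse_tag_value(record):
    """'k=v; k2=v2' -> dict, the format DMARC records use."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def check_spf(sender_ip, mail_from_domain, dns=FAKE_DNS_TXT):
    """Minimal SPF: ip4 mechanisms and the -all / ~all terminator only.
    Full SPF also handles include, a, mx, redirect and DNS lookup limits."""
    record = dns.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"


def org_domain(domain):
    """Organizational domain, approximated as the last two labels
    (assumption: a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_disposition(header_from, sender_ip, mail_from_domain,
                      dkim_result, dkim_domain, dns=FAKE_DNS_TXT):
    """Return 'pass' when an aligned SPF or DKIM pass exists, otherwise the
    disposition (p=) published by the From: domain, or 'none' if it has
    no DMARC record and the receiver is left to its own heuristics."""
    policy = parse_tag_value(dns.get("_dmarc." + header_from.lower(), ""))
    if policy.get("v") != "DMARC1":
        return "none"
    spf_ok = (check_spf(sender_ip, mail_from_domain, dns) == "pass"
              and aligned(mail_from_domain, header_from, policy.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_domain, header_from, policy.get("adkim", "s")))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail from the domain's own server, signed by example.com
    print(dmarc_disposition("example.com", "192.0.2.25", "example.com", "pass", "example.com"))
    # Forged From: example.com sent from an unrelated IP, no valid signature
    print(dmarc_disposition("example.com", "203.0.113.10", "random.invalid", "fail", ""))
    # Forged From: with a MAIL FROM the spoofer controls: SPF passes for
    # attacker.invalid, but it is not aligned with example.com, so still reject
    print(dmarc_disposition("example.com", "203.0.113.10", "attacker.invalid", "fail", ""))
```

The third case is the one that matters for the thread: the spoofer can make plain SPF pass by using a domain they own in the envelope sender, but DMARC only counts an SPF or DKIM pass whose domain aligns with the From: address the customer sees, which is why the combination of all three records stops the forged mail while SPF alone would not.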
 

bob

It's better to have two hands than one glove.
Change your password to a strong one and turn on 2 factor authorization.
Why should I inconvenience myself in order to protect someone else? Of all of the passwords a person is expected to juggle only a minuscule number are protecting you from anything. The vast majority exist to protect those that demand you use and somehow keep track of Yet Another password. My lack of interest in participating in someone else's security procedures approaches total.
 

Solventinkjet

DIY Printer Fixing Guide
Why should I inconvenience myself in order to protect someone else? Of all of the passwords a person is expected to juggle only a minuscule number are protecting you from anything. The vast majority exist to protect those that demand you use and somehow keep track of Yet Another password. My lack of interest in participating in someone else's security procedures approaches total.
I use a password manager so it's not an inconvenience at all. Once someone can get into your email, they can get into pretty much every other account you have. Your email should be protected the most. Not to mention it looks pretty unprofessional when your customers get phishing emails from your address.
 

White Haus

Not a Newbie
Not to mention it looks pretty unprofessional when your customers get phishing emails from your address.

Agreed. This whole thing has been pretty embarrassing to say the least.

Everyone has been understanding but I can do without getting lectured by clients at big companies that have IT departments and have enough time on their hands to open investigations over this matter............
 

unmateria

New Member
It's not so difficult, just a non-dictionary complex password above 10 characters, 2FA if you can, and for God's sake... Stop using unencrypted connections lol, that's the main cause of those hackings, a computer/mobile in your network sniffing traffic to ports 25/110. Always use TLS/SSL. And well, a password manager in 2022 is a must (I like LastPass, but there are many out there)
 

bob

It's better to have two hands than one glove.
I use a password manager so it's not an inconvenience at all. Once someone can get into your email, they can get into pretty much every other account you have. Your email should be protected the most. Not to mention it looks pretty unprofessional when your customers get phishing emails from your address.
Why should I have to engage the services of a password manager? I derive little to no benefit from all of these passwords. As previously noted, they exist, for the most part, to protect those demanding that I use a password. Not my problem and therefore not interested in participating in their solutions. Any and all financial as well as other institutions with which I do business have strict instructions that require phone or in-person requests on any account of mine. They will pay no attention to any online requests for my account. The rest of my 'accounts' are merely web sites that I browse occasionally. I never order anything online, only via phone or in person. If any client of mine is disturbed by an errant email from some miscreant or another, I'm sure they'll survive.
 