New Twist on Nigerian Email Scam

Users of Yahoo, Hotmail, and other similar services need to be on guard for realistic emails supposedly coming from Yahoo, Hotmail, or whoever your email provider is, requesting that you “confirm your account” or similar nonsense.  Basically, you give them your user name and password on a realistic-looking fake web site, and these fraudsters take over your email account, change the password, and then send a plea for money to everyone in your address book.

I got an email today from the compromised email account of a business associate.  In the email (supposedly from him) he explained how he had been robbed in Nigeria and needed $2700 to settle his hotel account and get his plane ticket, etc.  The Nigeria reference raised a flag, so I called him, and left a voice message.  Then I sent him an email asking him some questions only he and I would know the answer to.

He called back.  He is in town, not in Nigeria, and cannot get into his Yahoo account.  I worked with him to get a password reset sent to him at another email account.  He will have to contact everyone in his address book to let them know the email was a fraud.  He is also going to report this to Yahoo.

We all need to be very suspicious of any email request from anyone we regularly do business with for personal information like this.  Click on the link to a realistic-looking website, answer a few questions, and you too can be helping a Nigerian criminal feed his family.  A real vendor WILL NEVER ASK FOR YOUR PASSWORD.

At least they shouldn’t.  I was on the phone with one of mine lately, who I had called myself, and so I knew they were legitimate.  She asked for my account password and I REFUSED TO GIVE IT TO HER, and told her why.  Never, ever, give your password to anyone who claims to be from a web vendor company, even if you contacted them yourself.  Remember, these call centers are not necessarily in the United States, and you never know if they are going to sell your information to a “friend.”

Have fun out there, but be careful.  Trust your gut – if something seems odd – DON’T DO ANYTHING before you check it out yourself by contacting the vendor directly and verifying the request.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
