
“Note to self” phishing scams explained


Phishing scams have been around almost as long as email has existed. The first recorded use of the technique was in the mid-1990s, when a group of enterprising hackers posed as AOL employees and used email and instant messaging to steal users’ passwords and account credentials.

For the most part, phishing scams have remained remarkably unsophisticated across the intervening decades. Most phishing attempts are fairly low-effort and pretty easy to discern as scams. However, every now and again, cybercriminals come up with something a little different. This blog covers one such tactic: “note to self” phishing scams.

What do we mean by “note to self”?

Simple: most email providers let you send a message to yourself from within your own account. It then appears in your inbox as a “note to self”. You’ve probably done this at some point; it’s an incredibly handy way of setting yourself reminders.

However, as we’ll see, cybercriminals have found a way to weaponise this feature.

How do note-to-self phishing scams work?

So, how does a pretty humdrum email feature become a key part of a successful phishing scam?

Well, crucially, you can only send a “note to self” from within the same email account. This is the crux of the scam: a cybercriminal spoofs your email address and sends a “note to self” claiming to have breached your account.

They’ll then usually demand some form of ransom, such as cryptocurrency, in exchange for deleting compromising files, photos or data they claim to hold on the victim. There’s usually a strict time limit for payment, say 48 hours, after which the hacker threatens to leak the data or email it to your contact list.

To illustrate, here’s one I made earlier:

But here’s the clever bit: the cybercriminal doesn’t actually have access to your account or any compromising or sensitive data. They just want you to think they do. 

Instead, the hacker has used something called email spoofing to make it appear as though the message has come from inside your account. It hasn’t, but you won’t immediately know that. In fact, you’ll probably panic (don’t worry, I did). And it’s this panic that the cybercriminal is trying to induce, hoping you’ll act before you have time to think about it too much.

What is email spoofing?

Every email carries a header: a block of text fields recording important information about the message, including the sender, the recipient and tracking data about the route it took. Unfortunately, hackers have learned how to weaponise this to deceive victims.

Email spoofing is when a cybercriminal manipulates the header to mask their identity and impersonate a legitimate sender. There are two common approaches: one we’ll call the ‘sophisticated way’, and another that is less impressive.

The sophisticated approach

This technique is rarer than the one we’ll discuss next and much more convincing, which makes it a lot more dangerous. Cybercriminals use a script to forge the header fields the recipient can see, such as the From: address. In simple terms, this means the email will appear to come from a legitimate sender.

This is possible because the email transmission protocol, Simple Mail Transfer Protocol (SMTP), doesn’t have a built-in method for authenticating email addresses. It also means that these spoofs will evade most email security.

This technique is the one typically used for note-to-self phishing scams, and it’s what makes them so effective.

The more common approach

The less sophisticated email spoofing technique is to register an email domain that closely resembles the legitimate one being impersonated. For example, CEO@m3gacorporation.com rather than CEO@megacorporation.com.

You’ll see this approach more often in the wild because it’s easier to achieve and doesn’t require any specialist tools or knowledge. However, it’s generally less effective as it relies on victims not paying attention, meaning it can be pretty easily foiled with just a little thought.

How to spot a note-to-self scam

At this point, you might be wondering how it’s possible to avoid falling for a note-to-self scam. If the spoofed email looks totally legitimate, how are you supposed to tell the difference?

Fortunately, it’s actually very simple. If you receive an email like the one we’ve outlined above, here’s what you should do.

1. Don’t panic

As we mentioned earlier, if you receive a note-to-self phishing email, your first instinct is probably going to be panic. It’s often easier said than done, but try not to. Take a deep breath and don’t do anything drastic or click on any link until you’ve worked through the next few items on the list. 

If it’s helpful, you can use the “Stop, Look, Think” anti-phishing technique. Remember, cybercriminals rely on creating a sense of urgency to get you to act before thinking critically. After all, it’s one of the most common and effective social engineering techniques in existence.

Don’t fall for it. Tell yourself that nine times out of ten, this is a phishing scam, not a real compromise of your email account.

2. Check the sender's email address

Next, check the sender’s email address. Does the email really match your own, or are there subtle differences? If the attacker has used a less sophisticated spoofing technique, this is where they’ll give themselves away as phoney.

3. Check your sent folder

If the email address appears identical to yours, it’s probably a more sophisticated spoof. However, there's still an easy way to tell if your email account has really been breached.

As the name suggests, “note to self” emails can only be sent from inside the account, so check your sent emails. If the email doesn’t appear there, then it hasn’t been sent from your account, meaning it’s a phishing scam.

4. Check the IP address of the sender

You shouldn’t need to do this, but if you want some extra peace of mind, check the sender's IP address. If the message had really been sent from inside your account, the IP address would match the one associated with your email.

To find the IP address associated with an email, you need to analyse the email header, specifically the "Received:" lines.

To do this in Gmail, open the email, click the three vertical dots, and select "Show Original" or "View original message". 

In Outlook, open the email, go to File > Properties, and look at the Internet headers. 

You can also use tools like WhatIsMyIP.com to check email headers. It’s worth noting, though, that if you use a virtual private network (VPN), this step won’t work, because a VPN replaces your real IP address with a proxy address to mask your internet identity.
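Here is an added example, not code from the CyberSmart post, that automates the header analysis from step 4 together with the checks the email-spoofing section implies: it walks the Received: chain to find the originating IP, compares the visible From: address with the envelope sender (Return-Path), and reads the SPF, DKIM and DMARC verdicts your provider stamps into the Authentication-Results header. Both header sets, every address and IP, and the authserv-id `mx.example.com` are constructed for the example; no real mail is involved.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# CONSTRUCTED sample headers for the example (not real messages).
# SPOOFED: the visible From: is the victim's own address, but the oldest
# Received: line shows the message arriving from an unrelated host, and the
# provider's Authentication-Results stamp says SPF, DKIM and DMARC all failed.
SPOOFED_HEADERS = """\
Return-Path: <bounce@bulk-sender.invalid>
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by inbox.example.com with ESMTPS id abc123
    for <victim@example.com>; Mon, 01 Jan 2024 09:00:00 +0000
Received: from unknown (HELO example.com) (203.0.113.77)
    by mx.example.com with SMTP; Mon, 01 Jan 2024 08:59:58 +0000
Authentication-Results: mx.example.com;
    spf=fail smtp.mailfrom=bulk-sender.invalid;
    dkim=none;
    dmarc=fail header.from=example.com
From: victim@example.com
Subject: Your account has been hacked
"""

# GENUINE: a real note to self, submitted by the logged-in user from her own
# client IP (198.51.100.5) and passing every authentication check.
GENUINE_HEADERS = """\
Return-Path: <victim@example.com>
Received: from submit.example.com (submit.example.com [192.0.2.25])
    by mx.example.com with ESMTPS id def456
    for <victim@example.com>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [198.51.100.5] (authenticated user victim@example.com)
    by submit.example.com with ESMTPSA; Mon, 01 Jan 2024 09:59:59 +0000
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=example.com;
    dkim=pass header.d=example.com;
    dmarc=pass header.from=example.com
From: victim@example.com
Subject: Note to self: renew the domain
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _flat(header):
    """Collapse a folded (multi-line) header value onto one line."""
    return " ".join(str(header).split())


def received_chain(msg):
    """Received: lines oldest-first. Each relay prepends its own line, so the
    last one in the source is the hop where the message entered the system."""
    return [_flat(h) for h in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """First IP literal in the oldest Received: line, i.e. the host that handed
    the message to the first relay (your own client for a real note to self)."""
    chain = received_chain(msg)
    if not chain:
        return None
    match = IPV4_RE.search(chain[0])
    return match.group(0) if match else None


def auth_results(msg, authserv_id):
    """spf/dkim/dmarc verdicts from Authentication-Results. Only the line stamped
    with your own provider's authserv-id counts: a sender can insert a fake
    Authentication-Results header, but a compliant receiver strips incoming
    lines that claim its own id before adding the real one."""
    verdicts = {}
    for h in msg.get_all("Authentication-Results", []):
        value = _flat(h)
        if not value.startswith(authserv_id):
            continue
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def assess_note_to_self(raw_headers, own_address, authserv_id):
    """Gather the facts a recipient should check on a suspected note-to-self spoof."""
    msg = Parser(policy=policy.default).parsestr(raw_headers, headersonly=True)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    verdicts = auth_results(msg, authserv_id)
    reasons = []
    if from_addr != own_address.lower():
        reasons.append(f"From: {from_addr} is not your address (look-alike domain?)")
    if return_path and return_path.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        reasons.append(f"envelope sender {return_path} is outside the From: domain")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mech, "missing")
        if verdict != "pass":
            reasons.append(f"{mech}={verdict}")
    return {
        "from": from_addr,
        "return_path": return_path,
        "auth": verdicts,
        "originating_ip": originating_ip(msg),
        "reasons": reasons,
        "likely_spoof": bool(reasons),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_HEADERS), ("genuine", GENUINE_HEADERS)):
        print(label, assess_note_to_self(raw, "victim@example.com", "mx.example.com"))
```

Two points worth taking away from this. First, the Received: chain reads bottom-up: the relay closest to the sender writes the last line in the source, which is why the code reverses the list before looking for the originating address. Second, the spoof the post calls “sophisticated” only forges the fields you can see; it cannot forge the Authentication-Results line your own provider adds on arrival, so a DMARC failure on a message that claims to come from your own address is the clearest sign that it never left your account. The VPN caveat above still applies to the IP comparison: a note you really sent through a VPN will show the VPN’s exit address, not your home one.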

5. Delete the email and move on with your day

Once you’re confident the message is a phishing scam, flag it as spam to your email provider. After that, there’s nothing left to do but delete it and move on with your day.

Want to know more about how to protect your business from phishing scams? Check out CyberSmart Learn, our cybersecurity-focused learning management system.