Social Engineering Email Attack?

Lately I’ve been getting email on one of my unpublished email addresses. It’s the kind of fun mail that we all love, with email attachments of a mysterious nature. But what’s really mysterious is how this email address got “out in the open” to begin with.

This is the address that’s used by my contact form AND for comments out on the internet. They used to be separate, but I merged them by accident a few months ago and never switched them back. Doh. Wish I had.

  1. It’s possible this address was harvested from someone I wrote back to who hasn’t scrubbed their computer free of viruses and other malware. This is a good reminder; I should be careful of which email addresses I use for public contact. I might even use an entirely-different email account and email program for this now, but it’s probably inevitable that someone using an unsecured computer is going to have an accident.

  2. It’s possible that this address was harvested from a blog comment, if somehow that information was exposed on the back-end.

  3. Maybe there’s a security hole in my WordPress setup. The email address, though, is stored in a database which theoretically is secure, unless some kind of traffic intercept occured between me and the database. It’s not otherwise stored in any static files on my webserver.

  4. This is the most alarming thought: I may have replied to a contact email to answer what I thought was a genuine question, but it was actually a social engineering attack to harvest a return email. I just looked through the past emails I’ve received through the contact form that are the “fishiest”, and one in particular triggers several alarms. Hindsight is 20:20. It’s written as an innoculous inquiry about what I charge for design work. It could actually be a real inquiry, but as the sender hasn’t replied to my email I’m now a little suspicious. In the future I’m going to be much more discerning between what looks like a serious inquiry versus one that may not be (or something worse).


p>A marketing person I used to work once told me that a certain number of sales calls are just fishing attempts from other agencies, recruiters, other sales people, or builders of commercial databases. When someone is dangling the possibility of work on the other end of the line, we’re much more willing to extend the trust of providing our contact information. I may modify this policy and ask for the prospect to send me their contact information first, and schedule a callback if the circumstances seem a little odd.

This sucks, but at least the damage is relatively contained. It does mean, though, that I may have to retire an email address.