Don’t Fall for This Craigslist Email Recovery Scam!
While Craigslist is a popular destination for buying and selling used goods in your area, it’s also prone to a lot of scams. Since Craigslist is an open platform that doesn’t have any kind of verification, people regularly use it to rip others off.
One Craigslist scam involves an attacker trying to break into your Gmail (or other email) account. Here’s how this scam works, how to spot it, and ways you can stay safe.
How Craigslist Handles Email Addresses
By default, Craigslist uses email obfuscation to protect you and the people you contact on the service. When you click on the response button in a listing, Craigslist gives you a randomized relay address on its own domain instead of the poster's real email address.
When you send a message to this address, it goes to the actual email inbox of the person who posted the listing. They see a similar address when they respond to your message. This means you can communicate without either person having their actual address exposed.
However, this doesn’t protect anything in the body of your email, such as the contents of your signature. Many people have their email address, social media links, phone number, or other personal information in their email signatures. As a result, you could end up giving the other person more information than you intended when you respond to a Craigslist listing.
For an honest person, this isn’t a problem. But for someone who wants to take advantage of you, this could let them attack one of your accounts.
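To make the mechanism concrete, here is a small model of an anonymizing email relay and of the gap the text describes. This is an added illustration, not Craigslist's code or a description of its real implementation: the relay domain `relay.example`, the sample addresses, and the helper names (`EmailRelay`, `find_leaks`, `demo`) are all constructed for the example. The relay rewrites only the message headers, so the second function scans the body for the kind of personal data a signature typically carries, which is the check a sender would want to run before replying.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class Message:
    sender: str     # From header
    recipient: str  # To header
    body: str       # message text, including any signature


class EmailRelay:
    """Toy model of an anonymizing email relay.

    Assumption: this is a simplified illustration, not Craigslist's actual
    implementation. Each real address is mapped to a random alias on the relay
    domain; mail sent to an alias is forwarded to the real inbox with the
    sender's address replaced by the sender's own alias, so neither party sees
    the other's real address in the headers.
    """

    def __init__(self, domain: str = "relay.example"):  # constructed domain
        self.domain = domain
        self._alias_to_real: dict[str, str] = {}
        self._real_to_alias: dict[str, str] = {}

    def alias_for(self, real_address: str) -> str:
        """Return the stable alias for a real address, creating it on first use."""
        alias = self._real_to_alias.get(real_address)
        if alias is None:
            alias = f"{secrets.token_hex(8)}@{self.domain}"
            self._real_to_alias[real_address] = alias
            self._alias_to_real[alias] = real_address
        return alias

    def deliver(self, msg: Message) -> Message:
        """Forward mail addressed to an alias to the real inbox, anonymizing the sender.

        Only the headers are rewritten; the body passes through untouched.
        """
        real_recipient = self._alias_to_real[msg.recipient]
        return Message(sender=self.alias_for(msg.sender),
                       recipient=real_recipient,
                       body=msg.body)


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def find_leaks(body: str) -> dict[str, list[str]]:
    """Report email addresses and phone numbers present in the message body.

    The relay hides header addresses only; anything in the body (typically a
    signature) reaches the other party exactly as written.
    """
    return {
        "emails": EMAIL_RE.findall(body),
        "phones": [m.strip() for m in PHONE_RE.findall(body)],
    }


def demo() -> dict:
    """Walk one reply through the relay and inspect what the other side receives."""
    relay = EmailRelay()
    seller = "seller@example.org"   # constructed sample addresses
    buyer = "buyer@example.net"

    # The listing shows the buyer only the seller's alias, never the real address.
    seller_alias = relay.alias_for(seller)

    # The buyer replies through the relay; the signature carries personal data.
    reply = Message(
        sender=buyer,
        recipient=seller_alias,
        body="Is the bike still available?\n\n-- \nPat Buyer\nbuyer@example.net\n(555) 123-4567",
    )
    delivered = relay.deliver(reply)
    return {
        "seller_alias": seller_alias,
        "delivered": delivered,       # sender is now the buyer's alias
        "leaks": find_leaks(delivered.body),  # but the body still exposes them
    }


if __name__ == "__main__":
    result = demo()
    print("Seller receives From:", result["delivered"].sender)
    print("Body still contains:", result["leaks"])
```

Running `demo()` shows the point of the section: the seller receives the reply from a `relay.example` alias rather than the buyer's real address, yet `find_leaks` still pulls the buyer's email address and phone number straight out of the signature.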
How Craigslist Scammers Try to Break Into Your Email
With your email address, phone number, and possibly your name (provided by your email client), the scammer has enough info to try to reset your password. If they know your email address from your signature, they can use it on the account recovery page for your email provider.
While our example focuses on your email account, scammers could act out a similar attack on one of your social accounts, or whatever else is in your signature.
Since they don’t have your password, they’ll try to reset it. Depending on the security options you’ve set up and the recovery options on your account, the scammer will choose the option to send a recovery code to the phone number you provided in your signature, or perhaps a secondary email address.
Depending on where the scammers are located, this message may contain text in a foreign language, too. This is a telltale sign of a scam.
Now, this is where the crux of the scam comes in. After you’ve expressed interest in whatever item the person is selling, they will get back to you, claiming that they want to make sure they’re dealing with a real person because there are a lot of scammers on Craigslist.
To prove you’re real, they ask you to tell them the code that “they” sent you. If you do this, you’ve fallen for the scam. Using this code, the scammers can then reset your email password to whatever they want, locking you out of it.
If You Fall for the Craigslist Scam
If you fall for this trick, you’ll have to contact Google support (or the support for whatever email provider you use) and attempt to get your account back. But the scammer can do a lot of damage while they’re in your email account, such as resetting the passwords for other accounts, contacting your friends with fake requests for money, and similar.
You should thus let people know if this happens to you, and contact account support immediately. See our guide on recovering a hacked Gmail account for advice.
How to Protect Against Craigslist Email Scams
After reading through the above scenario, you should be aware of a few ways to keep yourself safe from schemes like this.
First, you should always examine a Craigslist listing before responding to it. Look for signs that it might not be legitimate, such as poor grammar or vague statements. It’s also a good idea to do a reverse image search to see if the images were taken from somewhere else on the internet—a strong sign it’s phony. Legitimate sellers will not use someone else’s pictures in their listing.
However, in our instance, the listed image didn’t appear in a reverse image search. It’s possible that the scammers either broke into a legitimate Craigslist account and took over the listing, or just copied the contents from another post.
Second, you should remove personal information from your email signature. To stay even safer, consider setting up a separate email address that you only use for Craigslist communications. That way, if someone tries to break into it, they won’t have access to the email account you use for everything else.
Also, keep in mind that you should never, ever provide automated recovery codes to someone who asks for them. Anyone who wants you to provide a code like this is trying to steal access to your account.
If you get a recovery code that you did not specifically ask for, someone is most likely trying to break into your account (even if they aren’t actively communicating with you, like in this situation). You should change your password for that account and keep an eye out for further alerts.
It’s a good idea to make sure you have recovery options updated for your most important accounts. If you do end up losing access, having additional trusted email addresses or phone numbers will give you more options to get it back.
Finally, you should also enable two-factor authentication (2FA) on all your accounts. This makes it harder for an unauthorized user to reset your password. Prefer a method like an authenticator app when you set up 2FA, as those are less susceptible to hijacking or social engineering than SMS or email recovery codes.
Avoid Craigslist Scams and Protect Your Email Accounts
We’ve looked at one type of Craigslist email scam that you must watch out for. Giving attackers too much info about yourself, combined with handing over an important recovery code, will lead to thieves taking over your email account. Always exercise caution when dealing with Craigslist listings, and don’t hand over sensitive account info like recovery codes to people who ask for it.
Unfortunately, these aren’t the only online scams you need to watch for.
Image Credit: Jarretera/Shutterstock