I received a cleverly spoofed email reply asking for tax information: How do I diagnose and solve the issue?

I believe my email or device was hacked: how can I verify and how can I resolve it?

Here is what happened:  

My wife sent an email to my accountant which contained a few minor bits of information, and I got a response that read (with bad grammar):

"please email me your Drivers license and 1040 from last year. I did a system update and lost many informations. thank you"

and below that was included a copy of the email text I sent to my accountant.

First, it is obvious that this is a spoof due to the bad grammar.

But, my questions are:

(1) How could a hacker manage to send me a faux reply that contained my exact original message?

(2) This email was sent from an iPad. Does that suggest my wife's email is compromised, the iPad is compromised, or both?

Christopher Schene, System Engineer/Software Engineer, Asked:

Martin Miller, CTO, Commented:
Call your accountant on the phone to confirm the email was or was not from him.

It is also possible your account's email is compromised, thus the exact reply message.

Russ Suter, Senior Software Developer, Commented:
Email is inherently insecure and can fairly easily be intercepted at any point along the line. This is probably the result of a man-in-the-middle attack. There's no reason to believe that your wife's iPad or email account is necessarily compromised. It's more likely that the compromise is on the other end where there's a much higher likelihood of catching a phish. This theory would be supported by evidence (or lack thereof) of similar spoofs from other locations.

Here are some precautions you should take:

* You should call your accountant and notify him/her.
* You should stop emailing personal info to your accountant. Actually, in general, unless you have encrypted it, you should avoid emailing personal info to anyone. As mentioned above, email is inherently insecure.
* You should change your email account password just in case.
* You might want to think about changing your WiFi password as well. This is unlikely an issue but if you're really concerned then it's a simple step to take.
* While also unlikely, taking your iPad to an Apple store and having it checked for malware couldn't hurt.

btan, Exec Consultant, Commented:
If the mail server did not flag the message as spoofed mail, then there is a high chance the email is faux, to the extent that the account is most likely compromised. Check and do turn on SPF and DKIM for the mail server.

Consider the use of 2FA access to the mail server, if supported, on a long-term basis, but meanwhile ask both to scan their machine or device for any sighting of anomalous activities and change to a strong passphrase.

Ask if both have received other similar phishing emails prior to this exchange, and if they noticed any signs of anomaly, like surfing a website that asked them to download something and they followed through, used other unknown USB drives, or opened any attachments, etc.

Mal Osborne, Alpha Geek, Commented:
Yep, looks to me like your accountant's email was hacked, not your wife's.

I would guess your accountant was fooled by a phishing attack into giving their credentials to a third party. Said third party has been trolling through the accountant's emails figuring who they can rip off. I would expect that your accountant's email system now has a mysterious rule, redirecting all of their email to a criminal somewhere.

There is a lot of this happening at this point in time.

You first need to look at the system from which the original was emailed.
Look at the full message headers of the one you received (view source of the message; this depends on where you are looking at the message).
The other possibility is that the party to whom it was emailed is infected, or your own system is infected, and the bot used a sent message of yours as a phishing ploy to gain trust, obtain information.

Another option is to double check the sent message did not go to the wrong entity.
Test send another message to the same recipient, with a slightly different message, and see if you similarly get a reply.

The full message headers and the interesting part are the Received: line.
Received: (from the server that delivered this message to your inbox)

Received: (The closest Received line to From is the one reflecting the origin of the message, i.e. the IP from which it was received by the server that added this line.)

Commonly, Received lines convey the information that the server that appends this line identified the server/IP submitting the message.

Received: from somehost ([x.x.x.x])
    by server1.somedomain.com date in GMT

If you can post the raw top portion until the first empty line from the message source, masquerading as needed the From: To: Return-Path: <if matches the From:>
This is to avoid putting your email address into the public, or that of your accountant if From: and Return-Path: reflect their email address.

Calling your accountant to advise of this might be a good idea, i.e. not to panic them, you should say that you received a response to an email the wife sent that appears to be fishy; can they confirm whether they saw the email and replied? Busy season for tax preparers may have led to an inadvertent typo. Perhaps the response was to remind that that information is needed when you come for the appointment to finalize the return...
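
An added example, not part of the original thread: one way to read the header block described above, walking the Received chain from the origin upward and comparing From: with Reply-To: and Return-Path:. It also reads the SPF/DKIM verdict from an Authentication-Results header, which is an assumption about what the receiving server records. The sample message, hosts, addresses and IPs are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: top of a raw message up to the first empty line.
# Every host, address and IP is a placeholder (example.* names, RFC 5737 ranges).
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
    by inbox.recipient.example; Tue, 12 Mar 2019 15:02:11 +0000
Authentication-Results: mx.recipient.example; spf=fail; dkim=none
Received: from somehost ([203.0.113.45])
    by mx.recipient.example; Tue, 12 Mar 2019 15:02:09 +0000
From: "Your Accountant" <accountant@firm.example>
Reply-To: accountant@firm-example.test
Subject: Re: tax documents

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain(value):
    # Domain part of an address header, lower-cased ('' if the header is missing).
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Submitting IP per hop, oldest first (servers prepend Received lines)."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        ip = IP_RE.search(" ".join(line.split()))  # unfold continuation lines
        hops.append(ip.group(1) if ip else None)
    return hops

def analyse(raw):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    from_dom = domain(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        d = domain(msg[name])
        if d and d != from_dom:
            findings.append(f"{name} domain {d} != From domain {from_dom}")
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            findings.append(f"{mech}: {m.group(1) if m else 'no result recorded'}")
    return {"origin_ip": hops[0] if hops else None, "hops": hops, "findings": findings}
```

Only the Received lines added by your own provider's servers can be trusted; anything below them is supplied by the sender. A Return-Path that differs from From: is also normal for some legitimate bulk senders, so treat each finding as something to check with the accountant by phone, not as proof.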

Christopher Schene, System Engineer/Software Engineer, Author Commented:
Thanks so much, Experts. I did notify my accountant.