Malicious Email Rules Steal Your Inbox

by Carrie Kerskie

Email rules help you manage an inbox. But they can also be used to have your incoming mail copied and sent to a third party, all without you knowing it is happening.

Email rules are found in the settings of your email provider. They work on the if-then principle: if this happens, then do this. For example, you could create an email rule that moves incoming emails from a specific contact into a specific folder. However, criminals are inserting email rules that instruct your email provider to send a copy of all of your incoming email to them or to a third party.

How does this happen? Typically, it begins when you receive a phishing email from someone you know. In the email is a link or an attachment. When you click on either one, a fake email login screen appears. Entering your login credentials enables the criminal to install the new email rule or rules.

Often, there is a second rule that says to move all mail from the contact, the person that supposedly sent you the email, to the archive folder. This is done to prevent you from seeing any email from this contact, which lessens the chance that the contact can warn you about the scam.

Your best defense is to never click on a link or open an attachment in an unsolicited or unexpected email. If you receive an email with a link or attachment, contact the sender, preferably by phone, and confirm that person sent the email. If you are unable to call the person, forward the email to him or her. Do NOT reply to the email, as you could be replying to the criminal.

When in doubt, do not click. Simply delete the email.

To see if you’ve already been infected, check for email rules in the settings for your email provider. If you see any that you, or your IT department, didn’t set up, delete them. It’s a good idea to periodically check the settings as this malicious phishing scam is impossible to detect otherwise.
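As an added example (not part of the original article), the periodic review described above can be scripted once your rules are written out as a list. The rule format, field names, addresses and the `audit_rules` function are assumptions constructed for illustration, not any email provider's real schema; besides the archive move the article describes, it also treats deletion and trash or junk moves as hiding.

```python
# Constructed sample rules in a provider-neutral format (hypothetical field names).
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": "news@shop.example"},
     "actions": {"move_to": "Newsletters"}},
    {"name": "Sync", "conditions": {},
     "actions": {"forward_to": ["collector@mailbox.example"]}},
    {"name": "Contacts", "conditions": {"from": "pat@partner.example"},
     "actions": {"move_to": "Archive", "mark_read": True}},
    {"name": "To assistant", "conditions": {"subject_contains": "invoice"},
     "actions": {"forward_to": ["assistant@corp.example"]}},
]

# Folders where a moved message is unlikely to be seen by the mailbox owner.
HIDING_FOLDERS = {"archive", "trash", "deleted items", "junk"}


def domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, own_domains):
    """Return (rule name, reason) pairs for the two patterns the article describes."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        cond = rule.get("conditions") or {}
        act = rule.get("actions") or {}

        # Pattern 1: mail copied to an address outside your own domains.
        targets = act.get("forward_to", []) + act.get("redirect_to", [])
        external = [a for a in targets if domain(a) not in own]
        if external:
            scope = "all incoming mail" if not cond else "matching mail"
            findings.append(
                (rule["name"], f"copies {scope} to outside address {', '.join(external)}"))

        # Pattern 2: mail from one sender moved out of sight or deleted.
        folder = str(act.get("move_to", "")).lower()
        if cond.get("from") and (folder in HIDING_FOLDERS or act.get("delete")):
            findings.append((rule["name"], f"hides mail from {cond['from']}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, {"corp.example"}):
        print(f"REVIEW rule '{name}': {reason}")
```

Any rule it reports still needs a human decision: confirm with whoever manages your email whether the rule was set up on purpose before deleting it.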

If you have questions or would like assistance, contact Kerskie Group at 239-435-9111 or

Carrie Kerskie is a professional speaker on cyber awareness culture and identity fraud. She’s the president of Kerskie Group, providing white-glove identity fraud restoration and risk management for high-net-worth families and individuals. Carrie is also a member of the Collier Identity Fraud Awareness Community Task Force.
