Phishing is a cyberattack in which the target is contacted by a threat actor impersonating a trusted individual or entity. There are several types of these attacks, but email phishing is by far the most common one.

In a typical email phishing attempt, you receive a message from what appears to be a legitimate entity urging you to take action; for example, to change your password or sign into an account. If you fall for the scam, the attacker obtains your personal information. One such scam has been targeting Yahoo Mail users.

What Is the Yahoo Mail Service Scam?

In this phishing scam, the threat actor contacts a victim, claiming to represent the Yahoo Service Team. The email says that all "old versions" of Yahoo Mail accounts will be closed soon, and urges the victim to click the Sign-in to Yahoo button and log into their account so as to avoid "service interruption." Unless they do this, they will be "locked out permanently," the message stresses.

To really understand what the scammer is trying to accomplish here, let's break down the email and parse the language. For a start, the threat actor is repeatedly creating a sense of urgency in order to convince the target to click the link. Nobody wants to lose access to their email, so this social engineering technique makes perfect sense, as rudimentary as it may seem.

The "protect by Yahoo!" logo, as well as the login button, look rather convincing—there's hardly any difference between the images this scammer used and the company's real logo. The color scheme is the same, the font very similar, and Protect by Yahoo is an actual service Yahoo offers to its customers.

Screenshot of a Yahoo phishing email

Also note that the threat actor is not using a naked URL, because that would make it obvious that the link does not lead to an official Yahoo page. Instead, they are disguising the phishing URL with a fake sign-in button.

What's more, Yahoo does actually issue similar notices on occasion. The company often reminds users that it closes inactive accounts, or email accounts that haven't been used for more than 12 months. Clearly, this particular threat actor is aware of the practice and counts on the target being familiar with it to carry out the attack.

So, where exactly does this link lead to? It redirects the victim to a page closely resembling the standard Yahoo Mail sign-in site. If you were to enter your email and password there, the threat actor would steal your information and use it to log in to your account.

After gaining access to your email, the threat actor could do any number of things, including compromising connected accounts and stealing your personal information. They could also blackmail you, or simply use your address to launch other phishing and malware attacks. The possibilities are endless.

So, the scammer wrote an email free of grammatical and spelling errors, created a sense of urgency using vaguely threatening language, referenced services Yahoo actually offers, and included company imagery in their message, which was short and straight to the point. But they also made some missteps.

How Does the Yahoo Mail Phishing Attack Work?

To a tech-savvy person, this email probably screams "phishing", but it's easy to imagine someone older, who is not that great with technology, clicking the link. Besides, a person who knows what to look for would immediately notice that the email came not from Yahoo, but from a random AOL email address.

Googling the email address the scammer used, "avakiener@aol.com", produces only a couple of results. However, testing the email with Have I Been Pwned? shows that it was "pwned" in 18 data breaches. This strongly suggests that the phishing email did not come from whoever the original owner of that email account is or was, but from a threat actor who obtained access to it after one of those 18 breaches.

Screenshot of a have I been pwned result seen on purple background

We can only speculate as to how the cybercriminal might have gained access to this email, if that is indeed what happened. For example, it is possible that they purchased the credentials on a dark web marketplace, or simply broke into the account somehow because the original owner failed to use a secure password.

Still, in many ways, the scam was well-executed. For example, several online tools that analyze links and check if they're safe found no issues with it. However, VirusTotal did: two security vendors, Avira and Webroot, flagged the link as malicious and described it as a phishing scam.

VirusTotal is very useful in these situations, since it inspects links with more than 70 scanners. Using this tool, you can also check whether a file you downloaded is safe, instead of launching it and finding out yourself. You should never launch a file unless you are 100 percent confident it came from a trusted source.

Virus Total screenshot seen on purple background

There are other ways to check where a link leads to without clicking it. For example, you can use a tool called Screenshot Machine. As the name suggests, Screenshot Machine takes screenshots of web pages, so all you need to do is copy and paste a suspicious link, and then press Enter.

If you're on a computer, another simple way to check out a link is to hover over it with the mouse pointer. This way, you will find out where the link actually goes without clicking it. If you were to do that with the link this threat actor emailed, you would quickly realize that it does not actually lead to Yahoo's sign-in page.
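The two manual checks described above, who really sent the message and where the sign-in button really points, can also be done programmatically on a saved message. The Python below is an added example, not part of the original article; the trusted-domain list, the sender address and the link host in the sample are constructed placeholders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("yahoo.com",)  # assumption: domains accepted as genuinely Yahoo

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):  # collects (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def analyze(raw):
    """Return findings for a raw message that presents itself as Yahoo."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    findings = []
    if "yahoo" in sender.display_name.lower() and not is_trusted(sender.domain):
        findings.append(f"sender claims Yahoo but mail is from {sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    for text, href in parser.links:
        host = urlsplit(href).hostname  # the "hover" check: real destination
        if "yahoo" in text.lower() and not is_trusted(host):
            findings.append(f"link '{text}' actually goes to {host}")
    return findings

# Constructed sample: sender address and link host are placeholders.
SAMPLE = """From: Yahoo Service Team <constructed-sender@aol.com>
Content-Type: text/html

<a href="https://signin.phish.example/login"><b>Sign-in to Yahoo</b></a>
<a href="https://help.yahoo.com/">Yahoo Help</a>
"""
if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

The suffix match in `is_trusted` is deliberate: a host such as `yahoo.com.phish.example` contains the brand name but is not a Yahoo domain, so it is still reported.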

How to Report the Yahoo Mail Upgrade Scam

If you receive an email claiming you need to update your Yahoo account, you can safely assume you're not the only person the scammers are targeting. In fact, it's more than likely thousands of people have received the same fake Yahoo Mail upgrade notice, which is why you should consider filing a report. Here's how to do that.

If the scam email came from a Yahoo Mail address, you can report the perpetrator to Yahoo. To do that, visit the Yahoo Help Central, and navigate to "report it to Yahoo directly." Once you click the hyperlinked text, a new page will load, displaying a short form. Fill this out, describe the scam, and make sure you provide the Yahoo ID of the person or account you're reporting (the ID is the part before "@" in their email address).

In case the fake Yahoo Mail upgrade warning came from an address associated with a different provider (e.g. Gmail, Outlook), you can report it by marking it as spam. The "Spam" button will be located right above the message itself, so you should have no issue spotting it. Once the pop-up appears, click the "Report as Spam" button.


And if you have a few spare moments, consider reporting the scammer's website as well. Obviously, you should not visit the page, but you can copy the link and submit a report to a relevant authority, be it a government agency, a hosting provider, or a consumer protection organization.

You should also keep in mind that other email providers, and not just Yahoo, are being targeted with fake upgrade scams. As PC Risk reported in March 2023, these scams have become particularly prevalent in recent years. However, they are all alike, so if you learn how to spot one, you'll probably be able to recognize them all.

Protect Yourself Against Phishing

Phishing attacks may be common, but there are ways to protect yourself from them.

Never click on suspicious links, inspect every link from an unknown email address, always check where an email came from, use two-factor authentication, and have strong anti-malware protection installed on every device you use.

Yahoo Mail is one of the most popular email services out there, and it is relatively safe, just like Gmail, Outlook, and others. Still, if you care about cybersecurity and privacy, you should strongly consider switching to an encrypted email provider.