Account Security - Two Phishing Emails

Have now twice received troubling emails ostensibly from WYZE regarding payment for “Person Detection Monthly” ending 6/12 displaying “failed” credit digits for a card I do not have. More troubling, it was sent to an email address that is an alias I set up in 2018 with my first of many WYZE purchases. My support contact reply after logging in asked me to confirm I am a WYZE owner / member which leads me to assume their support is outsourced since it would have taken a second to verify me from the email which I have ONLY used with WYZE, period. I am not coder but have saved original html and am waiting for my mail-only ISP to investigate the message first. MFA? Of course along with VPN.

Welcome to the forums! Thanks for the report. Can I get your support ticket number so I can send it up some channels to make sure they are aware of this report?

Last time I was in a “forum” was a BBS 30 years ago. For now, Tony, I want to see how this plays out with support and the wonks at my mail-only ISP. I have relied on email aliases for three decades, way before MFA, Authenticator or Yubi Keys. The only place my email could be found is at WYZE. Ciao!

Using the only phone line in the house to call up BBS’s back in the day made me the man I am today. The “beeeedoooochhhhhh” is engrained in my head for eternity. Please do update the thread here with anything that is found out! Thanks in advance!

2 Likes

As I read the original message, it sounds like this was a straight phishing attempt. Unfortunately the bots that are originating most of those are quite good at making it look legit… As far as your belief that the only way it could have gotten your E-Mail address alias being used was from Wyze - WRONG! There are lots of ways that addresses can be found. On the simple end is simple brute force. I have run my own mail server for many years. It’s sometimes entertaining to look at error reports and logs from the server of brute force attempts. I have watched hundreds or thousands of attempts to send E-Mail to semi-random account names. Brute force is just one of may ways that E-Mail addresses are found.

The more concerning part of the original message is that it sounds like you either replied to this message or clicked on a link in the message and logged in - providing the bot with your log on credentials. NEVER EVER respond to an E-Mail that wants you to log on to some website to verify information, or even respond to an E-Mail confirming information unless it is totally expected. For example, if you are creating an account that links to your E-Mail address and the account creation page tells you that it is going to send an E-Mail to the address to verify the address - and ten seconds later you get an E-Mail from the entity, asking to confirm receipt, it’s likely legit. But if let’s say you are a Bank of America customer and you get an E-Mail that appears to be from BofA asking you to click some link - DON’T! Instead, bring up your browser and manually go to Bandkofamerica.com (or use a saved bookmark).

If you did click a link and provide your log in credentials, immediately go to wyzecam.com and change your password. Yes, it’s a pain in the backside, but do it.

1 Like

Thanks for taking the time to reply. I believe I am in the top percentile of personal email users when it comes to security and best practices and have been for a couple of decades. Of course I did not open/click the link but did display the entire raw message in html (I only read or send email as plain text) and could not in my limited ken see whether it came from WYZE or from one other entities (dotcoms) I saw in it that might or might not have been spoofed. The last sending IP (which I don’t think can be spoofed) showed it coming from 167.89.104.142 which is Twilio.com and Sendgrid. Are they WYZE’s email provider? I have no idea why they are. Above the IP I see bounces going to an entity named, “recursive.com.” Even if someone tried to brute forcing my WYZE account after 10, or 500 tries would WYZE not have gotten wise and warned me? And even if I were dumb enough to click through on a phishing email the scammer would not get much. I use unique email aliases tied to unique passwords, in addition to MFA, and virtual credit cards tied only to that one online entity. Until I hear from WYZE support (which I so far find lacking) and also my mail-only ISP with their forensic analysis of the message I continue to worry that the account data was purloined. Maybe only my email went out the door? So far I have not been pawned but was I WYZED – or just brute forced but, if, so, where?

You understand of course that there are many people who blindly click links in E-Mails - hence my warnings.

This was ironic because of the presumably accidental typo in the URL.

I suspect the OP’s messages were legitimate. There have been past reports of Wyze mistakenly using older credentials / addresses for accounts and subscriptions. It is rather unlikely that a single use address on a personal domain (e.g., wyzeaccount@mydomain.example.com) would be properly phished.

Since 2018 the email alias I created to use with WYZE has not changed. I too doubt it has been phished. I assume the password has been regularly changed. If phishers had it I would not have gotten the emails but they would have gotten nothing except an email login and a password usable only on WYZE You’ve underscored my curiosity. Hope someone looks at the IP address I posted, entities mentioned, to see if any of this can be figured out and if WYZE customer data has been compromised, at least in my case. BTW, what is, “OP” in your, "OP’s messages were legitimate?

“Original Poster”.

1 Like

You probably signed up for name your price person detection and they’ve been billing an old card you had on file from when you first started dealing with Wyze. If you still have the cameras it would make no sense for anyone else to be buying person detection on your account. I’m pretty sure this is an innocent billing mistake.

2 Likes

I told you my last forum was a BBS. Thanks.

FULL STOP! SOLVED and you are right. When I use virtual credit cards the issuer’s database does not retain, in my account, a list of cards used and “cancelled.” Additionally, the ExtHDD I use for Time Machine with my MacPro had a problem and needed to spend 18 hours rebuilding a brand new database two weeks, so I had no access to dated lists I keep with virtual cards on it, otherwise I would have known the email is legit. I must have seen the initial “pay what you want,” thought it was goofy and only applied a virtual card for it in October and then, just never wanted to use it and I let the card expire.
Now my only complaint is…their customer service is lacking. Someone could have replied the day after my inquiry that this was the case. Stand down everyone and thanks for the input.

5 Likes

Great. You can mark my or your post as “Solution”.

3 Likes

wowsers. glad you got this figured out.