This morning I saw this e-mail from Wish (firstname.lastname@example.org):
I checked the email headers on this message and this message is really from Wish. So the email message itself seems legit. But the contents of this message is really doubtfull, I’ll explain.
Let’s be clear, I do have an account at Wish. But the account mentioned at from with the .com, is not my email address for this account. This message is sent to one of my email adresses, but it is not the email address I use for my own Wish account.
So what I’ve done is doing exactly what this message said at the bottom, report that I did not request an email change.
But I keep wondering, what is the goal of the person behind this action?
- So someone makes an account with an email address, we call this the original email address
- Tries to change it to someone else’s email address, we call this the victim’s email address
- According to the message the person behind this only has to confirm this email change on his original email address.
- When I search on these cases via Google, I find that the support of Wish is slow or not responding. If that is true, the person will get away with changing a Wish account to one of my email adresses. Nothing I can do myself to stop this.
Now what would be the next step for the person behind this? I’m a bit lost on it, so this may unfold in the near future.
If I take a stab at this, I think the person is hoping I have a Wish account on the email address he wants to change it to. In the hopes he/she can take over my Wish account, with some payment provider details in it so he/she can use these for further phishing attempts?
Or just orders stuff on Wish, and the purchase will be charged on me by Wish?
I’m really curious what will happen.
01-11-2020: nothing happened yet. Also no reply from Wish.