What is phishing?
A phishing attack is when a scammer sends you an email claiming to be from Pobox (or another company you may have a relationship with). The emails are designed to look legitimate, and they attempt to trick you into sharing your login details or installing malware on your computer.
A common phishing tactic is to warn that your "account will be closed" unless you click a link in the email. The link then takes you to a site that may look like the Pobox website, but is not the real Pobox website. If you try to log in at this link, your password is now known to the attacker.
Genuine mail from Pobox is sent from email@example.com or firstname.lastname@example.org. We will never send an email asking you for your password.
Recognizing a phishing email
There are a number of traits you can look for to help recognize phishing emails:
Links to login pages. If you click a link in an email and it takes you to a login page, stop! Carefully check that the URL in the address bar of your browser is what you expect it to be, even if the page itself looks identical to the normal website. It is very easy for an attacker to replicate the look and contents of a website.
If you click a link and it looks like you're at the Pobox login page, stop and look at the URL. Does it show a padlock and start with https://www.pobox.com/login? If not, you are about to send your password to an attacker. Close the tab or window, then report the email as phishing (see the section How do I report phishing emails? for details).
Spelling and bad grammar. Messages from reputable companies, including Pobox, are generally checked carefully by copy editors to ensure the message is professional and error-free. Be wary of emails with excessive spelling mistakes or grammatical errors.
Pending messages or urgent warnings. Beware of urgent warnings such as "your account will be closed" or "pending messages". If in doubt, contact the supposed sender of the message through another channel to verify the message's authenticity. If you are unsure whether a message claiming to be from Pobox is legitimate, you can submit a ticket to our support team for confirmation.
How do I report phishing emails?
Pobox Basic and Plus accounts: If you receive a phishing message, please report it by sending it as an attachment to email@example.com.
Mailstore accounts: You can report phishing messages directly in the webmail interface or in the Fastmail app. To do this, click the Actions drop-down menu in the corner of the message, then click Report Phishing.
If enough users report an email as phishing, this will help prevent other users from receiving messages from the attacker.
What happens if I fall victim to a phishing scam?
If you're concerned that your account may have been compromised, please reset your password by going to www.pobox.com/login/nopw.
If you fall victim to a phishing scam without realizing it, it is likely that the attacker will start using your account to send spam. In most cases, we will detect this and revoke your account’s sending rights (SMTP). If this happens, you will get a message telling you that your SMTP has been revoked. You will need to update your password and submit a ticket to our support team in order for us to restore your SMTP access.
What else can I do to stay secure?
Set up two-step verification. We recommend enabling two-step verification (2FA) as an added layer of account security, if you haven't done so already. For instructions on how to configure 2FA, please go to our instructions for setting up Two-Step Verification.
Use a password manager. A password manager saves your password so you don't have to remember it, which makes it easier to use a different password for every site. This is helpful because password reuse is the second most common way attackers manage to steal credentials to a Pobox account. The password manager can even generate a complicated password for you so it's completely unguessable. Most importantly, a password manager will not be fooled by a website pretending to be Pobox or any other site. If the URL is different, it will not fill in the password. We recommend 1Password, LastPass or KeePass.
Double check the site address before typing your password. Try to get into the habit of always looking at the address bar before you type in your password. If it doesn't start with https://www.pobox.com/login, you're not at a Pobox login page, and you should close the browser window immediately.
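The address check described above, and the reason a password manager refuses to fill in a password on a lookalike site, both come down to comparing the parsed origin of the URL rather than looking for the company name somewhere in it. The following is an added example, not Pobox code: the function names are hypothetical and the sample URLs are constructed, using the reserved login.example domain for the lookalikes.

```javascript
// Added example (not Pobox code). The expected origin and path come from the page text.
const EXPECTED_ORIGIN = "https://www.pobox.com";
const EXPECTED_PATH = "/login";

// Strict check: parse the URL and compare scheme + host + port as one origin,
// the way a password manager decides whether to autofill.
function checkLoginUrl(candidate) {
  let url;
  try {
    url = new URL(candidate); // normalizes case and default ports
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // Anything before "@" is login data, not the host.
    return { ok: false, reason: "embedded credentials before the host" };
  }
  if (url.origin !== EXPECTED_ORIGIN) {
    return { ok: false, reason: `origin is ${url.origin}` };
  }
  if (url.pathname !== EXPECTED_PATH && !url.pathname.startsWith(EXPECTED_PATH + "/")) {
    return { ok: false, reason: "unexpected path" };
  }
  return { ok: true, reason: "origin matches" };
}

// Naive check for comparison: "the address contains the real site name".
function naiveCheck(candidate) {
  return candidate.includes("www.pobox.com");
}

// Constructed sample addresses.
const SAMPLES = [
  "https://www.pobox.com/login",
  "HTTPS://WWW.POBOX.COM/login",
  "http://www.pobox.com/login",
  "https://www.pobox.com.login.example/login",
  "https://www.pobox.com@login.example/login",
  "https://login.example/www.pobox.com/login",
];

for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`${r.ok ? "FILL " : "BLOCK"} naive=${naiveCheck(s)} ${s} (${r.reason})`);
}
```

Every lookalike passes the naive check because the real site name appears somewhere in the address, while the strict check accepts only the two addresses whose parsed origin is https://www.pobox.com.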