I received email from a friend of several decades.
I knew it was bogus because he hasn’t touched a keyboard in years.
His wife might use that account with others, but she doesn’t send email to me.
They both used this one account, back in the days when that was a popular thing to do.

The email was an innocuous little fishing, from a recognized address.
It was “signed” by my friend.

I replied.

The next reply in the thread was from a slightly misspelled rendition of the name, now @aol.com instead of @verizon.net.

“My friend” is having trouble buying a Google Play Gift Card for his niece.

miserable cretins.

I don’t know if their email has actually been hacked, or if this is purely a spoof.
I let her know via Facebook.

Does anyone care about this sort of thing, or should I just carry on?

If the Sender or From address was forged, and if it was an aol or verizon or other big provider address, then our software should have found a missing digital signature in the headers and classified it as spam. If you have the time and motivation to send the complete email with headers to support‍@rahul.net, I can look for reasons why it was not flagged in some manner.

But this type of phishing is common, so catching it via automated means is the only good option.

Also if you forward it as an attachment to spamtrap‍@rahul.net it will help the system learn.

I think the account was actually hacked, so this isn’t a spoof.

Other Contacts in their list received the same email.
She said she logged in to her Verizon.net account and there were no contacts.
All incoming mail went directly to trash.

I will send two eml files to spamtrap.