The 'Check Failed Messages' email scam is a phishing campaign that impersonates legitimate messaging platforms or email service providers to trick recipients into revealing their login credentials. These fraudulent emails typically warn users about supposedly failed message deliveries or claim that important communications are being held in a queue, creating artificial urgency to bypass critical thinking. The scam primarily targets email credentials but may also harvest other personal information entered on convincing fake login pages.
Unlike malware that infects your computer directly, this threat operates through social engineering—manipulating human psychology rather than exploiting technical vulnerabilities. Victims who fall for the scam hand over their credentials voluntarily, believing they're logging into a legitimate service. Once attackers gain access to email accounts, they can use them for further phishing campaigns, identity theft, financial fraud, or accessing other accounts through password reset mechanisms.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Type | Phishing scam, credential harvesting, social engineering attack |
| Aliases | Failed Messages phishing, Message Delivery scam, Pending Messages phish |
| Primary Target | Email account credentials (username and password) |
| Distribution Method | Spam email campaigns with spoofed sender addresses |
| Typical Sender Spoofing | Microsoft, Google, Yahoo, workplace IT departments, messaging platforms |
| Attack Vector | Embedded links to fake login pages designed to mimic legitimate services |
| Secondary Risks | Account takeover, identity theft, secondary phishing attacks, business email compromise |
| Technical Infection | None—operates through credential theft rather than system infection |
| Detection Difficulty | Moderate—emails may bypass spam filters if well-crafted; fake pages can appear convincing |
| Removal Complexity | N/A for system infection; requires password changes and account security review |
| Regional Focus | Global campaigns with variants targeting specific languages and regions |
| First Documented | This specific variant circa 2019-2020; general tactic used for decades |
How It Spreads
The 'Check Failed Messages' scam spreads exclusively through email, with attackers sending bulk spam campaigns to thousands or millions of addresses obtained from data breaches, web scraping, or purchased lists. The emails are carefully crafted to appear legitimate, often using logos, formatting, and language that mimics real notifications from Microsoft Outlook, Gmail, Yahoo Mail, or corporate email systems. The subject lines create urgency: "Action Required: Failed Message Delivery," "Your messages are pending," or "Undelivered mail—verify your account."
What makes these scams effective is their exploitation of routine email anxiety. Most people receive legitimate service notifications regularly, and the fear of missing important communications can override caution. The emails typically arrive during business hours when recipients are busy and more likely to click reflexively. Some variants even reference real contacts or recent activities, suggesting the attackers have partial information about their targets from previous data breaches.
Distribution vectors and characteristics include:
- Mass spam campaigns: Millions of generic emails sent to harvested address lists, hoping a small percentage will bite
- Targeted spear-phishing: More sophisticated versions that reference specific companies, projects, or contacts to increase credibility
- Spoofed sender addresses: The "From" field appears to show legitimate domains like microsoft.com or your own company's domain through email header manipulation
- Compromised email accounts: Previously-hacked accounts used to send scams to the victim's contact list, leveraging existing trust relationships
- Mobile-first targeting: Emails designed to look most convincing on smartphones where scrutiny is lower and address bars are less visible
- Domain typosquatting: Links that go to microsoftonline-login.com or similar domains that look legitimate at a glance
- Seasonal waves: Increased campaigns during busy periods (tax season, holidays, back-to-school) when people expect more communications
What It Does On Your Machine
The 'Check Failed Messages' scam doesn't actually install malware on your computer in the traditional sense—there's no virus file to find, no registry modifications, no persistent processes. Instead, it operates entirely through deception. When you click the link in the scam email, you're taken to a fake login page that looks nearly identical to a legitimate service. This page is designed for one purpose: to capture whatever credentials you type and send them to the attackers' server.
The fake login pages are often surprisingly sophisticated. They may include working dropdown menus, correct branding, SSL certificates (yes, that padlock icon doesn't guarantee legitimacy—it only means the connection is encrypted), and even error messages if you type the wrong password. Some will actually forward you to the real service after stealing your credentials so you don't realize anything happened. The page might be hosted on a compromised legitimate website, making the URL appear more trustworthy, or on a newly-registered domain that mimics the real service with subtle misspellings.
Once attackers have your email credentials, the damage extends far beyond that single account. Email is the master key to your digital life—most password reset functions send recovery links to your email address. Attackers immediately check for access to financial accounts, social media, work systems, and online shopping accounts. They search your email history for sensitive information like tax documents, bank statements, or conversations containing personally identifiable information. They may set up email forwarding rules to silently receive copies of all your future emails while you remain unaware of the breach.
From a technical forensics perspective, if you entered your credentials, you might observe these behavioral indicators:
Manual Removal — Step by Step
Since this is a phishing scam rather than traditional malware, "removal" means securing your accounts and preventing ongoing damage. Act quickly—every hour that passes gives attackers more time to exploit your credentials.
Change Your Email Password Immediately
Do this from a device you trust (not a public computer). Go directly to your email provider's website by typing the URL yourself—don't click any links. Choose a strong, unique password you've never used before. If you're locked out because attackers changed it, use the account recovery process immediately.
Enable Two-Factor Authentication
Add an extra security layer so passwords alone aren't enough for account access. Use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS when possible, as text messages can be intercepted. This prevents attackers from accessing your account even if they have your password.
Review and Remove Email Forwarding Rules
Attackers often set up rules to forward copies of all your incoming mail to themselves. In your email settings, check for any forwarding addresses, filters, or rules you didn't create. Delete anything suspicious. Look for rules that auto-delete certain messages—attackers use these to hide security alerts.
Check Account Recovery Settings
Verify your recovery phone number and alternate email address are still correct. Attackers change these to maintain access even after you change your password. Remove any recovery options you don't recognize. Update your security questions if the service offers them.
Review Recent Account Activity
Most email services offer an activity log showing recent logins with IP addresses and locations. Look for access from unfamiliar locations or at times when you weren't online. If you see suspicious activity, your account was definitely compromised. Some services let you sign out all other sessions remotely.
Change Passwords on Related Accounts
If you used the same password anywhere else, change those immediately. Prioritize financial accounts, work accounts, and social media. Attackers specifically search compromised emails for password reset messages to identify other accounts. Use unique passwords for every important account.
Scan Your Computer for Malware
While the scam itself isn't malware, it's good practice to verify nothing else got installed. Run a full scan with Malwarebytes (free version is fine) or Windows Defender. Some phishing campaigns include actual malware downloads as a secondary payload, though the 'Check Failed Messages' variant typically doesn't.
Alert Your Contacts
If attackers accessed your account, they may have sent scam messages to your contact list. Send a brief warning that your account was compromised and that people should ignore any suspicious messages appearing to come from you. This helps prevent the scam from spreading through your trusted relationships.
Monitor Financial Accounts
Check bank statements, credit card transactions, and investment accounts for unauthorized activity. Attackers work quickly—fraudulent charges can appear within hours. Consider placing a fraud alert on your credit reports with the three major bureaus. This is especially critical if your email contained financial documents or account numbers.
Document Everything
Save copies of the phishing email (including full headers), take screenshots of the fake login page if it's still accessible, and note any suspicious account activity. This documentation helps if you need to file a police report or dispute fraudulent charges. It also helps law enforcement track these campaigns.
Prevention
- Inspect sender addresses carefully. The display name might say "Microsoft Team" but the actual address could be random@suspiciousdomain.com. Click or tap on the sender name to reveal the full address. Legitimate services send notifications from consistent, official domains.
- Never click email links for sensitive accounts. When you receive a security notification, open your browser and manually type the website address. Bookmark your frequently-used services and use those bookmarks rather than clicking email links. This simple habit defeats nearly all phishing attempts.
- Verify urgency claims independently. Scammers rely on panic to bypass skepticism. If an email says your account will close or messages are stuck, go directly to the service (not through the email link) and check your actual account. Real problems will be visible there too.
- Use a password manager. Tools like Bitwarden, 1Password, or LastPass generate unique passwords for every site and only auto-fill on legitimate domains. If your password manager doesn't recognize the site, that's a warning sign. This prevents using weak or repeated passwords that amplify damage when one account is compromised.
- Enable two-factor authentication everywhere possible. This single step prevents most account takeovers even if your password is stolen. Prioritize 2FA for email, banking, social media, and work accounts. Prefer authenticator apps over SMS when given the choice.
- Keep your computer and browser updated. Modern browsers include phishing detection that blocks known scam sites. Windows Defender SmartScreen, Google Safe Browsing, and similar features work only if you install updates. Enable automatic updates rather than postponing them.
- Watch for red flags in email content. Generic greetings ("Dear User" instead of your name), spelling errors, mismatched logos, and artificial urgency are classic warning signs. Legitimate companies include your name and account details you can verify. They never ask you to "confirm" credentials via email links.
- Use email filtering and anti-phishing tools. Enable your email provider's spam filters at their highest effective setting. Consider third-party security tools that analyze links before you click them. Many antivirus suites include browser protection that warns about phishing attempts.
Bring It In
If you've fallen victim to the 'Check Failed Messages' scam or any other phishing attack, the immediate password changes and account reviews are critical first steps you can do yourself. But comprehensive recovery goes deeper—checking for secondary infections, securing all related accounts, reviewing system logs for evidence of data theft, and implementing proper safeguards against future attacks. That's where professional help makes the difference between patching one hole and actually securing your digital life.
At Computer Repair Roswell, we've helped hundreds of Roswell-area residents and business owners recover from phishing attacks and secure their systems against future threats. We'll audit your accounts for signs of ongoing compromise, implement proper security measures including password management and 2FA, and educate you on recognizing threats before you click. Don't gamble with your financial accounts, business data, or personal information. Call us at (770) 428-9777 or stop by our Roswell shop today. Let's make sure this incident doesn't become a recurring nightmare.