I got one too—to verify my email. Except, it was sent to an email account that isn’t associated with NCSoft in any way, so my initial thought was phishing.
The links do appear to be legit, so perhaps someone is trying to create an NCsoft account with this email account? If that is the case, NCSoft should specify that an account was created, and give a way to contact someone to cancel. As is, the option is to provide the email and name as a way of verification on the next log in—other information that could be harvested.
It looks extremely dubious to me. The only way to tell for sure would be to look at the e-mail source and see where the links actually go (or hover your mouse over that link and see where it goes, and I can almost guarantee it won’t be where it claims it does).
Edit: The only time you should get an e-mail asking to verify an e-mail address is if you are on a webpage that says it has just sent you an e-mail to verify your e-mail address and I assume that isn’t the case here.
Why make sense, when it’s so much more fun to make nonsense?
That looks extremely fake to me. In fact, I’ve gotten one similar for a non existent Chase bank account recently. It said, if I didn’t do what they requested in 24 hours, my bank account would be required to renter my information when I next accessed it.
They have already said that they don’t contact you first. If they do contact you first about something, such as information they’re sending you, it doesn’t have links.
Passwords changed, scans were done immediately on getting the email.
The source and links do appear legitimate. The root domains, etc. are all from NCSoft. One “flag” for me is the email referenced the “UK” version of the site, and I’m in the US.
Yes, no requests were made that would have triggered an email verification. Oh well, I’ll chalk it up to some random confluence of the right characters, and just watch things.
I got one too a few hours after you, seems fully legit also, but not enough to make me click.
Edit When I logged onto ncsoft manually, they required an email verify. The GW2 site did not require this.
Delivered-To: xxx@xxx.com
Received: by 10.202.202.135 with SMTP id a129csp94001oig;
Sun, 10 Aug 2014 15:26:44 -0700 (PDT)
X-Received: by 10.224.55.131 with SMTP id u3mr57644479qag.98.1407709604561;
Sun, 10 Aug 2014 15:26:44 -0700 (PDT)
Return-Path: <support@ncsoft.com>
Received: from ncwedge99.us.ncsoft.com (ncwedge99.us.ncsoft.com. [64.25.34.37])
by mx.google.com with ESMTP id h65si18954235qgf.82.2014.08.10.15.26.44
for <xxx@xxx.com>;
Sun, 10 Aug 2014 15:26:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@ncsoft.com designates 64.25.34.37 as permitted sender) client-ip=64.25.34.37;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of support@ncsoft.com designates 64.25.34.37 as permitted sender) smtp.mail=support@ncsoft.com
Received: from ikgpcxxxlbe001v.serv.pci.idc (pcibacklive.serv.pci.idc [172.30.206.138])
by ncwedge99.us.ncsoft.com (Postfix) with ESMTP id 84ED116B8AE
for <xxx@xxx.com>; Sun, 10 Aug 2014 22:16:47 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by ikgpcxxxlbe001v.serv.pci.idc (Postfix) with ESMTP id 711354886CB
for <xxx@xxx.com>; Sun, 10 Aug 2014 22:16:47 +0000 (UTC)
To: xxx@xxx.com
From: NCSOFT Support <support@ncsoft.com>
Subject: =?iso-8859-1?q?Verify=20Your=20Email=20Address?=
Date: Sun, 10 Aug 2014 22:16:47 +0000
X-Mailer: Perl script “mailer.pl”
using Mail::Sender 0.8.10 by Jenda Krynicky, Czechlands
running on localhost.localdomain (127.0.0.1)
under account ""
Message-ID: <20140810_221647_018019.support@ncsoft.com>
MIME-Version: 1.0
Content-type: multipart/mixed;
boundary="--NC-EMAIL-BOUNDARY—"
Received: from ncwedge99.us.ncsoft.com (ncwedge99.us.ncsoft.com. [64.25.34.37])
by mx.google.com with ESMTP id h65si18954235qgf.82.2014.08.10.15.26.44
for <xxx@xxx.com>;
I think best practices is to never, never, never click on a link in an email that asks for your password, your game id, or your email address if you didn’t specifically ask for it (like asking for a password reset). If you didn’t ask for it, it can’t be that important. However, if you do get one, change your game password, and your email password, because it means that you might be compromised.
Also, to be honest, and I dunno if it’s the compression for the image, but the ncsoft logo looks really blurry in the email. That’s sometimes a clue that the email’s faked.
Having checked on this, unscrupulous individuals are triggering these e-mails. If you did not attempt to create an account in the exact timeframe in which you received such a mail, do not click the link.
We do not feel that this is a security risk, as it’s just somebody poking around to see if he/she can find a vulnerability. But deleting the mail is the best course, and submitting a ticket to ask or posting here to ask is never a bad idea!
I just wanted to post to say that I also received one of these emails a few hours ago so this is still happening. I would like to suggest that it might be good practice to put the reason for these emails in the email itself. Since they are official emails that have just been ‘nefariously’ triggered, I think it would be good to have something in the email to explain that if you didn’t do X to trigger it, then don’t click.
To add a datum, I too received a mail like this today. Here are the headers:
Delivered-To: xxxxx@xxxxx.com
Received: by 10.112.199.199 with SMTP id jm7csp67346lbc;
Tue, 12 Aug 2014 19:58:45 -0700 (PDT)
X-Received: by 10.224.136.200 with SMTP id s8mr2581009qat.44.1407898724853;
Tue, 12 Aug 2014 19:58:44 -0700 (PDT)
Return-Path: <support@ncsoft.com>
Received: from ncwedge99.us.ncsoft.com (ncwedge99.us.ncsoft.com. [64.25.41.52])
by mx.google.com with ESMTP id u64si637615qga.50.2014.08.12.19.58.43
for <xxxxx@xxxxx.com>;
Tue, 12 Aug 2014 19:58:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@ncsoft.com designates 64.25.41.52 as permitted sender) client-ip=64.25.41.52;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of support@ncsoft.com designates 64.25.41.52 as permitted sender) smtp.mail=support@ncsoft.com
Received: from ikgpcxxxlbe001v.serv.pci.idc (pcibacklive.serv.pci.idc [172.30.206.138])
by ncwedge99.us.ncsoft.com (Postfix) with ESMTP id 8478E24F90C
for <xxxxx@xxxxx.com>; Wed, 13 Aug 2014 02:58:43 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by ikgpcxxxlbe001v.serv.pci.idc (Postfix) with ESMTP id 77F69488380
for <xxxxx@xxxxx.com>; Wed, 13 Aug 2014 02:58:43 +0000 (UTC)
To: xxxxxx@gmail.com
From: NCSOFT Support <support@ncsoft.com>
Subject: =?iso-8859-1?q?Verify=20Your=20Email=20Address?=
Date: Wed, 13 Aug 2014 02:58:43 +0000
X-Mailer: Perl script "mailer.pl"
using Mail::Sender 0.8.10 by Jenda Krynicky, Czechlands
running on localhost.localdomain (127.0.0.1)
under account ""
Message-ID: <20140813_025843_021045.support@ncsoft.com>
MIME-Version: 1.0
Content-type: multipart/mixed;
boundary="--NC-EMAIL-BOUNDARY--"
I’m glad I found this thread before clicking on anything. I agree with Animal – there’s nothing in this mail to say “This is why you’ve received this mail, if you didn’t ask for it, ignore it…” which would have gone a long way to alleviating my concerns.
After checking, it appears the email IS a valid email from NCSoft. However, it is for an account I did NOT authorize.
There should be a statement in these generated emails that explains what it is for (what triggered the email). Something along the lines of:
“Before we can finish creating your new NCSoft account, we need to verify your email address. If you did not authorize the creation of this account, please report this incident… blah blah blah.”
The current email is very non-descriptive and “verifying an email” can be used for multiple things, not just account creation. I know ANet is not directly responsible for NCSoft emails, but I think forwarding some recommendations such as this to them would help security for both companies by reducing customer human error.
