I kind of just did this in real life. A corporate client found out that their deceased mother had lost track of some stock that had been abandoned to the state. I was asked to help the client go through the process to reclaim the abandoned property.

I started by going to the state's abandoned property website. For fun, I looked up my last name. I didn't find anything I lost, but someone with my last name had a whole web page full of abandoned stocks and dividends worth several thousand dollars. A quick web search showed that a relative with the same last name still lived at the owner's address (I think the owner passed away and the living relative is her husband). I didn't think it was right that they had unclaimed stock that they could get back just by filling out a form, so I sent him a letter telling him about the abandoned property. I told him who I was and how I stumbled onto the lost property, so I hope he really does retrieve it and doesn't think it was a scam.

The articles that I found also said that it was a very common scam for folks that deal with real estate and another was about high end yacht sales.

Nice, I've found a little (money) in the past, and my mom found some in my dad's name after he passed. Very nice of you to notify them.

And people wonder why I hate HTML formatted mail messages.

And aside from PP's known anti-gun stance and their willy nilly freezing of accounts and funds in them, they aren't a real bank and are not regulated as such and so I do not have an account with them.

When we closed on our place in FL, from NJ, the title company would only give wire transfer instructions over the phone to me, not in an e-mail.

I would be sure you are a scammer. I pretty much dont trust anybody anymore.

What is sad is that public/private key encryption and message signing has been possible for over 20 years but no one does it and none of the major providers support it directly.

This!

The key is: "How did your friend send wire instructions to the buyer? - Email!"

One of two things happened... (Most of the info has been posted earlier in this thread but I thought it was worth summarising)

1. [Most likely] Either your friends or the buyers email is hacked.
The scammers can connect and see either of the two email accounts - This is fairly common and people involved aren't even aware of someone looking at their email. This often happens in a work place were someone who has account information watches the email of a key person or decision maker. (usernames and passwords for individual accounts are often known by IT support people or can be reset on the email server.)

The best thing to do is change your passwords with complex ones and then depending on the situation disable and delete BOTH email accounts..

2. [Less likely] They are sending non encrypted email and someone intercepted their messages. (Most of the email being sent today is still not encrypted)

FYI: An experienced support engineer can easily find out what IP address an email was sent from.
If you have that IP address a 10 year old can find out what country you're in and what service provider you're using within that country.
Depending on *"who they are and their motivation", once they have the service provider they can find the "device" the email was sent from.

(*Law enforcement)

I say the seller's in it. Does the name sound Nigerian by any chance ?

Just right click the button, copy the link, paste it into a text editor.

It will tell you all you need to know.

That didn't work, it just pasted the text. But in text editor I clicked on the dropdown arrow when hovering and a link came up. Googling that link, it's been noted as a scam.

I am sure this is a very effective scam. While the vast majority of scams have nearly had red flashing lights saying SCAM SCAM SCAM, this one looks very legit. I wouldn't blame most people for clicking and logging in.

relatedly - the new Chrome browser just broke a big criminal site that sells hacks into people's online "fingerprints"

Half true, since there are 2 ways of sending encrypted messages, kinda.

The first, using the SSL wrappers around the SMTP protocol, most mail systems do. This prevents a man-in-the-middle from reading the messages, just like the HTTPS protocol. HOWEVER... any mail server the message passes through (ie, each MX record it transports through before destination) would be a de-encryption point and could in theory read the contents. If you use gmail it will let you know in the interface if a message you received was not sent using esmtp (ie, unencrypted over the wire)

The second way, you are correct - no one really does it. That is to use public/private key encryption (PGP or GPG). When you send a message, you sign it with your private key. This gives the message a unique finger print, and the recipient can use your public key to verify the signature. Nothing is encrypted, just protected against modification. I've used this to electronically agree to loan rates, etc. to lock in before I could get to a bank to sign in ink. You can also use the recipients public key to encrypt the message, and only their private key can decrypt it. This actually secures the message from anyone but the recipient from reading the contents OTHER than message header/routing information (to, from, what mail server sent, date/time, etc)

Unfortunately, none of the big providers or ISPs with webmail interfaces support PGP/GPG. Nothing needs doing on the server end, but the *client* software has to support it. Some desktop clients have plugins/extensions that will allow it, but then the problem becomes exchanging keys and there is no really good way to have a centralized public repo/address book/key record.

If you run a business that works closely with other businesses and need secure communications I'd recommend kicking your IT department and telling them to research how to best/easily integrate this into your mail system.

Thank you, I was trying to make me explanation relevant to the layman.

The point was to make sure your communications are secure but you'll never have any control over what the other end is doing.
And consequently: I don't put anything in an email I wouldn't be happy to broadcast publicly. (No sensitive financial/security or personal info ever.)