The ‘black hat’ brigade increasingly employ a multitude of sophisticated techniques to take advantage of us and our computers for their nefarious purposes. In this piece I’ll focus on email, as it’s currently the foremost means of intrusion, briefly outlining the villains’ main aims (mostly commercial gain these days) and modes of attack.
You’re welcome to bypass the details and explanations on this page and jump to the checklist, but I would advise reading it all, of course: it’s worth the effort!
Most of us receive unsolicited email, otherwise known as ‘spam’. Some of this ‘junk’ may be undesirable (much like the advertising letters and donation requests in your post), but the senders obtained the email addresses legitimately and the mail can be deemed entirely genuine.
The remainder fall into three categories:
1. Fraudsters attempt to sell products or services by encouraging – usually by deceit – the recipient to click on a ‘hyperlink’ (link) within the email. Such emails’ Subject and link text are rarely related to the links’ true destination (eg. online shops based in China), but titled in a manner intended to entice or fool the recipient.
2. Cybercriminals attempt to infect your machine with a virus, worm, or suchlike. I won’t delve into definitions of these terms here, but suffice to say they can seriously compromise your computer, the data it holds, and your online activities. Such emails will contain a link or attachment (image, document etc) which, when opened, will then deliver and install the bad stuff. You may have heard of ‘trojans’, a form of ‘malware’ (malicious software) packaged with apparently useful and safe applications or utilities (which often function as expected, but deliver the additional, unwanted payload when installed). Malware is most commonly acquired from insecure, fake or disreputable websites; however, these sites are frequently the accidental destination of such an email link. Again, perpetrators employ ‘spoofing’ tactics to convince the recipient that the sender and email are authentic: by appropriating genuine email addresses, or creating ones that are almost identical to ones belonging to legitimate companies (so they can be remarkably difficult to identify).
Some examples of these include notifications of social media (eg. Facebook, and LinkedIn) messages, Court Orders, tax refunds, incoming faxes, files shared through Dropbox, and links to free stuff. Spammers frequently use subjects which imply an ongoing dialogue, eg. “Re. your quotation”, giving the impression that there have been previous messages. Is “Your invoice” really due? Are you expecting a DHL delivery? If exceptional urgency is being emphasised, for example a special offer “ending now”, or the need for you to “take immediate action to keep your account open” then it’s potentially a scam. Please be aware that the appearance of these emails tends to be highly professional.
It’s critical that I explicitly mention mail received from known personal senders (rather than organisations), and by that I mean someone (friend, family, colleague etc) whose online connections are not generally known, and could only be discovered by accessing their email address book. Most of us have received mail which on inspection is – usually pretty obviously – not from the purported sender, and contains a suspicious link or attachment. If you receive anything which you know that the sender is not likely to have deliberately distributed, let them know ASAP, so they can take remedial action, as it’s often an indication that their email account has been ‘hacked’. If you find that you’ve apparently distributed spam mail in this fashion, immediately change your email password (preferably to one that’s long and complex), and call us.
3. ‘Phishing’ emails attempt to obtain personal information, specifically account details and credentials (usernames and passwords), by purporting to be from a bank, HMRC, online service provider etc, which eg. “needs you validate your account”, or asks you to log in to the account to retrieve some information. Again, the criminals employ apparently genuine sending addresses, but also imitate the content and design (logos etc) of the alleged bank or whoever. In fact, in these cases, the entire email may well be copied from a legitimate source, so, apart from the link the recipient is being requested to click on, the remainder could be entirely ‘genuine’. Clever, huh? Should one click on the link (don’t!), the destination will generally be a similarly faked website, requiring the visitor to enter their account credentials, which, once submitted, will be abused rapidly. Phishing mails are often poorly executed, with incorrect and/or mixed typefaces, shoddy graphics, misspellings and so forth, but the ‘better’ examples can be very hard to spot indeed. The most obvious ‘flaw’ in the scheme is the recipient not actually holding an account with the purported sender!
The primary clue to all these being scams is that the mails are rarely personalised correctly, that is, they rarely use the recipient’s proper or full name. They are usually addressed to “Dear account holder”, “Dear Customer” or “Dear <email address>”, and more recently we’ve seen mail without any greeting at all (obfuscating the scammers’ lack of information!). Furthermore, any genuine mail from banks etc should also contain additional forms of identification, such as a valid username, or account number (or part of). No longer should any competent organisation be sending anything without sufficient proof of legitimacy, nor ever ask you to submit any personal information via email.
Finally, as you may be aware, ‘ransomware’ attacks are becoming more prevalent. Ransomware is a particularly pernicious form of infection, which encrypts users’ computer files rendering them inaccessible (another example of a valid and vital security tool being deployed for malign purposes), and displays a message on screen demanding that the victim pay a not-insubstantial fee (otherwise, if not forthcoming, the files will be destroyed or permanently locked). Payment for the decryption ‘key’ will be via a legitimate but concealed cyber-currency called Bitcoin. Victims have been targeted predominantly via email, in the manner described above, and have included many large organisations all around the world, such as the NHS (with many hospitals being taken offline), rail services etc. Should you become a victim of a ransomware attack, DO NOT PAY (in the first instance): there are ‘fake’ infections going around (where the warning message is displayed, but the users’ files are not actually encrypted, rather they’re hidden in some other undo-able way)!
All of these scams exploit our human foibles (impatience, misguided trust, naiveté… an endless list sadly!) by employing recognised ‘social engineering’ tactics (precisely as do advertisers). So, how to prevent falling prey? Simply by being aware of the cons, being vigilant and taking some essential precautions before opening – and when reading – your emails…
Here’s our email safety checklist to help keep you safe:
Prior to opening email:
• is the sender known?
• is the subject recognisable and probable?
• check for any irregularities in the sender’s address;
• check for correct and adequate personalisation and identification;
• hover (with your mouse/cursor) over the target links to reveal the destination address, and look for anything irregular or suspicious;
• rather than trust a link, enter the known website address directly into your browser, or find it via a search engine (eg. Google);
• do not open any attachments in emails of unknown origin, or that you feel to be suspicious: contact the sender (not by reply, but in a new mail once you’ve verified their address) to ask if the mail was genuine;
• do not divulge personal information, account credentials etc via email;
• do not click on any Unsubscribe links in spam mail, you will only be validating your address (and increasing its value to spammers)!
Should you click through a link to a website, particularly one involving any financial transactions:
• check there’s a padlock symbol in the address bar in the browser window (the padlock must not be on the webpage itself: if it is, and not in the address bar, this would indicate that it’s a potentially fraudulent site);
• check the web address of the payment gateway begins with ‘https://’ (the ‘s’ denoting ‘secure’);
If you’re concerned that something untoward may have occurred:
• disconnect from the internet,
• run multiple deep security scans, and
• call us!
I should point out that it’s rare for simply opening an email, and doing no more, to invoke an infection. It’s generally the subsequent action/s that determine the significance of the outcome.
By the way, if you use a web browser to access your email account (or any other websites storing confidential information), always remember to log out of the accounts before closing the browser. We also recommend not permitting your browser to save passwords, as they are easily discovered; use a password manager utility such as LastPass to store your passwords securely.
Deploy up-to-date security measures on all your devices (mobiles and tablets are also increasingly under attack):
1. it is vital to ensure that you are running reputable security software (antivirus, anti-malware etc); and
2. ensure the ‘firewall’ is enabled; and
3. we would recommend adding (if not included in 1) an email security application, which actively scans incoming mail for viruses and malware; and
4. we would also suggest adding (if not included in 2 or 3) an anti-spam utility, which actively scans incoming mail for viruses and malware.
Security applications, however, can only offer so much protection: if the data – especially irreplaceable documents, photos, and email – held on your computer is valuable to you, and not stored elsewhere, it must be backed up. Otherwise there will always be a considerable risk of all being lost. Backing up will be discussed in a future piece, but if you want to know more before then, please call us.
The Old Forge Building, North Green, Kirtlington, OX5 3JZ