Email Scams

Email Scams and Phishing

In today’s world, cyber threats are everywhere. There are websites where you can see in real time the thousands of attacks happening at every moment. If a casino can be attacked through a vulnerability in the lobby’s fish tank thermometer, then an attack can come from almost anywhere. How can we prevent attackers from getting our sensitive information when it seems we live in a world where nobody is safe? We can start by learning about some of the most basic, yet effective, tools in any hacker’s toolbox: email scams.

One buzzword you may be hearing a lot recently is phishing. Phishing (pronounced like fishing) is an attempt to gain access to your personal information by tricking you into giving up credit card numbers, passwords, or other information. For example, say you get an email from an email address you don’t recognize claiming to be from IT and asking for your computer password so they can remove malware. This is a very common scenario that can cause major data breaches. Whaling or spear phishing is a targeted phishing attack on a business or person, with more detail so that it looks more legitimate. An example of this would be if everyone in your office receives an email that looks like it is from their boss, but is sent from an email address made to look like their boss’ (ex. Legitimate – dave@yourcompany.com, Fraudulent – dave77732@gmail.com).

According to the 2017 Verizon Data Breach Investigations Report, 60% of malware is installed through malicious email attachments. According to the same report, 90% of incidents and breaches involved phishing. Luckily, Mailprotector does a great job of filtering out spam, viruses, and other unwanted emails. However, when an email appears to be legitimate, it is almost impossible for any spam filter to detect every single threat. This is why we have to stay vigilant and be skeptical of every email. If you receive an email you’re not sure about, don’t open it, don’t forward it, and DO NOT open any attachments. Delete the email immediately. If the sender is legitimate, they will reach out to you another way.

Common email scams:

  • International Lottery – We hate to break it to you, but unfortunately you didn’t win the Yugoslavian lottery.
  • International Shipping – Doing business internationally can be tricky, but if a potential client is insisting on using their own shipping company they may not be legitimate.
  • Surveys – If you get a request to take a survey, do not take it unless you have specifically requested to be on the mailing list of whatever company or whoever sent you the survey. This can be a scheme to get your sensitive information.
  • Blackmail – Scammers may send you an email claiming they have sensitive photos or screenshots. In these scams, they may threaten to send these sensitive things to all of your contacts if you don’t pay or do something else for them.
  • Vague Requests – Sometimes an illegitimate email may ask you for help or to complete a task. Don’t fall for it. They will probably ask you to go buy gift cards and email them the codes.
  • Nigerian Fortune – You’re not going to get rich quick by helping a Nigerian Prince recover a bunch of cash. The only thing that will happen is your bank account will be emptied.

Clues an email may be fraudulent:

Email Address

Free email domains
Watch out for emails about business coming from free domains like Google or Yahoo. Most people from legitimate businesses will have a company domain.

Email addresses that have domains similar to a real one
Ex. PayPal only sends emails ending in @paypal.com, so if you see an email address along the lines of security-paypal-center@int.paypal.uk.org, it is certainly fraudulent.
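The two sender checks above can be automated. The sketch below is an added example, not part of the original article: the free-mail list and the brand table are assumed sample values, and `sender_flags` is a hypothetical helper name.

```python
from email.utils import parseaddr

# Assumed sample list for illustration; maintain your own in practice.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Brand keyword -> the only domain that brand is expected to send from.
# paypal.com and yourcompany.com are the article's own examples.
BRANDS = {"paypal": "paypal.com", "yourcompany": "yourcompany.com"}


def sender_flags(from_header, claims_business=True):
    """Return a list of warning strings for a From: header value."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if not local or not domain:
        return ["unparseable sender address"]
    flags = []
    # Clue 1: a message about business arriving from a free mail provider.
    if claims_business and domain in FREE_MAIL:
        flags.append("business mail from free domain " + domain)
    # Clue 2: the brand appears in the display name, mailbox or domain,
    # but the domain is not exactly the one the brand sends from.
    for brand, real in BRANDS.items():
        mentioned = (brand in domain or brand in local
                     or brand in display.lower())
        if mentioned and domain != real:
            flags.append(f"mentions {brand} but domain is {domain}, not {real}")
    return flags


if __name__ == "__main__":
    for sender in ("Dave <dave@yourcompany.com>",
                   "Dave <dave77732@gmail.com>",
                   "security-paypal-center@int.paypal.uk.org"):
        print(sender, "->", sender_flags(sender) or "no flags")
```

An empty result only means neither clue fired; it does not prove the sender is genuine.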

The Greeting

If a legitimate person or business is sending you an email, they will know your name. If it has a vague greeting (Ex. Dear valued customer, Dear sir/madam, etc.) then the person sending the email may be sending the same email to hundreds of people.

Links

Hover your cursor over hyperlinks sent in emails to see whether they will take you to a legitimate, safe website. If a link is suspicious or you can’t tell if it is legitimate, DO NOT CLICK ON THE LINK.

Downloads

Do NOT under any circumstances download ANY attachments on an email which you are not 100% sure is legitimate.

General

  • If there are a lot of spelling and grammar errors, it is less likely to be legitimate.
  • Banks and other businesses with your sensitive information will not ask you for passwords, PINs, or credit card information over email. Never send this information over email, even if it is to someone who you know is safe.
  • If you’re taken to a login screen you’re not sure is legitimate, first of all look at the link. If the link looks different, do not proceed. If the page looks legitimate, but you’re still not sure then type in an incorrect password. Non-legitimate websites will often accept an incorrect password.

What if you think you have fallen victim to a scam or phishing attack?

  • Change your information – Luckily, a lot of information that can be given away can be changed. If an account has been compromised, you can change the password. If your credit card info is stolen, you can cancel your credit card and request a new one.
  • Help! I gave away information that can’t be changed – You can’t change your social security number or have your mom change her maiden name. If you accidentally give away information that can’t be changed, you can freeze your credit and place a fraud alert. You can also file a police report. If you feel it is necessary, you can look into an identity theft monitoring service.
  • I accidentally gave away company information – Report it to whoever in your company handles information policies.
  • I think I may be the victim of identity theft – Go to identitytheft.gov where you can get help creating a recovery plan.

No matter how much building or cyber security you have, it is always possible for hackers to find a way through. The best way to prevent cyber-attacks is through awareness and education. Make sure every single person in your company is familiar with information policies and security procedures.