When an innocent looking email is a
scam
You receive an email that looks like it
came from FedEx. It is attempting to notify you that your package was shipped
to the wrong address. The subject line reads something like "FedEx tracking"
or "FedEx item number." All you need to do to reroute the package is
open an attached file (purportedly a shipping form) so you can print it out.
This email, however, was not from FedEx, and the attached file was actually
malware. It was one of many, sent to entice users into opening the malware laced
file that would compromise their computers.
The FedEx scam serves as a real life
example of common large scale attacks whereby data thieves and malware script
writers "go phishing" or use other ploys to trick users into opening
a file attachment or clicking a Web link in an email in order to deliver their
malware. For the data thief who wants to steal information such as credit card
numbers and other personal info, email scams represent an easy way to gain
access to PCs and even networks with a low barrier of entry.
All
you need to do to reroute the package is open an attached file (purportedly a
shipping form) so you can print it out.
Most users know by now to promptly
identify messages as spam (click a Spam button, move the message to a spam
folder, or take a similar action) when they are obvious scams, such as
solicitations to claim money from a Nigerian bank or offers to run free
diagnostics tests on their computer. However, attackers are getting craftier
and are using more subtle ploys to trick users. Here are some ways to determine
the difference between ordinary email and a con job, especially when attackers
do their dirty business in not-so-obvious ways.
Enter your credit card number here
Another scam, similar to the FedEx scam,
informed recipients via email that fees must be paid in order to receive a
parcel. All the user had to do was enter a credit card number to pay a small
fee in order to resolve the matter.
All
the user had to do was enter a credit card number to pay a small fee in order
to resolve the matter.
"With the likes of logistics companies,
the message will ask for a parcel number and will then generally state that
customs duties or excess postage is required," says Clive Longbottom, an
analyst for Quocirca (www.quocirca.com). "It then asks for credit card details
or some such thing."
One rule to take away is to never pay for
something on a website that is accessed through a link in an unsolicited
email, at least not without checking first. "Either phone the company from
a number obtained from their website, not the email or if you know that this
sort of payment can be done through their website, go there on your own steam
by typing the address into your browser and looking for your consignment
details there," Longbottom says.
Don’t trust that sender address
After hijacking an email account, attackers
will often use the victim's email address to spam contacts and solicit them to
click a link or download a file. The scam is crafty since users understandably
think they are receiving an email from someone they know or a co-worker who has
a company account.
When this happens, a lack of personalization
in the body of the email should raise flags. If the email text begins with
"Hi" from a friend or "Dear colleague" from a work address,
then it is very likely fake. There are other signs to look for that indicate
the message was sent from a compromised email account. "If the email
looks as if it is personalized but does not have your name in the 'To' field,
then it is bogus. If there are no contact details (a proper name along with a
matching email and a telephone number), it is possibly bogus," Longbottom
says. "If there is a telephone number provided, dial it; don't say who you
are or why you are calling if someone answers, but ask them who they are and
who they are representing. If they stumble over responses or cannot answer, the
email was bogus."
Many users continue to fall for the
"your IT department has identified a problem with your machine" message,
especially when the sender appears to be from within the company, Longbottom
says. "These email messages are always scams of some sort. You often
download a virus and then have to phone the company concerned and pay to get it
removed."
English usage alerts
Unfortunately, the use of poor grammar is
becoming more prevalent and accepted in business communications. However, there
is a big difference between poorly drafted messages and one written in broken
English, which often serves as a flag for an illegitimate message, says Joe
Malec, a fellow at the ISSA (Information Systems Security Association;
www.issa.org).
"Messages that contain spelling errors,
missing words, and logical gaps in reasoning should be treated suspiciously,"
Malec says.
Messages that are designed to look as
though they come from a U.S. source, for example, but use British spellings
(such as "center" instead of "center," or
"defense" instead of "defense") or vice versa should be viewed
as suspect. "Check for the obvious: If the email purports to come from the
UK, but has words [with spellings] like 'specialize,' 'color,' and so on, then
it's [probably] bogus," Longbottom says.
Report spam, don’t unsubscribe
Annoying messages that somehow make their
way past the spam filter often claim to offer the recipient the option to
unsubscribe from the list by clicking a link. But as tempting as it might be to
follow the instructions instead of copying the message to the spam folder,
users should take heed.
"Links, such as the 'Unsubscribe'
link, are a popular way for spammers to validate your email address as well as
deliver malware to your system," says Malec.
Gmail
has one of the best spam-blocking features of any mail provider.
Check them out
Whenever a user has any inkling of a doubt
about an email's origin, tests exist that can quickly and accurately make sure
the sender's address is legitimate. This can be done by checking the sender's
.com domain. For a link embedded in an email, verification systems such as CentralOps.net
can verify the authenticity of a website, says Brad Kowal, a director of data
centers for Shands HealthCare in Florida.
"The basics for how you verify if a
FedEx message or other email is legitimate are the same," Kowal says.
Greed is not good
It is common sense for most to ignore
certain types of messages, but many users still need to be reminded not to
click links or file attachments in email messages that claim to offer the
lucky recipient the chance to win a prize or other too good to be true offers.
