I'm noticing a big increase in fraudulent emails, and they look more convincing than ever. October is National Cyber Security Awareness Month (via Coretta Jackson), so let's talk about email safety. If you already know this stuff, maybe this is the time to talk to friends and family about it. Parents, this is you, too.
When was the last time you got one of these?
- The lottery you won without entering
- The relative of an African dictator or member of the US military who wants your help liberating millions in ill-gotten wealth
- The stock promoter with a hot tip
- The fake speeding ticket from New York
- The warning about your PayPal account
- The family member who is trapped in a foreign country and needs cash now
Fish in a barrel
The most common online scams target the most gullible people. Hey, fraud is a business, and when you're sending out millions of offers, you need to screen your leads well. According to a new study from Microsoft Research (PDF), that explains why so many emails are so obviously fraudulent: they're targeting people who are too gullible to notice the scam.
An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. It will be figured out by anyone savvy enough to use a search engine and follow up on the auto-complete suggestions… It won’t be pursued by anyone who consults sensible family or friends, or who reads any of the advice banks and money transfer agencies make available. Those who remain are the scammers' ideal targets.
—Cormac Herley, Microsoft Research (emphasis added)
So when you quietly delete that obviously scammy email, you validate the scammer's optimization method. But delete it, anyway.
Going after smarter targets
While the mass-market scammers are going for the easy marks, a different style of criminal is getting more aggressive about smarter targets. They're getting trickier, personalizing attacks on strategically selected targets and masquerading as services you probably use. You won't fall for the secret treasure of Idi Amin, but how about this private message reminder from LinkedIn? The email looks right—or almost right—so you click the link to go to your LinkedIn inbox… and end up installing botnet software on your computer. Oops.
Your company won't believe it's won the European lottery, so these attackers mimic legitimate business services:
- The UPS invoice
- The payroll processing notice
- The fake complaint notice from the Better Business Bureau
- The Corporate eFax message
What does it do, exactly? I don't know, but nothing good. It probably has something to do with stealing a password or installing malware on my computer. We'll never know. <Delete>
Think before you act
Email-borne attacks are serious business. It's not some bored kid messing with your computer; it's hacktivists, criminal organizations, and even governments. As you're going through the daily slog in the inbox, take a few simple precautions:
- If an offer is too good to be true, it's not true.
- If a need is unusually urgent, confirm that it's real before you commit resources.
- You don't win contests you haven't entered.
- Be careful about links in email, even from companies you trust. Look at the URL the link wants to send you to, before you click on it.
- Even better, type in the main URL of the trusted site, and use their navigation to find your inbox, or account, or password reset, or whatever you think needs attention.
- Be extra alert about attachments, especially ones you haven't requested.
- Don't open compressed (.zip) or executable files from unknown sources.
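The "look at the URL before you click" advice above can be automated for an HTML email: compare where each link really goes with what the reader sees. This is an added example, not code from the original post; the sample message, the LinkedIn-styled lookalike domain and the trusted-domain list are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude "last two labels" rule, enough for the demo; a real tool would use the public suffix list.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

# Something that looks like a host name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

def suspicious_links(html, trusted_domains):
    """Return links whose real destination does not match what the reader is shown."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registered_domain(shown.group(1)) != target:
            reasons.append("visible text names a different domain")
        if target not in trusted_domains:
            reasons.append("destination is not a trusted domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample: the first link is dressed up as LinkedIn, the second is the real site.
SAMPLE_EMAIL = """<p>You have 1 new private message.</p>
<a href="http://linkedin.com.inbox-notify.example/msg/1">https://www.linkedin.com/inbox</a>
<a href="https://www.linkedin.com/feed/">View your feed</a>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, {"linkedin.com"}):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The lookalike host begins with "linkedin.com" but is registered elsewhere, which is exactly the detail the eye skips over when a link is only glanced at.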
You're good with all this? Haven't been tricked in a long time? Excellent. Go share your wisdom with someone this month. Keep your family and friends from becoming victims.