Be Careful with that Email

[Image: Intuit scam email]

I'm noticing a big increase in fraudulent emails, and they look more convincing than ever. October is National Cyber Security Awareness Month (via Coretta Jackson), so let's talk about email safety. If you already know this stuff, maybe this is the time to talk to friends and family about it. Parents, this is you, too.

When was the last time you got one of these?

Within the last hour? I don't even count how many of these I get every day. But you already know that none of those is what it claims to be.

Fish in a barrel
The most common online scams target the most gullible people. Hey, fraud is a business, and when you're sending out millions of offers, you need to screen your leads well. According to a new study from Microsoft Research (PDF), that explains why so many emails are so obviously fraudulent: they're targeting people who are too gullible to notice the scam.

An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. It will be figured out by anyone savvy enough to use a search engine and follow up on the auto-complete suggestions… It won’t be pursued by anyone who consults sensible family or friends, or who reads any of the advice banks and money transfer agencies make available. Those who remain are the scammers’ ideal targets.

—Cormac Herley, Microsoft Research (emphasis added)

So when you quietly delete that obviously scammy email, you validate the scammer's optimization method. But delete it, anyway.

Going after smarter targets
While the mass-market scammers are going for the easy marks, a different style of criminal is getting more aggressive about smarter targets. They're getting trickier, personalizing attacks on strategically selected targets and masquerading as services you probably use. You won't fall for the secret treasure of Idi Amin, but how about this private message reminder from LinkedIn? The email looks right—or almost right—so you click the link to go to your LinkedIn inbox… and end up installing botnet software on your computer. Oops.

Your company won't believe it's won the European lottery, so these attackers mimic legitimate business services:

The image at the top of this post is one of two fakes I got on Friday, sent to separate addresses. It presents as approval for some payment system at Intuit, but by now, you know that Intuit had nothing to do with that message.

What does it do, exactly? I don't know, but nothing good. It probably has something to do with stealing a password or installing malware on my computer. We'll never know. <Delete>

Think before you act
Email-borne attacks are serious business. It's not some bored kid messing with your computer; it's hacktivists, criminal organizations, and even governments. As you're going through the daily slog in the inbox, take a few simple precautions:

  1. If an offer is too good to be true, it's not true.
  2. If a need is unusually urgent, confirm that it's real before you commit resources.
  3. You don't win contests you haven't entered.
  4. Be careful about links in email, even from companies you trust. Look at the URL the link wants to send you to, before you click on it.
  5. Even better, type in the main URL of the trusted site, and use their navigation to find your inbox, or account, or password reset, or whatever you think needs attention.
  6. Be extra alert about attachments, especially ones you haven't requested.
  7. Don't open compressed (.zip) or executable files from unknown sources.

Finally, if there's any doubt about something you get in email, stop and think before you do anything. Type the main keywords and "scam" into Google, and see if the results tell you something important. Look it up on Snopes, which has been investigating rumors and scams for years. Email can wait for a little due diligence, but it's hard to unfall for the trap once you start clicking on things. You have so much investigative power as close as the nearest web browser, why not use it?
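Precautions 4 and 5 come down to one check: does the link really go where it says it goes? Here is an added example (not from the original post) that applies that check to an HTML email body. It flags anchors whose host is not under the brand's domain, and anchors whose visible text shows one domain while the href points at another, the trick in the fake LinkedIn reminder above. The sample message and the attacker host ending in `.invalid` are constructed for the example; the "last two labels" domain comparison is a simplification that does not use a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "private message" notice. The first link's visible
# text names linkedin.com, but the href goes to a look-alike host (placeholder).
SAMPLE_EMAIL_HTML = """
<p>You have a new private message.</p>
<a href="http://linkedin.com.example-attacker.invalid/inbox">https://www.linkedin.com/inbox</a>
<a href="https://www.linkedin.com/help">Help Center</a>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude approximation: last two labels of the host (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html, expected_domain):
    """Return [(href, [reasons])] for links that fail either check."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) != expected_domain:
            reasons.append("host %s is not under %s" % (host, expected_domain))
        shown = re.search(r"https?://([\w.-]+)", text)   # URL shown as link text?
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("text shows %s but link goes to %s" % (shown.group(1), host))
        if reasons:
            flagged.append((href, reasons))
    return flagged
```

Calling `suspicious_links(SAMPLE_EMAIL_HTML, "linkedin.com")` flags only the first link, with both reasons; the genuine Help Center link passes.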

You're good with all this? Haven't been tricked in a long time? Excellent. Go share your wisdom with someone this month. Keep your family and friends from becoming victims.


About Nathan Gilliatt

  • Voracious learner and explorer. Analyst tracking technologies and markets in intelligence, analytics and social media. Studying complexity and futures.
  • Principal, Social Target
