- A TechNote on Information Security
- Dirk Racey, Private Security Investigator/Observer
In my last dispatch, I described some of the ways that hackers use social networking try to trick us into helping them violate our own computers and identity. Today, we'll unmask another of their favorite social-engineering tools: your email inbox.
Amazingly, decades after we first saw the "Nigerian Email Scam," people still fall for it. Its common incarnations ask that you keep the message confidential and then claim something along the lines of:
These scams work because of folks' desire to get something for nothing. I receive at least two such messages a week, and when I kill them, it's my small way of defeating the people who spew them from Internet cafés across the globe.
Inbox Landmines
Still other dangers lurk, but you can dodge 'em:
Corporate America Wakes Up
Corporate America is also getting tougher. Last January, Google, Facebook, LinkedIn, Bank of America, Comcast and others opened a "Domain-based Message Authentication, Reporting, and Conformance" (DMARC) service that they've been using for months. By signing up, a firm that sends/receives emails or provides email services will help carriers automatically stop spoofed messages and, as a result, will reduce our exposure to them. This is done by including DMARC sender-verification data in valid emails from member organizations and by stopping spoofed emails that do not pass DMARC checks. We should all encourage our business partners to sign up.
But until the Web widely embraces tools like DMARC, your most effective weapon against social-engineering email attacks will remain hyper paranoia. Don't be a hacker's puppet. Don't play the patsy. Rather, follow in the footsteps of bumbling but beloved Inspector Jacques Clouseau and "...suspect no one... and everyone."
Amazingly, decades after we first saw the "Nigerian Email Scam," people still fall for it. Its common incarnations ask that you keep the message confidential and then claim something along the lines of:
- You've won a windfall in a foreign lottery.
- A relative you've never heard of has left you a pile of dough.
- An overseas corporation, government or barrister needs to transfer a fortune into a U.S. account, and if you let them use yours, you'll get a cut.
These scams work because of folks' desire to get something for nothing. I receive at least two such messages a week, and when I kill them, it's my small way of defeating the people who spew them from Internet cafés across the globe.
Inbox Landmines
Still other dangers lurk, but you can dodge 'em:
Don't trust all messages from relatives, friends or organizations that you'd normally trust. "From" fields are easily spoofed. Today, I heard from "Norton Antivirus" and "PayPal," both of which I use. And though the messages were highly "anonymized," when I traced them, one seemed to come from a building down by the river in lower Chi-town and the other from beautiful downtown Bolton, England (see photo).
These emails are especially dangerous if they seem to be from real business partners like eBay, PayPal, Amazon, your banks or even the IRS. But their subject lines can be tip-offs. Be wary if the subject lines are blank, say only "Re:," begin with strange strings like "!*#", or have misspellings, bad grammar or lousy "business English."
An example of the latter is this recent alert: "You have $250,000 lodged in Western Union to be transferred to you." If legitimate business contacts want to discuss your accounts, they'll use your account pages on their own sites. And the IRS will send a letter. So if suspicious messages arrive, axe them and then check your own private account pages rather than clicking bogus links in emails from nefarious ne'er-do-wells.
- Shred everything - including envelopes and printed emails - that shows your name and address, even if it lacks financial data. The reason is simple. Any dumpster-diving crud worth a grain of salt can parlay your name, address and a business partner's name (or logo) into full-fledged identity theft. Social Security Numbers, account numbers, user IDs and passwords are not needed to weasel information out of you or your business contacts.
- Snitch on the bastards! Many firms have Web pages for reporting emails that claim to come from them. I always do for bogus communiqués from eBay, PayPal, Amazon, the IRS and the FBI. When reporting, provide both the message and its "full tracking header" or "message source." You'll have to fish around a bit to find it. For example, in Lycos mail, select the message, click "More Detail" and then click "Message Source." But in Yahoo email, select the message, click the "More Actions" (gear) icon at the top of the page, and select "View Full Header." You can then copy and paste the header into the form where you report the message.
Corporate America Wakes Up
Corporate America is also getting tougher. Last January, Google, Facebook, LinkedIn, Bank of America, Comcast and others opened a "Domain-based Message Authentication, Reporting, and Conformance" (DMARC) service that they've been using for months. By signing up, a firm that sends/receives emails or provides email services will help carriers automatically stop spoofed messages and, as a result, will reduce our exposure to them. This is done by including DMARC sender-verification data in valid emails from member organizations and by stopping spoofed emails that do not pass DMARC checks. We should all encourage our business partners to sign up.
But until the Web widely embraces tools like DMARC, your most effective weapon against social-engineering email attacks will remain hyper paranoia. Don't be a hacker's puppet. Don't play the patsy. Rather, follow in the footsteps of bumbling but beloved Inspector Jacques Clouseau and "...suspect no one... and everyone."
