E-mail Phishing, Scams and Hoaxes

Overview:

Since so many people around the world depend on e-mail, it has become one of the primary methods cyber criminals use to attack others. The most frequently used method is phishing.

Phishing:

Phishing is one of the most commonly used e-mail based attacks. It uses social engineering, a technique where cyber attackers attempt to fool you into taking an action. Phishing was a term originally used to describe an attack designed to steal your online banking login details. However, the term has evolved and now refers to almost any cyber attack sent by e-mail. A phishing attack begins with an e-mail pretending to be from someone or something you know or trust, such as your bank or your favorite online store. These e-mails then try to entice you into taking an action, such as clicking on a link, opening an attachment, or responding to a message. Cyber criminals craft these convincing e-mails and then send them out to thousands, if not millions, of people around the world. The criminals do not have a specific target in mind, nor do they know exactly who will fall victim. They simply know that the more e-mails they send out, the more people they may be able to fool. Phishing attacks often have one of the following objectives:

  • Harvesting Information: The cyber attacker’s goal is to entice you into clicking on a link and taking you to a website that asks for your login and password or perhaps your favorite color or mother’s maiden name. These websites may appear legitimate with exactly the same look and feel of your online bank, but they are designed to steal information that could give them access to your online bank account.
  • Controlling your computer through malicious links: Once again, the cyber attacker’s goal is to have you click on a link. However, instead of harvesting your information, the goal is to infect your computer. If you click, you are directed to a website that silently launches an attack against your browser, and, if successful, these cyber criminals may be able to gain control over your computer.
  • Controlling your computer through malicious attachments: These are phishing e-mails that have infected attachments, such as infected PDF files or Microsoft Office documents. If you open these attachments, the embedded code attacks your computer, and if successful, gives complete control of your system to the attacker.

Scams:

Scams are nothing new; these are attempts by criminals to defraud you. Classic examples include notices that you’ve won the lottery or an iPad (even though you never entered a contest), or that a dignitary needs to transfer millions of dollars into your country and would like to pay you to help with the transfer. The scammer then informs you that you have to pay a processing fee before you can get your money. After you pay these fees the criminals disappear, never to be heard from again.

Hoaxes:

Occasionally, deceitful individuals will circulate e-mail warnings about viruses that do not actually exist. Well-intentioned users may clog e-mail systems by circulating the false reports among their peers. Even worse, hoaxes may create a "cry wolf syndrome": as users grow increasingly sceptical of hoaxes, they may ignore a legitimate warning.

A typical hoax can include such things as a warning message about a virus (or occasionally a Trojan) spreading on the Internet; a recommendation to protect yourself by deleting the so-called virus; a message all in CAPS with loads of exclamation marks; an urgent and repeated request to forward the message to everyone you know; and an attempt to seek credibility by citing some authoritative source as issuing the warning, as well as describing the virus in deceptive technical jargon.

Protecting Yourself:

In most cases simply opening an e-mail is safe. Most attacks work by getting you to do something after reading the e-mail, such as opening the attachment, clicking on the link, or responding to the request for information. If after reading an e-mail you think it is a phishing attack or scam, simply delete the message. Here are some indications that an e-mail is an attack.

  • Be suspicious of any e-mail that requires immediate action or creates a sense of urgency. This is a common method used to trick people.
  • Be suspicious of e-mails addressed to “Dear Customer” or some other generic salutation.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages very carefully.
  • If a link in an e-mail seems suspicious, hover your mouse cursor over the link without clicking it. This will show you the true destination you would go to if you actually clicked it. The link text written in the e-mail may be very different from the actual destination.
  • Do not click on links. Instead, copy the URL from the e-mail and paste it into your browser. Even better is to simply type the destination name into your browser. For example, if you get an e-mail from UPS telling you your package is ready for delivery, do not click on the link. Instead, go to the UPS website and then copy and paste the tracking number.
  • Be suspicious of attachments; only open attachments that you were expecting.
  • Just because you got an e-mail from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending e-mail to all of your friend’s contacts. If you get a suspicious e-mail from a trusted friend or colleague, call them to confirm that they sent it.
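As an added illustration of the checks in this list (not part of the original article), the following Python script scans a constructed HTML e-mail body for a generic salutation, urgency language, and links whose visible text names a different host than their real destination. The sample message, keyword lists and domain names are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing-style body; no real sender or message is involved.
SAMPLE_HTML = """<p>Dear Customer,</p>
<p>Your account will be SUSPENDED within 24 hours unless you verify it now.</p>
<p><a href="http://login-verify.example.net/ups">https://www.ups.com/track</a></p>
<p><a href="https://www.ups.com/help">UPS Help Center</a></p>"""
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "act now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; link text often omits the scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(html):
    """Return the checklist indicators that appear in an HTML e-mail body."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic salutation")
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency language")
    parser = LinkCollector()
    parser.feed(html)
    for href, shown in parser.links:
        # Link text that looks like a URL but resolves to another host is the
        # display/destination mismatch that hovering over the link reveals.
        if re.match(r"(https?://|www\.)", shown, re.I) and host_of(shown) != host_of(href):
            findings.append(f"link text {shown!r} goes to {host_of(href)}")
    return findings
```

Running `phishing_indicators(SAMPLE_HTML)` reports all three indicators for the sample; the second link is plain descriptive text, so it is not flagged.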

And remember: “If something seems suspicious or too good to be true, it is most likely an attack. Simply delete the e-mail.”

Your simplest course of action is always to delete the offending e-mail without opening links or attachments, or to leave the website in question without navigating its content. IT security begins with you and the choices you make.