How To Protect Yourself, Family and Friends…
Dangerous emails are a fact of modern life. (Note: this version contains additional material added 6/12/2019 – thank you, Charles South!)
Almost every day you receive obviously suspicious email messages. Some pronounce you the winner of a lottery you have never heard of and did not enter. Some have a long letter from a wealthy widow wanting to give you her money. And some merely promise you a message or a package intended for you that has gone astray. Many include misspellings or the awkward use of words.
For most people, these are not dangerous emails. They are obvious, “too good to be true,” and too common to tempt us. But today your mail may also contain something else: a truly dangerous email. An email so subtle that you believe it’s genuine and before you can catch yourself, you click on a link that it contains.
No one is immune. The Hillary Clinton campaign had tight cybersecurity, and trained their staff to recognize and ignore phishing emails. However, the Russians sent carefully composed phishing emails to a hundred of these staffers. Twenty of them clicked dangerous links in the messages!
Today’s blog is a cram course in defense against dangerous emails. We’ll cover the following topics:
- The Spammer’s Business Model – how he or she pays the rent.
- The 9 Dangerous Emails – the names of the beast, ranked from most to least hazardous.
- Email Triage – a safe way to sort your incoming email.
- Prophylaxis – how you can block the spammers!
- Appendix 1 – how to decode a web address to find the domain.
- Appendix 2 – all about safe and unsafe attachments.
The Spammer’s Business Model
At this point I apologize to any female hackers or would-be hackers in the audience. To streamline the text I will hereafter refer to spammers and hackers with male pronouns.
Most spammers are in business. They may be anarchists or disruptors by nature, but usually they are motivated by money. Some receive a regular paycheck for hacking, others are free-lance. However, in general they carry out their hacking in order to pay their rent.
The spammer’s business model is generally some variation of the following:
- To get us to send him money directly. Sometimes the spammer will send us a valid-looking check, then ask us to refund part of the money. Weeks or months later their check bounces and our bank debits us for that amount!
- To gain personal information that can be used to steal money from our bank accounts, or use our credit to incur debts.
- Often, to gain access to our friends through social media or email, so as to make money off their personal information.
- To recruit us to participate in an illegal activity such as money laundering or trans-shipping of drugs.
- To gain control of our computer or accounts with which to do any or all of the above. “Ransomware” is a particularly nasty possible product of this control.
The spammer sends dangerous emails that aim at two goals:
- The email gains our attention to read its message. The email does this with an attention-getting headline or with a return address that implies authority.
- It activates an emotional reaction that makes us act before we have time to apply any logical thought process. The spammer creates emotion with a threat, a promise of money or a statement of urgency.
The 9 Dangerous Emails
Red Alert: Seriously Dangerous Emails
1. Phishing: Instructions From Someone In Authority
These emails seem to come from someone we are obliged to pay attention to. They are described as “phishing” because the spammer considers us a big unwary fish and is trying to hook us.
The apparent sender may be:
- The boss, CFO or IT head of our employer.
- A government agency such as the IRS or FBI.
- Or a business that we regularly deal with.
Of these, the most dangerous emails are the ones that reference our employer. Not only do they demand our attention, but they also show that the spammer has researched us. He has crafted an attack specifically aimed at us and our company, and may make many attempts to penetrate our defenses.
Are you and I vulnerable? Absolutely, yes! As previously mentioned, many Clinton campaign employees who had been trained to detect phishing, nevertheless clicked links in hacker phish messages. The campaign’s own website was well-protected, but its employees were phished through their personal email addresses, where they were less vigilant.
Later we’ll discuss how to dissect a message to understand its risk. For the moment, remember these points:
- If the sender’s address is not exactly as you expect it to look, forward the message to your IT department as a phish, then delete it.
- If the sender’s address is exactly right, it may still be spoofed. Therefore, you must take no action within the message. That is, do not click on any links nor download any attachments. Use a non-email means to verify the legitimacy of the request. For example, phone or text the supposed sender. Only if the sender verifies the contents should you cautiously proceed. And even so, don’t click on any link that appears in an email – type the intended address into your browser instead.
2. Someone Wants To Be My Friend
This is yet another class of dangerous emails. Dangerous because accepting a friend with hostile motivation can harm us and our friends. And email because this request may come via email from our social media account.
Here are some things that actually happen:
- A hacker may create an account under the name of one of your friends. Then they ask you to “friend” that account. If you agree, instantly the hacker has access to much information about you and also about all of your friends.
- A hacker may collect photos of some very attractive person and invent an account with those photos. They are hoping that you will think, “well, I don’t know this person but they look pretty hot, so why don’t I say yes?”
- Some people try to collect as many social media friends as they possibly can. If they have a large network of friends – we’re talking 5,000 and up – there are ways they can earn money by selling their access to those people.
Protection from Scum
How can we protect ourselves from obviously unworthy people like these, while still accepting valid and worthwhile friend requests?
There’s no perfect answer, but I’ll tell you what I do when I receive a friend request:
- If I think I have already friended that person, I search my list of friends to confirm it. If the new request is a duplicate, I report the request to the social media admin and refuse the request. I may also send a message to my actual friend saying, hey, someone is impersonating you!
- If I don’t recognize the name of the requester, I go to their home page. Sometimes they have a very thin profile – just a few photos, little or no background, and all the information posted within the last day or two. I will probably report them as fictitious and refuse the request.
- Sometimes the requester has a large number of friends already, meaning many hundreds on up of people I don’t know. I peg this person as a “friend-collector” and refuse their request.
- Sometimes the requester looks like a real person. Perhaps a distant relative, perhaps a relative of a friend, perhaps an interesting person. So I may send them a message, something like this: “Thanks for asking to friend me. I’m always happy to make new friends, but could you please tell me why you are interested in friending me?” Through the years, I have sent such a message a half-dozen times. Exactly once, the requester responded and explained that a blog I had written was personally relevant to his own family. So I accepted the friend request.
3. My Friend Is In Trouble
These dangerous emails are rare, but are serious trouble when they arrive.
The theme is: one of our friends or relatives is in trouble and needs money. Naturally, our instinctive response is to call the friend on the phone, or report the problem to law enforcement. But the email tells a complicated story that tries to discourage us from taking those actions. This conflicting information makes it hard to decide on the appropriate response.
Another problem is that the mere arrival of this email means that someone, somewhere has invested time and trouble to learn about our friend’s personal affairs, because only with a lot of knowledge could the hacker compose an email convincing enough to ring true. Anyone who knows that much about us or our friends spells danger. And besides, it creeps us out!
All I can advise here is to gather information by every possible means that does not include responding to the email. Try to phone and text your friend. Contact your friend’s family or close friends to ask whether your friend is or is not in trouble.
Once you learn what you can, law enforcement is usually your next stop. If there’s truly an emergency situation, law enforcement can advise the best response. On the other hand, if the email plea for help turns out to be a fraud, you need to report it to law enforcement anyway.
Orange Alert: Dangerous Emails For Most People
4. My Friend Sent A Link or Attachment
Another one of the common dangerous emails shows the name of one of our friends as its sender.
Most messages from friends are just text, and pose no risk. However, sometimes the message will also contain an internet link or an attachment. That requires us to look at it more closely.
First we look at the e-mail address of the sender. Often, our friend’s name shows an email address that is not the one we expect. In this case, we’ll also note that the message is a “nothing” message without any personal information. The most it may say is, “I thought you’d be interested in this,” with an internet link or attachment. The spammer has probably hacked a file of names and addresses, perhaps at a business your friend has dealt with. Simply delete the email.
But what if the friend’s address looks like the correct one? That doesn’t mean that the message is safe. Someone could have hacked our friend’s e-mail account. Or more likely, someone forged our friend’s name and address as sender of the email.
So we need to read the message and size it up. Does it address us by name? Does it look like something our friend would say and send? If the answer to these questions is “no” then delete the message.
But I’m Just Not Sure
Sometimes you can’t be sure. Or you believe the message is authentic but want to be cautious. In that case, here’s how to proceed:
- First, make sure that your browser shows true addresses (see the third bullet under Prophylaxis below). If the email contains one or more links, examine them, as in Appendix 1 below. Do you recognize the domain as legitimate (e.g. cnn.com, fortune.com, youtube.com, …)? Then you may click it. Immediately examine the address line in your browser to confirm that the address still looks legitimate. If it doesn’t, close the browser window.
- If the email contains an attachment, then make sure you treat it safely. See Appendix 2 below.
5. They Froze My Account
This class of dangerous emails appears to come from a company or a government agency. It typically informs you that your account has been or will be frozen, and instructs you to take some action, such as resetting your password or authenticating your account, by clicking an enclosed link.
Spammers send this type of message to a large number of random email addresses. They hope that the recipient will accept the message as legitimate, either because we happen to do business with the spoofed company, or because we are naïve enough to believe that a government agency will send us email about any important matter. (Guess what: they won’t!)
This type of email contains links, usually several of them. When we examine them we often find that all of them go to exactly the same address – even the links labeled Unsubscribe and Update Profile, which logically should go to different places.
If reading the email makes you want to verify what’s going on with your account, by no means click a link in the email. That would take you to a counterfeit login page, or a page that tries to install malware on your computer. Instead, open a browser and type in the correct web address for the company where you have your account. You will generally find that there is no problem with your account.
6. Something For Nothing
The sixth type of dangerous emails promises us something for nothing. It informs us that we have won a lottery that we may never have heard of. Or that we are the big winner in one of the Publishers Clearing House sweepstakes.
Common sense tells us that this is spam. When major prizes are awarded, the grantors personally contact the winners by phone, mail or in person, asking for them by name. We can safely discard all emails of this type.
But What About Amazon?
However, sometimes the “something for nothing” is small enough that it just might be true. There are Amazon sellers who will send us free merchandise, or refund the price if we purchase their product. We are either required or encouraged to post a review of the product at Amazon.com.
These offers used to come directly from Amazon. However, Amazon felt that companies were basically “buying” favorable reviews by giving away free or discounted products. Therefore, in the last few years Amazon has stopped sending most offers. For that reason, sellers are contacting the public directly, working outside the Amazon system.
If we really want to take advantage of such an offer, we must make sure that the product link goes to a genuine Amazon listing (use Appendix 1 to ensure that the address is amazon.com). Then fulfill the requirements of the offer, keeping a copy of all emails concerning the product and our anticipated refund. That way, if the refund never arrives we can complain to Amazon that one of their sellers is not fulfilling their promises. Amazon won’t make good on it of course, since they were not the ones making the offer. However, they will undoubtedly give the seller a hard time for trying to undercut their relationship with us, the customer. The fear of being dropped from the Amazon catalog makes most sellers treat buyers honestly.
Yellow Alert: Dangerous Emails Only For the Naïve
7. My Rich Nigerian Uncle
This category of dangerous emails used to claim to come from Nigeria. For that reason, they are often referred to as Nigerian spam. Today, however, they often claim to come from the UK or another English-speaking country.
The theme of the email is that someone has a large sum of money in a bank account, or in a package, or in a storage locker somewhere. They want us to participate in some scheme involving the money, and in return they will give us most or all of it. The email asks for our name, address and bank account numbers. If we respond to the sender they will often ask us to send money to pay certain fees required to release the goods.
8. Porn Spy
These dangerous emails claim to have videotaped us watching porn. They threaten to embarrass us by releasing the information to our friends and employer unless we pay money as ransom. In another variation, they claim to have installed malware on our computer which will erase the drive unless we pay them money.
The hacker sends this spam email to many random recipients. He hopes that some of them have done something they would like to keep private, and are gullible enough to believe that they actually have some personal risk.
Apparently enough people bite the bait to make this a profitable business. Fortune reports that scammers have collected about $1 million in this type of porn blackmail.
To the recycling bin with it…
9. Mystery Delivery For Me
This is an email stating that they have something addressed to us that could not be delivered. It may be a message, a photo, a package or whatever. They want us to click a link and correct or verify the correct address. As with other dangerous emails, if we study the links in the message we will usually see that they all go to the exact same address – a sure indication of a hack.
Email Triage
In practice, we don’t have to put a name to each of the dangerous emails. What we need is a quick and safe way to sort incoming mail.
Some people simply trash every suspicious email. And in this modern day, when many folks won’t even answer the phone, that’s an acceptable strategy. However, if we do that, every so often we’ll junk a message that we really want to read.
Some folks, like my friend Charles South, set up rules in the Mail application. (In Apple Mail, go to Mail – Preferences – Rules.) Charles sorts to a BlackList, a WhiteList and a “Suspect” folder. (These are emails that need further examination). If you can clearly describe the spam that most annoys you, and have the patience to write rules for it, this approach might save you a lot of trouble.
However, if you don’t want to have such a deep relationship with your mail program, I’ll give you an alternative. What follows is a suggested approach to triage suspicious emails into 3 categories: safe, unsafe and possibly unsafe.
Step through the email line by line:
Is the email from a person or business we already know? If not, possibly unsafe.
If the sender is a friend, study the sender’s address (use the pulldown menu to see the entire address). Is it our friend’s genuine address with no typos? If not, unsafe.
What if the sender is a business? If it’s a business that takes your money (financial institution or retailer) the address should begin https://, showing that it’s a secure website. But that itself is no guarantee of a legitimate web address, since some malicious websites also use https://. So you need to look further.
Look at the sender’s address to find the domain (the part after the @ sign and before a single slash “/”). If the domain doesn’t match the business, or if it’s a non-business domain (e.g. gmail or yahoo), consider it unsafe. Note that even if the domain seems to match, the address could be spoofed, so you can’t be sure the company actually sent it.
The final letters in the domain offer additional guidance:
- If the domain ends with a two-letter country code and you don’t regularly correspond with that country, consider it unsafe. Here are some country codes that are found in many dangerous e-mails: .cm (Cameroon), .cn (China), .ru (Russia), .tr (Turkey).
- Some top level domains sell addresses in high volumes to spammers. As of today, these are the worst offenders as a source of dangerous spam: .cloud, .fit, .ryukyu, .work, .gdn, .biz, .okinawa, .asia, .world and .ooo.
Does the subject make sense considering who it’s from? If not, consider it possibly unsafe. For example, a message from a person or business we know should have a specific subject, not a vague one.
This brings us to the body, the content of the email. Is there a salutation that calls us by name? If not, it goes in the possibly unsafe pile.
Does the text have obvious mistakes in spelling or grammar? Unless it’s from a friend who is a prankster or who is challenged in these areas, consider it unsafe.
Does the text contain any website links? Then look at each one as described in Appendix 1 below.
If all links, including specialized ones such as “unsubscribe,” go to exactly the same address, the email is unsafe. If any links go to an abbreviated address with the domain bit.ly, bitly.com, j.mp or tinyurl.com the email is unsafe. There’s no reason for a friend or a business to hide the destination of a link they send us. Is the anchor text (the word labeling the link) consistent with where the link leads? If, for example, the destination is a different website than the sender’s, consider the email unsafe.
At this point, the emails you have labeled unsafe should be deleted. Those labeled possibly unsafe may be kept, but you should probably not click on any links. If you want to look at the attachments you should follow the instructions of Appendix 2 below. The remaining emails are probably safe, but you should still be alert for anything that doesn’t look quite right.
Prophylaxis – Block the Spammers!
You may wonder, can we inoculate ourselves against at least some of the dangerous emails? Of course, we could use a mail program that automatically blocks emails not sent from names in our address book. But since return addresses can be spoofed, that is not sure-fire protection.
However, there are valuable things we can do. We can set up our computer to make the spammer’s job more difficult. Moreover, we can adjust the computer to display the hidden data behind which spammers hide. Knowledge is power, and we want our computer to tell us all that it knows about incoming email and its dangerous web links.
Here are recommended steps to take. And you only need to take them once:
1. Block Your Camera
Put a post-it or piece of duct tape over your computer’s camera. If you wish to be more stylish, use a sliding cover or decorative dot.
How this protects you: If you receive any email that claims to have been spying on you through your camera, you can automatically trash it!
2. Display All File Extensions
How this protects you: Spammers sometimes send executable programs such as Windows apps with the file extension .exe. They make the program look like an innocent document by adding a bogus file extension in front of the true extension. Thus they rename BadProgram.exe as BadProgram.jpg.exe. If your computer displays file names without the file extension, this file will look like BadProgram.jpg, a harmless image. By seeing the true file extension, you are immediately warned that the mystery file is not at all harmless!
3. Display True Web Addresses
Make sure that your browser displays the true web address. Test your browser by copying “xn--80ak6aa92e.com” into your browser address line. (This is a harmless page which demonstrates that an innocent-looking address may in fact not go where you expect it to.)
If the address displays as “apple.com”, your browser is being fooled by “punycode” which translates a foreign alphabet into English characters. Update your browser to the latest version and that should make it show the true “xn--…” address. However, if you are using a Firefox browser, you may need to adjust its settings.
How making this change protects you: Spammers may register websites in non-English alphabets such as Cyrillic. For compatibility with the English language web, the Internet translates these names into “punycode.” Older browsers translate these addresses into English characters for the convenience of the user. However, that allows a spammer to register a Cyrillic domain name whose English translation looks just like a familiar English-language website such as apple.com, microsoft.com and so forth. Even an expert cannot distinguish the fake website from the true web address just by looking at the English display. Thus a spammer can put links into dangerous emails, links which look legitimate but which go to fake websites.
However, if your browser is set to display the true punycode address, rather than Anglicizing it, when you examine the link or put it into your browser you can immediately see that it is a spurious website, not an honest one.
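As an added example (not code from the original post), here is a small Python script that shows a hostname the way a browser displaying true addresses would: every xn-- label is decoded back to the Unicode letters it stands for, and labels made of non-Latin letters, mixed scripts, or accented look-alikes are flagged. The sample hostnames are constructed; only xn--80ak6aa92e.com is taken from the post, and the chase look-alike is built from the accented “chasé” the post mentions.

```python
import unicodedata

# Constructed sample hostnames. "xn--80ak6aa92e.com" is the address the post quotes;
# the chase look-alike is built here from the accented "chasé" the post mentions.
CHASE_LOOKALIKE = "xn--" + "chas\u00e9".encode("punycode").decode("ascii") + ".com"
SAMPLE_HOSTS = ["apple.com", "xn--80ak6aa92e.com", "chase.com", CHASE_LOOKALIKE]


def decode_punycode_labels(host: str) -> str:
    """Show a hostname the way a browser that hides punycode would: each xn-- label
    is decoded (raw RFC 3492 punycode) back to the Unicode text it stands for."""
    shown = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            shown.append(label[4:].encode("ascii").decode("punycode"))
        else:
            shown.append(label)
    return ".".join(shown)


def scripts_in(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def inspect_host(host: str) -> dict:
    """Return the displayed form of a hostname plus the reasons it should be distrusted."""
    displayed = decode_punycode_labels(host)
    flags = []
    for label in displayed.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            flags.append(f"mixed scripts in '{label}': {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            flags.append(f"non-Latin letters in '{label}': {sorted(scripts)}")
        elif any(ord(ch) > 127 for ch in label):
            flags.append(f"accented look-alike letters in '{label}'")
    return {
        "typed": host,
        "displayed": displayed,
        "punycode": host != displayed,
        "flags": flags,
        "verdict": "spurious look-alike" if flags else "no homograph signs",
    }


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        result = inspect_host(host)
        print(f"{host:24} -> {result['displayed']:12} {result['verdict']}")
        for flag in result["flags"]:
            print("    ", flag)
```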
4. Use the “HTTPS Everywhere” Extension
Add the “HTTPS Everywhere” extension to your internet browser. Here’s what it does: if you give your browser a nonsecure HTTP internet address, the browser will try to send you to the corresponding secure HTTPS address.
If you use a Safari browser, unfortunately you are out of luck. Due to Safari’s different design, it is the one major browser type for which this extension does not work. However, if your browser is Google Chrome, Firefox, Opera or Brave, the HTTPS Everywhere extension is available, and free. The extension isn’t perfect: sometimes it cannot reach a site that you want, perhaps because the site has not been properly registered.
How does this extension protect you? One of the most dangerous weapons the spammer has is to present you with a fake website with an “almost” right web address. For example, instead of your bank’s website chase.com, the spammer might present you with a link to the website chasé.com. See the difference?
Your bank’s real website is secure, with the designator HTTPS. However, many spammers do not bother to get a security certificate for their fake websites. Therefore, a fake web address will frequently begin with HTTP, not HTTPS.
Your bank’s website address will look like this: https://chase.com. And with HTTPS Everywhere, even if you type in chase.com, the browser will correctly go to the https address. However, the spammer’s fake address will look like this: http://chasé.com. The lack of the “s” in “https” (and the absence of the padlock symbol in the address line) is a giveaway. If you had not previously noticed the difference in the addresses, the lack of security may now alert you that you are on a spoofed page and should close it immediately.
5. Take the Quiz
You can protect yourself in another important way. Test your “phishing awareness” by taking the phishing test offered by Google. If you pass this test you are safer than most people already.
6. Inoculate Those Who Depend On You
If you’re in a position of authority – a manager or IT person – there are folks who need and want your guidance. Teach them that any message that appears to come from you or your bosses should be viewed with suspicion as a phish. They should never click on a link or send sensitive information in response to such a message without independently checking with the apparent sender by some other means (not email). Is training necessary? Definitely! Phishing messages trap many people. Even trained recipients sometimes fall victim.
7. Protect Your Identity
In addition, please take sensible steps to protect your own identity:
- Never enter your true birthdate on a website, including social media.
- Use hardware or a service to back up your digital devices.
- Freeze your credit reports!
- Follow the advice “How To Protect Your Identity From Hackers” in my earlier blog.
I hope this blog has given you protection against the many dangerous emails that we all receive. Your comments and further suggestions are always welcome!
Image Credits: (all from pixabay.com)
– email marketing and phishing by Tumisu
– ecstatic alarmed, scam card and multi-tasking email by mohamed_hassan
– email envelopes by 200degrees
– axe murderer by Clker-Free-Vector-Images
Appendix 1: How To Decode a URL (Web Address) To Find the Domain
When you see a link in an email, you can determine its target URL by rolling your computer cursor over it (without clicking it!). If you’re using a mobile device such as smartphone or tablet you can press your finger steadily on the link (don’t release the pressure!) until a menu opens. The menu will show you the URL and also give you an option to cancel the command.
When a spammer sends you dangerous emails, they sometimes contain very long URLs in an attempt to hide the true address. Here is a fictitious but possible URL that imitates an AT&T web address:
As previously noted, legitimate business addresses often begin with the secure designation https://. On the other hand, fake addresses often begin with http://. However, there are so many exceptions that you need to study the address further to know whether it’s safe.
If a spammer included a link to this address and you examined the link, your display might show only the first part of the URL. But you cannot see where the link goes unless you take apart the URL to find the domain address.
Decoding, Step By Step
This is how you dissect the URL above, with the results shown in italics:
- Don’t click on the link! If you can’t see it all to examine it, then copy it onto a safe place, such as a new TextEdit window.
- Starting after the double slash //, go through the URL until you reach a single slash “/”, if there is one. Discard the single slash and everything that follows it.
- At this point, at the very end there may be a colon followed by a number, designating a port. If so, discard the colon and everything after it.
- Back up from the end until you encounter a period “.”. Examine the characters after the period, which constitute the top level domain.
- If there are two characters after the period, that is a country code, such as .uk for the United Kingdom. Sometimes you will see a generic commercial code just before it, such as .com or .co, both meaning “company.”
  *(not applicable in this case)*
- If there are more than two characters after the period, that is a generic top-level domain. Common examples are .com, .net, .org and so forth, but there are many, many more!
  *top level domain = “.com”*
- Back up before the top level domain (and any commercial code) until you encounter a non-alphanumerical character. The characters you have just passed over are the subdomain.
  *subdomain = “drqq”*
- The web address of the URL is the subdomain followed by a period followed by the top level domain.
  *web address = drqq.com*
And The Result Is…
After you go through this tedious process, the link in the example above is revealed to go to the web address drqq.com. Everything before those characters is junk intended to distract you. If the link truly went to att.com, that address would appear just before the single slash “/”.
Do not click any link supposedly from a business or government agency that contains bit.ly, bitly.com, j.mp or tinyurl.com. There’s no reason a business should have to use a shortened link address in an email. (If you really want to know where an address bit.ly/XXX goes, Wikipedia tells us that you can go to that address with a plus sign added (bit.ly/XXX+) to find out where it leads.)
Charles South points out to me that if your friend clicks a link to share a news article, sometimes the news site will send you such a shortened link to the article. OK, so perhaps this kind of link is safe if you know the person who sent it. But I would still advise caution, such as finding out where the address leads before you go there.
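The following Python script, added here as an example and not part of the original post, carries out the decoding steps of this appendix and the link rules from the Email Triage section (shortened links, risky top-level domains and country codes, anchor text that names a different site, and links that all share one destination). The sample URL is constructed, since the post’s own AT&T look-alike is not reproduced on the page; it is built to end in the same web address, drqq.com. It goes slightly beyond the post by taking each label whole between periods, so a hyphenated name is kept intact.

```python
# Constructed sample input: the post's own AT&T look-alike URL is not reproduced on the
# page, so this one is built to end in the same web address, drqq.com, that the post finds.
SAMPLE_URL = "http://att.com.account-verify.drqq.com:8080/login/att/?id=drqq"

# The lists below come from the post's triage rules.
SHORTENERS = {"bit.ly", "bitly.com", "j.mp", "tinyurl.com"}
RISKY_TLDS = {".cloud", ".fit", ".ryukyu", ".work", ".gdn", ".biz",
              ".okinawa", ".asia", ".world", ".ooo"}
RISKY_COUNTRY_CODES = {".cm", ".cn", ".ru", ".tr"}


def dissect_url(url: str) -> dict:
    """The post's decoding steps: keep what lies between '//' and the first single '/',
    drop any ':port', peel off the top-level domain (plus a .co/.com commercial code in
    front of a country code) and read the label just before it as the web address.
    Labels are taken whole between periods, so a hyphenated name stays intact."""
    url = url.strip()
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    after_scheme = url.split("//", 1)[1] if "//" in url else url
    host = after_scheme.split("/", 1)[0]                # discard the single slash onward
    host, _, port = host.lower().partition(":")         # discard ':port' if present
    labels = host.split(".")
    tld = "." + labels[-1]
    country_code = tld if len(labels[-1]) == 2 else None
    rest = labels[:-1]
    commercial_code = None
    if country_code and rest and rest[-1] in ("co", "com"):
        commercial_code = "." + rest.pop()
    registered = rest[-1] if rest else ""               # the post calls this the subdomain
    return {"scheme": scheme, "host": host, "port": port or None,
            "top_level_domain": tld, "country_code": country_code,
            "commercial_code": commercial_code, "registered": registered,
            "web_address": registered + (commercial_code or "") + tld}


def assess_link(url: str, anchor_text: str = "") -> dict:
    """Apply the post's link rules; 'reasons' make a link unsafe, 'notes' only suspicious."""
    parts = dissect_url(url)
    reasons, notes = [], []
    if parts["web_address"] in SHORTENERS:
        reasons.append(f"shortened link via {parts['web_address']} hides the destination")
    if any(label.startswith("xn--") for label in parts["host"].split(".")):
        reasons.append("punycode (xn--) label: possible look-alike domain")
    if parts["top_level_domain"] in RISKY_TLDS:
        reasons.append(f"top-level domain {parts['top_level_domain']} is a heavy spam source")
    if parts["country_code"] in RISKY_COUNTRY_CODES:
        reasons.append(f"country code {parts['country_code']} you do not correspond with")
    anchor = anchor_text.strip()
    if "." in anchor and " " not in anchor:             # anchor text that names a site
        claimed = dissect_url(anchor)["web_address"]
        if claimed != parts["web_address"]:
            reasons.append(f"anchor text says {claimed} but link goes to {parts['web_address']}")
    if parts["scheme"] == "http":
        notes.append("plain http, not https: study the address further")
    verdict = "unsafe" if reasons else ("possibly unsafe" if notes else "no red flags")
    return {"url": url, "web_address": parts["web_address"],
            "reasons": reasons, "notes": notes, "verdict": verdict}


def links_share_destination(urls) -> bool:
    """True when every link in a message (Unsubscribe, Update Profile, ...) goes to the
    very same address, which the post treats as a sure sign of a hack."""
    targets = {u.strip().lower() for u in urls}
    return len(urls) > 1 and len(targets) == 1


if __name__ == "__main__":
    parts = dissect_url(SAMPLE_URL)
    for key in ("host", "port", "top_level_domain", "registered", "web_address"):
        print(f"{key:18} = {parts[key]}")
    for url, anchor in [(SAMPLE_URL, "www.att.com"),
                        ("https://bit.ly/abc123", "Update Profile"),
                        ("https://www.youtube.com/watch?v=abc", "youtube.com")]:
        result = assess_link(url, anchor)
        print(result["verdict"], "->", url, result["reasons"] or result["notes"])
    print("all links identical:", links_share_destination([SAMPLE_URL] * 3))
```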
Appendix 2: Safe and Unsafe Attachments
In general, it is not safe to open an email attachment unless you know and trust its source. However, if you really want to press forward and see the attachment, here is a suggested way to proceed:
1. Show File Extensions
As noted above, you must adjust your computer to show the extensions of all files. That is the portion of the filename that comes after the very last period. If your computer suppresses the file extension, someone could send you a file with malware with multiple extensions, such as .jpg.exe. Your computer would only show the .jpg portion and hide the fact that the file is an executable program. Therefore, you must set your computer to show you all file extensions. And once you have done this, do not attempt to open any file type except a document (not an executable program).
2. Scan For Malware
Scan the attachment with an antivirus program. These programs are not 100% accurate in identifying all malware. If the program flags it as having a virus, delete it! If the program says it appears to be clean, then you have less risk of pushing forward.
3. View the Attachment
How to proceed depends on your computer’s operating system:
- In a Windows system, follow Microsoft guidance. Make sure that the attachment’s file extension appears on the list of low risk file types. View the attachment using only Notepad or Microsoft Windows Picture and Fax Viewer.
- In a Mac system, follow Apple guidance. Determine the apparent file type from its file extension and make sure it appears on Apple’s list of document types. Use the Get Info command in Finder to see the file’s “Kind.” If the Kind does not match the file extension type, delete the file. However, if it matches, go ahead and take a look:
- Charles South advises that on a Mac, you can select the file and click the space bar on the keyboard. Then the QuickLook app will show you the contents of many kinds of documents.
- You can also use the Preview app to view many types of documents safely.
- If it’s a .txt document, it’s safe to view it with the TextEdit program, but don’t open it with Office or another general-purpose program.
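As an added example (not code from the post, nor from Apple or Microsoft), this Python script applies the three checks above to constructed sample attachments: it reveals the true extension after the last period, flags stacked extensions such as .jpg.exe, compares the file’s real Kind (read from its leading bytes) with what the extension claims, and only then decides whether viewing is reasonable. The low-risk extension list is an assumption standing in for the vendor lists the post refers to.

```python
# Constructed sample attachments: (file name, first bytes of the file) as they might arrive.
SAMPLE_ATTACHMENTS = [
    ("holiday.jpg.exe", b"MZ\x90\x00\x03\x00\x00\x00"),       # executable in a .jpg disguise
    ("photo.jpg", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),   # name says JPEG, content is PNG
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),         # name and content agree
    ("notes.txt", b"Meeting moved to Thursday.\n"),          # plain text, no magic number
    ("invoice.docm", b"PK\x03\x04\x14\x00\x06\x00"),          # macro-enabled: not low risk
]

# File signatures ("magic numbers") for a few common kinds: the post's Finder "Kind".
MAGIC_NUMBERS = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
    (b"MZ", "Windows executable"),
    (b"PK\x03\x04", "ZIP archive (also Office .docx/.xlsx/.pptx)"),
]
KIND_FOR_EXTENSION = {"jpg": "JPEG image", "jpeg": "JPEG image", "png": "PNG image",
                      "gif": "GIF image", "pdf": "PDF document", "txt": "plain text"}
# Assumed allowlist of low-risk document types; the post defers to the vendors' own lists.
LOW_RISK_EXTENSIONS = set(KIND_FOR_EXTENSION)


def sniff_kind(data: bytes) -> str:
    """Identify the real file kind from its leading bytes, independent of the name."""
    for magic, kind in MAGIC_NUMBERS:
        if data.startswith(magic):
            return kind
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown binary"
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "plain text"
    return "unknown binary"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Apply the post's rules: reveal the true extension, flag stacked extensions,
    compare the file's Kind with what the extension claims, and decide what to do."""
    name_parts = filename.lower().split(".")
    extensions = name_parts[1:]                         # everything after the first period
    true_ext = extensions[-1] if extensions else ""     # the part after the very last period
    kind = sniff_kind(data)
    claimed_kind = KIND_FOR_EXTENSION.get(true_ext)
    problems = []
    if len(extensions) > 1:
        problems.append(f"stacked extensions .{'.'.join(extensions)}: true type is .{true_ext}")
    if true_ext not in LOW_RISK_EXTENSIONS:
        problems.append(f".{true_ext} is not a low-risk document type")
    elif kind != claimed_kind:
        problems.append(f"Kind '{kind}' does not match .{true_ext} ({claimed_kind})")
    if true_ext not in LOW_RISK_EXTENSIONS or kind == "Windows executable":
        verdict = "do not open"
    elif problems:
        verdict = "delete"
    else:
        verdict = "view with a simple viewer only"
    return {"file": filename, "true_extension": true_ext, "kind": kind,
            "problems": problems, "verdict": verdict}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        result = triage_attachment(name, data)
        print(f"{name:16} kind={result['kind']:24} -> {result['verdict']}")
        for problem in result["problems"]:
            print("    ", problem)
```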