Many cybercrime stories still start exactly the same way – someone opens an email, clicks an attachment, and unwittingly pulls the trigger.
Many of us have got wiser to email spams and scams – but cybercriminals are in the perfect position to “fine tune” their attacks. If one doesn’t work, they simply adapt, improve, and spam it out again.
Spear-phishing attacks – carefully targeted emails aimed at penetrating corporate networks – are also on the rise this year, according to the FBI. These use personal information to convince the recipient they are legitimate, and are far slicker and more convincing than the poorly spelt spam emails comedians used to laugh about.
Worried you’re being phished? Look closely at the bait
Take a look at who the email is from. The sender address can be forged, so a plausible-looking address proves nothing – but not all phishers are this careful, and a random or unrelated address gives the game away. Check the link you are supposed to click by hovering your mouse over it: the pop-up or status bar shows the real destination, which may differ from the text you see. Look closely at the domain. Does it make sense for the company supposedly writing to you? Is it misspelt, or a look-alike? If any alarm bells start to ring, don’t click.
Invoices, wedding invitations, tax returns – cybercriminals use them all
To a cybercriminal, nothing is sacred – wedding invitations, invoices, and tax returns are all commonly used lures. Always think hard before opening ANY attachment – even ones that seem to come from friends, since a friend’s account may have been compromised. Is it surprising that this person is getting married – or that the IRS are suddenly demanding you refile your tax forms? Don’t click.
Be extra careful around shortened URLs
Services such as TinyURL are de rigueur on Twitter – but you should be cautious around them, especially in an email. If there isn’t a cap on the number of characters, why has someone shortened the link? ESET Senior Research Fellow David Harley says, “You cannot take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. Indeed, spam tweets containing a short link to a spammy or unequivocally malicious site are all too common. LongURL [http://longurl.org/] lets you see the expanded version of a shortened URL before you go there. TinyURL will let you do this for tinyURLs.”
Telephone numbers aren’t a guarantee an email is real
Do not trust an email just because it looks professional and includes a phone contact number – this can be another cybercriminal trick. The number may well work, but you will be connected to a scammer instead of the company you are hoping to speak to, and they will attempt to talk you into handing over further details. If you want to call, look the number up independently rather than using the one in the email.
Don’t publish your email address
Publishing your email address on the internet can be a bad idea – both for individuals and for companies. Earlier this year, electricity companies in the U.S. were targeted with a well-crafted “spear phishing” attack, which used information published on company websites. If there is any way to avoid publishing your email address, do so.
Don’t auto-load images
Leave your email settings so that images aren’t downloaded automatically – otherwise you could be sending a signal to spammers. Images in spam are often hosted on the spammer’s own servers, and the image URL can be unique to your copy of the email. When you turn pictures on, your computer fetches the image from the spammer’s server, confirming that your address is live and that the message was opened.
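The checks described in the sections above – the sender address, the hover-over link destination, shortened URLs, and remote tracking images – can be automated against a raw message. The following is an added Python example written for this page; it is not code from the article or from ESET. The sample message, every domain in it (all under the reserved `.example` TLD), the `SHORTENERS` list and the 1x1-with-token rule for tracking pixels are assumptions made for the demonstration.

```python
# Added example: automate the visual phishing checks from the article on a raw
# email. The sample message, all domains in it, and the shortener list are
# constructed for this illustration; none comes from the original article.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a handful of well-known URL shorteners; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed phishing-style message: the display name carries a bank address
# while the real sender is a bulk-mail host; the first link's visible text and
# its real destination differ; the second link is shortened; a 1x1 image with a
# per-recipient token acts as a tracking pixel; the logo is an ordinary image.
SAMPLE = b"""From: "Acme Bank <alerts@acmebank.example>" <mailer@bulk-send.example>
To: victim@example.org
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://acmebank-secure.example/login">https://acmebank.example/login</a> now.</p>
<p>Or use <a href="http://bit.ly/3xyzabc">this short link</a>.</p>
<img src="http://track.bulk-send.example/open.gif?u=a1b2c3" width="1" height="1">
<img src="http://acmebank-secure.example/logo.png" width="200" height="60">
</body></html>
"""


class LinkAndImageParser(HTMLParser):
    """Collects (href, visible text) for anchors and (src, width, height) for images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the anchor's visible text is itself a URL or bare domain."""
    return re.fullmatch(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", text, re.I) is not None


def host_of(url):
    """Lower-cased hostname of a URL; a scheme is assumed if none is given."""
    p = urlparse(url if "://" in url else "http://" + url)
    return p.hostname.lower() if p.hostname else None


def analyse(raw):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender: an address written into the display name that differs from
    #    the real address is the classic "look who it's from" tell.
    sender = msg["From"].addresses[0]
    shown = re.search(r"[\w.+-]+@[\w.-]+", sender.display_name)
    if shown and shown.group(0).lower() != sender.addr_spec.lower():
        findings.append(f"sender: display name shows {shown.group(0)} but mail is from {sender.addr_spec}")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    parser = LinkAndImageParser()
    parser.feed(html_part.get_content())

    # 2. Links: what the hover pop-up would show versus what the text claims,
    #    plus shortened URLs that hide the destination entirely.
    for href, text in parser.links:
        dest = host_of(href)
        if dest in SHORTENERS:
            findings.append(f"link: {href} is a shortened URL; expand it before visiting")
        if looks_like_url(text) and host_of(text) != dest:
            findings.append(f"link: text says {host_of(text)} but points to {dest}")

    # 3. Images: a remote 1x1 image carrying a unique token is a tracking pixel;
    #    loading it tells the sender the address is live (assumed heuristic).
    for src, width, height in parser.images:
        if width in ("0", "1") and height in ("0", "1") and "?" in src:
            findings.append(f"image: {host_of(src)} serves a 1x1 image with a unique token (likely tracking pixel)")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

Run against the constructed message this reports four findings (the mismatched sender, the mismatched link, the shortened link and the tracking pixel) and nothing for the ordinary logo image. The rules are deliberately simple; a mail gateway would add reputation data and look-alike domain detection on top.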
Don’t spam yourself
Always be careful when filling out internet forms – especially around boxes saying, “I want to receive information.” Most reputable companies are safe, but customer lists can change hands – and your email address can end up being passed on. It’s also best to avoid receiving notifications from sites such as Twitter or Facebook – they clutter your inbox, and that “chaff” is useful to scammers and spammers.
Don’t store sensitive details in your “Sent” folder
For a cybercriminal, a personal email account is a treasure trove of information – much of which is useful for identity theft. Don’t leave information such as bank details, credit card numbers or passwords in your “Sent” folder – in fact, it’s safer never to send such details by email at all. Pick up a phone instead.
Don’t have an obvious recovery question
Questions such as the name of your first school may be easy for a criminal to answer – especially if your social network profiles say where you’re from. Instead, make up your own question, and make it hard. That closes off a “back door” into your email account.
Changed job? Change your recovery email address
If the worst does happen, you need to be able to get back in – and if you no longer use your “recovery” email address, you may not be able to. Make sure yours is up to date.
Worried? Watch who’s logging in
Many email services have a function that shows where your account is being accessed from – which can alert you if someone else is using it, and lets you sign out other sessions. In Gmail, for example, the “Last account activity” link at the bottom right of the inbox lists which devices and apps have accessed your account and when. If in doubt, sign out every other session and change your password.
Author: Rob Waugh, We Live Security