Sunday, October 11, 2009

Be Paranoid

I'm not naturally a paranoid person. In fact, I'm very gullible. Just ask those who've played practical jokes on me. I like trusting people. Generally, I find myself rewarded for doing so.

However, when it comes to email, I'm not. Unfortunately, there is good reason for that. Using email is about the least safe thing you can do. And after reading the great blog post Five messages to never trust in your e-mail box, I realized that one should be even more cautious than sjvn suggested.

That doesn't mean you can't send emails to friends and colleagues or read those that they send you. In most cases, those will be safe. However, even reading those is sometimes risky, and I will expand on that in a bit.

The problem is that ordinary email does nothing to verify who sent a message. The name and address you see in the "From" line are simply whatever the sender chose to type, so you have no way of knowing whether the person sending you an email is who they claim to be. This includes email that looks like it is coming from your friends and co-workers. There are people who take advantage of that, and they are getting quite sophisticated at abusing the system to steal things from you via email.

Now, this stealing can be relatively benign, as in spam, where the sender is simply sending you an unwanted advertisement that you can ignore. The only thing stolen is the effort it takes to wade through the mounds of spam you receive every day, and email services do weed out some of it, so that you can dispose of much of the rest with one click.

And perhaps you actually like reading certain kinds of advertisements. I watch certain ads on TV from time to time because they are worth watching. With email, however, I advise you not to. The reason, again, is that the sender and/or the message can be forged. On TV (or radio), someone has to pay good money to get the message on the air, so it isn't cost effective to attempt a forgery.

Email forgery, by contrast, is essentially free. A criminal can use computers infected with malware and controlled remotely (called bots; a collection of them is a botnet) to send out as much email as desired at no cost, apart from the small risk of getting caught. That makes it worthwhile to try to con people by impersonating someone they would normally read. So if you read an advertisement in email, even one that looks like it comes from a company you normally deal with, it may be fake.

Let's use an example to make it more clear. Once I took an Alaskan cruise and allowed the cruise line to add me to their email mailing list. Now, I regularly receive messages that purport to be about low cost cruises they are offering. I'm sure most of those offers are real. However, if just one is a fake and includes a link to a site that seems to be the cruise line's site, and I follow that link thinking I'm about to get a good deal, I could be clicking on a link that loads a virus onto my computer which then captures my credit card information as it passes the information on to the real site and registers me for the real cruise deal. Since I get to go on the cruise, I'm none the wiser that someone has stolen my credit card information, until sometime later when charges I've never authorized start appearing. And yes, the criminals who are doing these misdeeds are getting that good.
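To show concretely why the "From" line and the visible link text prove nothing, here is a small added example (my illustration, not code from the original post). It parses a constructed promotional message, whose sender, hostnames and addresses are all made up, and reports each link whose real target differs from the URL the reader is shown, or whose target is not under the domain the sender claims to be writing from.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example. The From: header, the
# hostnames and the addresses are invented; none of them are real.
SAMPLE_MESSAGE = b"""\
From: "Cruise Deals" <offers@example-cruises.com>
To: you@example.net
Subject: Last-minute Alaska cruise: 60% off
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Book by Friday to claim the discount.</p>
<p><a href="http://198.51.100.7/book">http://www.example-cruises.com/deals</a></p>
<p><a href="http://www.example-cruises.com/privacy">Privacy notice</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _same_site(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_links(raw_message):
    """Parse a raw email message and report, for each link in its HTML body,
    whether the real target disagrees with what the reader sees."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # The From: header is whatever the sender typed. It is not verified; we
    # only use it to check whether the links agree with the claimed identity.
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content())

    report = []
    for href, text in collector.links:
        reasons = []
        target = _host(href)
        if text.lower().startswith(("http://", "https://")) and _host(text) != target:
            reasons.append("visible URL host %s differs from real target %s" % (_host(text), target))
        if not _same_site(target, sender_domain):
            reasons.append("target %s is not under claimed sender domain %s" % (target, sender_domain))
        report.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return report


if __name__ == "__main__":
    for entry in analyze_links(SAMPLE_MESSAGE):
        print("SUSPICIOUS" if entry["suspicious"] else "ok", entry["href"], "shown as", repr(entry["text"]))
        for reason in entry["reasons"]:
            print("   -", reason)
```

The first link is flagged twice: the text shows the cruise line's address while the link actually goes to a bare IP address, and that address has nothing to do with the claimed sender. The second link is internally consistent. Note the limit of such a check: a careful forger can make the links and the "From" line agree, so a clean report does not make the message genuine, which is exactly why the advice below is to leave the links alone and contact the company another way.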

So, if the situation is that bad, what does one do?

1) Never click on any link (or call any "commercial" phone number) in any email message. If, for some reason, you want to respond to the message, contact the relevant party by another means.

For example, I once received what appeared to be a phishing message suggesting one of my accounts had been hacked. I did not click on the web address in the message nor call the number listed. Instead, I found the company's phone number from a separate reliable source (e.g. by calling information at the telephone company) and got in touch with the company's fraud department that way. It turned out the original link and phone number were both fraudulent, and had I not been cautious, I would certainly have been scammed.

I had a similar experience when I received a message suggesting that an account I had had been granted a special offer, but the company wasn't one I regularly dealt with. Again, I got a separate number for the company and contacted them that way. The company was able to identify the special promotion that was being offered and make it available to me. The company was not able to identify the phone number that was in the offer, though. So, who knows who I would have reached if I had called it.

2) Know that your bank or other company is never going to contact you about legal matters through email, unless you are already in an ongoing email dialog with them.

The closest you will get to that is "privacy notices" stating general policies, or alerts you have specifically requested. However, if something happens to your account, email is unlikely to be the bank's first choice for contacting you. It tends not to protect their legal rights, so it isn't in their best interest to use it.

If you have alerts set up, say for a credit card balance, again remember to check the information using a separate method of contacting the company. Don't click on the link in the alert. With a credit card, you can log in to the web site (the one you know because you've used it before and written down the web address) or call the number on the back of your credit card to check your balance.

3) Even if the message appears to be from a friend, don't click on the link unless this is someone who regularly sends you such links.

Another technique that is becoming increasingly common is called spear phishing. In this case, the miscreant finds a way to get someone's email address book and forges emails from that person to the addresses in the book. Those messages can look more legitimate than ones from a bank. Such messages could contain viruses (or links to viruses). So, unless you and your friend regularly exchange information via links, assume that the link in the email is not actually from your friend but from an impostor. This is particularly true if the link appears to be to some "good deal" web site that you just must see to believe.

4) Don't reply to emails or forward chain-mails.

While some of them may be legitimate, that doesn't mean they can't be intercepted for misuse. A chain-mail can carry hundreds of real email addresses, the addresses of people who typically forward chain-mails. Once one of those gets into the hands of a criminal, the criminal has a whole list of easy marks to target, marks who will further spread the message to other unsuspecting people.

Unfortunately, this also includes many charity requests. Sadly, you don't know whether the person sending the request really does have a child with cancer or not. Any money you send might actually be going to a criminal. Even if the message appears to be from a friend, criminals could still be diverting the money into fraudulent accounts.

Again, if you really want to do something, find a way to contact the person through another reliable channel and then mail the person the money. If you really want to give to a charity, validate that your money is really going to the charity--all charities have real addresses where you can send them a check in a letter. Almost all of them have phone numbers listed with the phone company and will happily take money that way too.

Finally, these hints apply to unsolicited phone calls, to people going door-to-door, to people communicating by Twitter or Facebook, to any place where you don't know the person. You can still generally buy cookies and candy safely from the kids coming to your door, but beyond that, everyone you don't know is suspect. And therein lies the real lesson. The internet may have made the world a smaller place and made it easier for people with bad intent to try to scam us, but the basic techniques have been known to con-men for ages, and they will keep reworking them and making them more sophisticated to try to steal from us.

However, a little paranoia can stop you from being an easy victim. It has saved me and I would normally be an easy mark. And if you aren't an easy victim, perhaps you won't be a victim at all.

Disclaimer: I work as a security researcher at Intel, but my job has nothing to do with this advice. I don't work in fraud prevention or in securing Intel's email or web sites. All information in this posting is based solely upon my experiences and opinions.