
E-mail Safety and Security (Part 2)

Jeff Jones, Research Fellow

This month’s article continues the series on computer and network security I started back before the a la mode Convention. This is Part 2 in a two-part series focusing on e-mail best practices. Whereas in Part 1 (see Part 1) we discussed the proper handling of e-mail attachments and reducing spam, today I want to talk about other threats, including “phishing” and “loaded” e-mails.

Like many terms related to computing and technology, “phishing” is a made-up word. A few years ago it didn’t exist. As with the terms “e-mail” and “Internet”, we’ve grown accustomed to new words being added to our vocabulary on a regular basis, and phishing is one of the newest. Obviously, it’s a play on the word “fishing”, and it describes a particular class of malicious e-mails that, as a rule, try either to steal your personal information or to extract money and/or other items of value.

We’ve all seen those e-mails that claim to be from a representative of a foreign government (often Nigeria) who has some money in their possession that is rightfully yours or, better yet, needs help “disbursing” the funds, after which you will receive a percentage. Another hook is the legitimate-looking e-mail that appears to be from your bank or an online retailer, telling you your account has been compromised and “locked” for your security. The message goes on to suggest you click a convenient link to be taken to their web site in order to clear things up. Of course, along the way you are asked for your user name and password, or possibly even more confidential personal information. These are only two examples and there are endless variations, but you get the idea. Although these scams are now almost passé, it is surprising how many people still fall for them.

The good news is that it’s really easy to protect yourself from all of them. There is only one rule you need to remember. Just as with e-mail attachments, NEVER reply to or click an e-mail link UNLESS you know who it’s from and where the link is taking you. Knowing who it’s from is simple: either you do or you don’t. If you don’t, delete it.

Even if you do know the sender, that’s great, but it’s not good enough. Here’s a tip: take your mouse and hold it over the link (the blue highlighted text in the e-mail). Don’t click anything; just hold it there. A text box should pop up and tell you exactly where the link is pointing. Read it from left to right and pay particular attention to the first *****.com, *****.net, etc. you come to. That is the domain you are actually being directed to.

For example:

If the link reads: https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

Holding your mouse over it should read:
https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

This link is relatively safe.

However... IF the link reads: https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

BUT holding your mouse over it reads something like:
http://65.35.92.193/.us/index.php?MfcISAPICommand=SignInFPP

This link is NOT safe. It does not point to paypal.com. DO NOT click it.
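Here is the same hover check written as a short Python script. This is an added example, not part of the original article: it reads the links out of an HTML message body, compares the domain the visible text shows with the domain the link actually goes to, and flags links that lead to a bare IP address like the one above. The message body it parses is constructed for the example, and the example.net look-alike is an assumed third case added to show that the same check catches a misleading subdomain.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(text):
    """Lowercased hostname of a URL; None when the text is not a URL (e.g. 'Click here')."""
    host = urlsplit(text.strip()).hostname      # drops scheme, 'user@' prefix, port and path
    return host.rstrip(".") if host else None

def registrable_domain(host):
    """Last two labels, e.g. 'paypal.com' (simplification: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def check_link(visible_text, href):
    """The hover check in code: compare what the text shows with where the href goes."""
    target = host_of(href)
    if target is None:
        return "unsafe: link has no host"
    try:
        ipaddress.ip_address(target)            # e.g. 65.35.92.193 instead of a bank's domain
        return f"unsafe: link goes to a bare IP address ({target})"
    except ValueError:
        pass
    shown = host_of(visible_text)
    if shown and registrable_domain(shown) != registrable_domain(target):
        return f"unsafe: text shows {registrable_domain(shown)} but link goes to {registrable_domain(target)}"
    return f"ok: link goes to {registrable_domain(target)}"

class AnchorCollector(HTMLParser):              # gathers (visible text, href) from <a> tags
    def __init__(self):
        super().__init__(); self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href)); self._href = None

def audit_email(html_body):
    """Return [(visible text, verdict), ...] for every link in the body."""
    parser = AnchorCollector(); parser.feed(html_body); parser.close()
    return [(text, check_link(text, href)) for text, href in parser.links]
# Constructed sample (not a real message): the article's safe link, its IP look-alike, and a subdomain trick.
SAMPLE = """
<a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a>
<a href="http://65.35.92.193/.us/index.php?MfcISAPICommand=SignInFPP">https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a>
<a href="https://www.paypal.com.example.net/login">https://www.paypal.com/</a>
"""
```

Running `audit_email(SAMPLE)` marks the first link ok and the other two unsafe; text that is not itself a URL (“Click here”) is not compared, so a link is judged only on where it really goes.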

So how easy is it to create one of these messages with misdirected links? As an example, let me show you how easy it is to create a bogus logo that looks like it came from bankofamerica.com...

[Image: the copied Bank of America logo]

There. All I did was copy and paste from their web site. It’s just as easy to create an entire e-mail that looks exactly like it came from BOA. With some basic web and photo editing software and a little practice, anyone can do it. From there it would just be a matter of changing the links in the e-mail to point to my servers instead of the bank’s, and just like that, I have your personal banking info. Now I can go shopping.

There is an alternative, even more foolproof way to follow a link: don’t click it at all. Delete the e-mail and browse to the web site manually.

Here’s what I mean:

Let’s say you receive an e-mail from your bank, for example bankofamerica.com. Remember, no reputable online merchant, vendor or financial institution will EVER ask you to provide information they already have (credit card numbers, passwords, addresses, etc.). They may, however, ask you to update certain information, such as a credit card expiration date, and that request may arrive as an e-mail. The best practice is simply to delete the message, open your web browser and type www.bankofamerica.com yourself. Log in and update your information there. This way you avoid clicking the link altogether, and you can be sure the site you are viewing is the one you intended to visit.

Phishing is one of those scams that no one should fall for, yet it happens every day, and sometimes it catches even the most savvy computer users. Never let your guard down when it comes to e-mails from online vendors and third parties, whether or not you are familiar with them. Investigate the link BEFORE you click it or, better yet, delete the e-mail and resign yourself to the fact that the exiled President of Nigeria really doesn’t have any money for you.

Now let’s talk about something even more malicious than phishing e-mails: “loaded” e-mails. These insidious little creatures don’t seek to steal your information or money but rather to infect your system with a worm, virus, Trojan or the like. They are much like malicious e-mail attachments, but far more covert.

Whereas e-mail attachments (see Part 1 of this article) must be opened in order to release their malicious cargo, a loaded e-mail needs only to be viewed, or to have an embedded link clicked, to carry out its mission of infecting your machine. These messages contain malicious code that is capable of executing itself and can be very difficult to defend against. The good news is that, at least for now, they are rare, and the ones I personally have seen have been quite crude, but the concept is frightening. Imagine merely viewing an e-mail and having a nasty virus infect your computer or network.

Again, apply the rule: is the message from someone you know, and can you trace the link? Another step you might consider to defend yourself against this type of threat is to turn off the “Preview” pane in your e-mail client (Outlook, Outlook Express, Microsoft Mail, etc.). This way you will not accidentally view one of these messages before you can screen it.

So what’s the bottom line on e-mail security? Taking into account the recommendations I made in Part 1 about spam and e-mail attachments, as well as what we discussed today, here’s a summary:

  1. Protect your business e-mail address by giving it only to colleagues and business associates.
  2. Establish separate e-mail addresses for personal and “junk” use, and use them. Give extra scrutiny to messages sent to those addresses and delete any that are the least bit suspicious.
  3. Never hesitate to delete an e-mail sent to your personal or junk address. They are not that important.
  4. Avoid corresponding with users who consistently send you jokes, videos and other messages that typically contain links and/or attachments. (There, I said it.)
  5. Never reply to a spam message asking to be “removed from their list”.
  6. Apply the two questions to EVERY e-mail attachment before you open it: Do I know who it’s from? Do I know what it is? If the answer to both is not “Yes”, delete the e-mail.
  7. Before clicking a link in any e-mail, attempt to trace it. If that doesn’t work or you cannot be sure of its origin, delete the message and browse to the site manually.
  8. Turn off the preview pane in your e-mail client software.
  9. Never hesitate to e-mail, or pick up the phone and call, the sender if you receive something that looks suspicious. Never assume.
  10. Never rely on your security software to tell you something is safe.
  11. Develop a clear, enforceable office policy regarding the use of e-mail (both business and personal) on company time.
  12. Web-based mail (gmail.com, etc.) is no safer than using your mail client.
  13. If in doubt…DELETE.

Well, that’s about it for e-mail. My goal was not to give you exhaustive instruction on e-mail security but rather to give you the knowledge and tools to effectively screen your own messages, as well as to develop an internal office policy that works for your shop. The bottom line is: pay attention. I don’t think I have ever heard anyone say, “Well, I knew it was something bad, but I just went ahead and opened it anyway.”
