Email-based cybercrime continues to thrive, but even the savviest users might fall for a clever scheme. Deb Shinder offers tips to help you and your users remain vigilant.
Use of the communications infrastructure for for illegal or fraudulent purposes has been a problem since the inception of such systems. The U.S. Congress passed legislation outlawing mail fraud in 1872. It was inevitable that, when an electronic substitute came along, criminals would take advantage of it to further their scams.
Phishing may seem like "old news," but the phishing emails continue to pour in. During the holiday season, they become more prevalent - and in some cases, more sophisticated. And even if you think you're too smart to be taken in, if you're really smart, you'll heed the seasonal advice that "You better watch out" and look closely before you click on links or attachments in any email messages, no matter who appears to have sent them.
Perhaps even more important, be sure to warn those in your organization or household, who may not be as tech-savvy as you, of the need to be particularly vigilant now. Don't assume that just because they've been warned before, they won't fall prey to the new tricks; busy people caught up in the spirit of the holidays tend to be more vulnerable.
Don't be provoked into a hasty reaction
Scammers have a whole arsenal of tactics they use to try to get you to react, from pulling on your heartstrings with tales of starving children or puppies about to be euthanized to scaring you half to death with "official notices" from the IRS or your credit card company. Even if you've seen it all, some messages can evoke a visceral reaction that could cause you to click before you think - and that's exactly what the criminals are going for.
My husband and I both experienced a moment of shock when we received copies of an email purporting to be from our wireless phone provider. It was formatted in the same way as the real messages we frequently get from the provider, but this time, instead of notifying us that our monthly statement was ready in the average amount we usually see, it announced that the bill was almost $2000!
It's not like this was completely impossible. My husband had just returned from a trip to Russia, where he had taken his phone. We had gotten a genuinely shocking bill in the amount of over $800 a few years ago when he went to Israel and didn't realize the ramifications of data roaming. And even though he had taken care to keep data turned off this time, my first thought was that he messed up and ran up another big bill.
But before I clicked on anything, I looked a little more closely. The return address appeared to be from verizonwireless.com, but wait a minute - the message was sent to one of my secondary email accounts, which is not the one that's on file with Verizon. Upon further examination, the language in one place wasn't quite right, either. An examination of the headers revealed the truth: the message originated from an address outside the country, and authentication results showed that the IP address did not match the VZW.com address shown.
Many computer users, however, undoubtedly react emotionally to the large amount of money they "owe" and click the link to get the details before checking out the message more thoroughly. And it's not as if current email software always makes it easy to even find the Internet headers. In Outlook 2010, for example, you have to open the message, go to the File tab, and click the Properties button. That's not particularly intuitive for someone who doesn't do it all the time.
Because people often run up larger bills during the holidays than at other times of the year, scammers will take advantage of your fear that the big bill might actually be legit to try to fool you into clicking a link that will take you to a malware-laden site or downloading an attachment that contains a malicious payload.
You can't necessarily trust "trusted" senders
We all have certain people whose messages we trust because we trust them. We know grandma isn't going to (intentionally) send us porn links or viruses, but if grandma is technically naïve, we also know that her computer might very well have gotten infected without her knowledge. Thus, even though we trust grandma herself explicitly, we may not consider her to be a trusted sender.
The real danger comes from those we believe to be too security-conscious or too expert to have to worry about. A sad fact that I learned back when I was a police officer was that firearms instructors - those who had the most knowledge and experience with guns - so often experienced "ADs" (accidental discharges). Likewise, it was the long-time traffic cops, the ones who had been doing stops for decades, who most often made the mistakes that led to them being shot when walking up to a vehicle. The reason for this is complacency - that sense that because you have experience and knowledge about something, you're immune to its dangers. It leads you to let your guard down, to be less cautious than you should. And IT security professionals are just as prone to it as experts in any other field.
In fact, those who are most "expert" in IT tend to be the very ones who are most likely to turn off protective measures, such as blocking of attachments with particular file extensions, or use workarounds to defeat measures that are intended to keep them safe from malware.
There are three primary vectors for attacks via email: attachments, HTML mail, and links in the body of email messages. Opening attachments can activate the installation of viruses, trojans or worms that are embedded in the files. Scripts can be hidden in HTML pages. Links can take users to malicious web sites that surreptitiously dump "drive-by downloads" onto the system, or to phishing sites that resemble legitimate sites and thus trick the user into providing personal information and/or financial account information. Cybercriminals use all of these techniques to attack systems, steal information, and commit other illegal acts.
Criminals can use email itself as the "weapon" in a denial of service attack. Email bombing is a term used to describe the sending of huge numbers of email messages to a victim in order to overload the email server or individual account. This can be done by subscribing the victim to a large number of high volume mailing lists, or by using tools for automating the bombing process that are made available through some black hat hacker sites.
Criminals often create "spoofed" email messages that appear to come from a source other than the actual sender. They may also use email anonymizer services to disguise the origin of their messages.
Email can, of course , be used for the same criminal purposes for which postal mail has been used. Threatening email messages may constitute the crime of terrorist threat, assault by threat, or other specific offenses (depending on the laws of the state or country where they're received). Email that doesn't rise to the level of physical threats may fall under cyberstalking or harassment statutes.
White collar crime (financial crimes such as embezzlement, insurance fraud, bank fraud, blackmail, bribery, credit card fraud, insider trading, and so forth) often involve the use of email. Both violent and non-violent criminals use email because it's convenient and leaves less physical evidence. Sending spam - unwanted commercial messages - maybe be considered a crime, too, under the U.S. federal CAN SPAM Act and various state laws.
Just as email can be the weapon in a cybercrime, email can also be the victim - that is, criminals may intercept others' email messages to harvest the addresses, personal information or company trade secrets.
Preventing and stopping email-related cybercrime
Victims of email-related crime often don't report the crimes to authorities because they believe there's little that can be done. It's certainly true that jurisdictional issues and the difficulty of identifying the perpetrators can make it difficult to prosecute these crimes, but a concerted effort by both individuals and businesses, in conjunction with law enforcement agencies, has brought down a number of criminal operations that used email to do their dirty deeds.
The partnering of large corporations with government to bring more resources to the effort to track down and disable cybercriminals can make a big difference, as well. Microsoft's Digital Crimes Unit's work on bringing down major botnets such as Rustock and Kelihos has helped reduce global spam levels. The DCU has also teamed up with Microsoft Research to use technology to track child sex trafficking. A group of private sector organizations called the International Cyber Security Protection Alliance, with members such as McAfee and TrendMicro, recently announced its intent to work with governments in fighting online crime.
The civil court system can be used against email abusers, in place of or in conjunction with criminal laws. Because the level of proof is lower in civil cases, it may be easier to win cases against cybercriminals there. Microsoft's lawsuits against the Rustock and Kelihos defendants were instrumental in the take-down of those bots. In a recent civil judgment, Yahoo won a $610 million award from scammers who tricked Yahoo Mail customers into providing personal information by running an email-based lottery scheme.
Of course, from the point of view of the victims, an ounce of crime prevention is worth a pound of prosecution. Companies and individuals can take steps to keep cybercriminals out of their email systems or to prevent the malicious code they send from doing damage. Firewalls, anti-virus, and anti-malware software is a given. All computer users should be educated on best email practices, including basics such as:
- not opening unexpected attachments
- not clicking hyperlinks
- setting mail clients to display mail in plain text instead of HTML
- protecting the privacy of your primary email account, and using a "throwaway" web mail account for purposes such as registering on websites and mailing lists, or giving your address to anyone who might use it for spamming or sell it to someone who does.
Companies can cut email risks by using web forms on their websites as a means for people to contact them, instead of publishing company email addresses.
Encryption can thwart the plans of thieves to harvest information from email messages, and it's also important to remember to completely destroy the email messages stored on a computer's hard drive if you give the computer to someone else or recycle it. The safest route is to physical destroy the drive; if that's not feasible, use a program that overwrites the data multiple times. Remember that simply deleting files or even formatting a drive does not erase the data on it.