Scammers, Spammers, and Outright Digital Thieves

by ETG Blog | Mar 02, 2021

In a perfect world, every email we receive would be safe. Email is one of the fastest and most effective ways of engaging a person with information. While the good outweighs the bad in most cases, it is very easy for email to be used for malicious purposes. Consider an example: if you were walking down the street and someone walked up, said they were from your bank, and needed you to confirm some personal information, you would instinctively know that was a bad idea. When they drop into your inbox, though, with an email that looks just like the others you get from your bank, it's a lot easier to slip up and believe it actually is from your bank. This is a psychological trick that has been used since email went mainstream, and it has become a lot easier over time to exploit in a believable manner. This article will address some of the things that go into trying to steal your information and keeping you from knowing.

Keeping the Pressure On

The number one way that scammers, spammers, and outright digital thieves engage you is with pressure. They send you an email with something like "Your bank account has been compromised by a fraudulent money withdrawal. Click here to reset your password and start the fraud claim process immediately." This is how many of them pull you in. If they can get you to react quickly enough you'll click on something they never could have persuaded you to click. What comes next is based on their intent. Sometimes it's to validate your email address so it can be sold in bulk to other scam/spam locations, other times it's much more malicious. In some cases, scams involve both an email intended to get you to react without thinking it through, followed with a copycat page that looks just like your bank or other institution. Something that looks real and safe but asks you something like "enter your password to start the reset process" can do immense harm to your life, from draining your bank account to identity theft. When in doubt, skip the email links and go straight to the source. If you believe your bank account password has been stolen, go straight to your bank's website and start the process there. When you are using the bank's legitimate process for safely resetting your passwords or providing sensitive information you can ensure you aren't being scammed by a copycat website. Remember, when you see an item in your inbox you should only trust it if you are expecting it and it's from someone you trust. Unsolicited emails that require you to do something fast are usually unsafe.

Another example of this tactic is email about domain registration or renewals. You might see an email saying "Your domain is about to expire. Click here to renew it before you lose access to your website." In the wrong moment, when you are busy or distracted, you might be tempted to click the link and "renew" your domain registration. In most cases, this fraudulent email is an attempt to have you reactively pay for a fake renewal. This can cost you much more than the ill-gotten charge once your credit card information is saved in their system. In most cases, fraud doesn't occur the minute you make a mistake. It will happen later down the road, after things seem safe.

This is an article about email safety. However, if you fall prey to one of these emails and do enter information like passwords or credit card numbers, you should have those passwords reset or your card reissued as stolen to be safe. It's not worth a panic, but correcting this early can save you time and money later trying to correct fraudulent use of your information.

Tip: Anytime you receive an email you aren't expecting, take a moment to ask yourself if it is trying to pressure you to do something quickly. In most cases, emails doing that are an attempt to persuade you to follow a risky process without stopping to think about the validity of the process.

Masked Invaders

Another way that malicious emails attempt to engage you is by literally impersonating someone. Sometimes this is done with an email address that looks similar at a glance, like "do-not-reply@somebank.web.com". Other times, it's done with a trick called "spoofing", where they send an email using someone's real email address and use a few tricks to get that email to you without being filtered. There are several ways that companies try to prevent this, but the most common is using records that tell the internet which mail servers can legitimately send mail to you. With enough ingenuity, though, and by finding a site that doesn't cover certain situations, they can send you an email disguised as being from pretty much anyone. This is yet another way of trying to get you to believe the content without thinking about what the content really is. Consider a situation where you receive an email from a close friend that you weren't expecting. It's something innocuous sounding, maybe about a product they found or about some amazing deal they found. Most of these you can tell right away are fake, but the dangerous ones are those that sound safe or catch you at a busy moment where you click without thinking. At that point you've dropped into whatever they are trying to draw you into. It could be anything from something as small as validating your email address to sell later to asking you for sensitive information as part of a sign-up. Questions like "what street did you grow up on" or "what was your first pet's name" sound pretty innocent on a site you don't recognize, but once collected the answers can start to form a profile about you that can be used to try guessing your security questions.

Tip: Even if you know the person or organization that is sending you the email, if you aren't expecting it, take a few moments to be sure it's legitimate. It's better to approach an unexpected email from a friend with caution than to act with trust and find out it was a mistake.

Link Traps

This has been covered a bit above, but once the email is in your inbox, from a relatively believable sender and with enough pressure to get you to do something, the next step is getting you to click. In most cases these links rely on you not paying much attention to them and could be anything, such as https://www.scammer.domain.com, but sometimes they take the time to craft the link carefully and it is something that looks very similar to a site you trust. This generally comes in the form of a long link containing a lot of familiar things but ending with a suspicious domain or extension. For example, something as simple as https://resetpassword.yourbank.us can look very close to the .com or .net you usually see, but it's never a good idea to use an email you aren't expecting to do anything with your personal or banking information. If you didn't ask for a password reset, proceed carefully. If in doubt, go directly to the organization related to the password reset instead of using the link.

Sometimes link traps are a bit more involved. A fraudulent hyperlink shows (seemingly) correct text, such as the address you expect, but sends you to a different website when clicked. Before you click, hover over the link with your mouse cursor and you'll see a small tooltip showing the link that is actually behind the hyperlink text.

Also, be very careful of email "short-links," which are links used to redirect you to another site by using a link generator URL with a set of numbers and letters at the end. A link that is based on a shortener like https://goo.gl (Google's short link generator) or https://bit.ly (a third-party link generator) should always be treated as high-risk. You may receive several links based on those sites that are completely legitimate, but since they hide the true destination you are heading to, they are always a risk when you click on them if you aren't expecting the email and link.

Tip: Before you click, take a moment to hover over the link and look at the actual destination behind the link. As above, if you aren't expecting it you are generally better off not clicking on anything.

Dangerous Payload

This is becoming less of an issue with virus scanning software being extremely common on mail servers in transit, but there is still a risk of a malicious attachment containing malware or viruses. Never open an attachment you aren't expecting. If you aren't expecting it, delete the email without clicking on anything. It's easier to have a friend or colleague resend a file to you that is legitimate than to open something that can affect you significantly. Sometimes it's an outright virus or malware app in the attachment, but it is just as likely that it's a legitimate application that is configured in a way that allows an attacker to collect data or control your computer. You should always have an up-to-date antivirus application on your computer to be safe, although that is not a replacement for being safe and cautious. If you genuinely believe an attachment is legitimate but aren't totally sure, save it to your desktop first, then right-click on it and look for the option to have your antivirus software scan the attachment. If antivirus software scans it and says it's safe, you are probably OK to open it. However, in situations like this, the attachment could still be a more visually involved file that tries to get you to click a link or download another application.

Tip: Anytime you aren't expecting an attachment, don't click on it. Delete the email or contact the person by phone to be sure it's legitimate.

Obvious Emails

Don't trust that just because it's obvious you can read it safely. If you aren't expecting an email and it looks suspicious, just delete it without opening it. Just like you wouldn't pick up a soiled rag on the ground to look at it, in the same way don't open soiled emails when you know they aren't legitimate. There have been many exploits that involved using an email or attachment to fire off a malicious process without any interaction on your part. These types of attack are more rare than the others, but it's also why we continuously have Operating System (OS) and software updates. When exploits are found there is a process followed to identify the exploit, create a patch for it, let the community know it has been found, and finally to process the update so you can install it on your computer. There is always a lead time however where this can be exploited prior to you installing updates. Your up-to-date software and antivirus solution are critical, but don't trust that so much that you engage in risky email practices.

Tip: It's not worth wasting time and safety on suspicious emails. Delete it immediately without opening the email or attachments to avoid any risks involved.

Summary

This isn't an exhaustive list of ways you can be scammed, but hopefully this gives you a better idea of how easy it can be to trick or pressure someone into dangerous email practices. If you aren't expecting an email, the safest thing to do is immediately contact the source or delete it. Never use a link to reset a password or log into a website if you aren't expecting it. If the email doesn't look right, just delete it without opening it to avoid viruses and exploits.

Additional Reading:

https://www.nortonlifelockpartner.com/security-center/best-email-security-practices.html

https://www.microsoft.com/security/blog/2019/10/16/top-6-email-security-best-practices-to-protect-against-phishing-attacks-and-business-email-compromise/

https://en.wikipedia.org/wiki/Email_spoofing
