Bytes and Beyond
You're about to be scammed
Online criminals are targeting hospitals, government agencies and companies with cruel extortion schemes. The attackers stealthily encrypt the files of their victims and demand large sums of money for returning a decryption key to recover the data.
Most of these schemes start with a scam e-mail. Current targeted spam e-mails can be fiendishly clever, inserting themselves into legitimate conversations and business transactions to cause maximum damage. To protect yourself against such scams, you have to stay one step ahead of the attackers' game.
Signs that you’re being scammed
Correspondence scams are far older than e-mail. There’s an old joke about a newspaper ad which read: "Be smart! Learn how to avoid financial scams! Just send 5 dollars to the following address: ..."
Spam e-mails are little more than a digital version of the same idea. Whether they suggest easy enrichment, gender-specific body enhancements or dubious health promises, or when they take the direct approach ("CLICK HERE!"), the underlying concept is always the same: Spammers aim for the recipients' curiosity, greed and insecurities and hope that the urge to click will override their natural caution.
More sophistication, same motive
Early spam deluges were fairly easy to detect, such as the famous Nigerian Prince scam which is literally older than the internet. It’s not as if this type of spam has disappeared altogether – "get rich quick" scams will remain in existence as long as there are gullible people on the planet.
The scammers' base motive has never changed: They want your money. It really is as simple as that. Modern ransomware may seem more complex, but in effect it is merely a more direct variation of the newspaper ad joke: Unless you want to say goodbye to your tax return form, the photos of your dear, late grandmother, and your collection depicting scantily clad human beings, send 5 bitcoins to the following address.
Instead of asking, the modern scammers' approach is to demand payment in what is essentially a protection racket. But before they can make their demands, scammers still have to trick users to let them cross their digital doorstep.
How to get you to click
Today’s e-mail scams often seem to originate from a known source – a friend, an acquaintance, a company you have done business with. These scams can be easy to detect if your contact is usually very erudite and the spam message is full of spelling errors. But they can also be fiendishly hard to detect if the purported sender is your well-meaning aunt who routinely sends you links without a single word of explanation.
Fake business e-mails try to grab you by your fears and insecurities. This is your last warning, we’ll cut off your DSL if you don’t pay this invoice! Your mailbox is full, click this link to regain access! Overdue notice: You owe us $473.92, click on the attached PDF to find out more!
None of these tricks is really new – what’s new is how well-targeted these messages have become. Scare e-mails address you by your proper name, sometimes they even include your postal address, your phone number and other details.
How do the scammers know these things? Probably through a data leak. Several e-commerce websites I use have been hacked over the past few years. According to the service "Have I Been Pwned," one of my e-mail addresses has been compromised no less than six times since 2013. By the way – be careful with this kind of service: Some of them are actually spam traps designed to capture your e-mail.
When you seem to receive spam from somebody you know, it’s probably because someone’s machine has fallen prey to malware which uploaded that person’s address book to the malefactor’s servers. Be careful before pointing fingers: The malware victim doesn’t have to be the purported sender of the e-mail; your and their address could both be listed in the address book of a third party.
Most malware currently enters a system through an infected attachment – i.e. a file attached to an e-mail. The e-mail is usually worded to prompt you to open the attachment immediately. Something like "Thank you for your order. Attached you will find your invoice over $473.92, which we have already deducted from your credit card" makes it very hard to resist the urge to double-click. You want to find out whether your credit card has been hacked ... and in the process, you get hacked.
Some attachments are Microsoft Office documents which contain macros that will download malicious software to your computer. That’s not a problem if you don’t have Microsoft Office on your machine, but poor aunt Edna got Word for free with her computer, so why should she not use it?
Other files pretend to be PDFs or other innocuous documents even though they actually are executable files. Windows usually hides file extensions from the user’s view, so if you save an attachment to your computer and it shows up as "Invoice.pdf", that alone is no proof that it is a PDF. Its actual name may well be "Invoice.pdf.exe" – but since Windows masks the final extension, all you see is the "pdf" part, and the icon has probably been doctored to match what you expect a PDF to look like.
What to do about suspicious attachments
If an attachment looks iffy – and at this point, every attachment should cause concern – there are a number of ways to keep yourself secure.
First off, stay calm. All scam e-mails are designed to get you to react impulsively. If you receive an extremely upsetting e-mail, but it seems a little too perfectly crafted to be real, it probably is a fake.
Prevention starts with setting up spam filters. Many e-mail providers offer server-side spam filters for free, but it is frequently up to users to activate them. If in doubt, check your provider’s knowledge base to see whether they offer server-side spam protection and how to enable it.
The next step is to set up a client-side spam filter. Thunderbird features a good junk mail filter (it’s free); e-mail clients such as Outlook can be equipped with an add-in such as AntispamSniper (it costs money). Many commercial anti-virus suites also include an e-mail filter.
Always keep in mind that these measures will help, but they are not perfect. Once the server-side and client-side spam filters take out poorly-designed spam, the scam e-mails that pass the filters will be of a more sophisticated nature – after all, they were sophisticated enough to bypass your filters.
This means that you should always keep the following steps in mind:
- Don’t open an attachment until you are 100% sure it is legitimate. This could take a while, see below.
- Double-check the sender’s e-mail address. Often, the name looks correct, but the e-mail address is different.
- If the sender is a friend, acquaintance or active business partner, call them to find out whether they actually sent the attachment. Yes, call as in phone. Yes, you could send an e-mail back, but what if you receive a "reassurance" from the same hacker who sent the file?
- If you can’t contact the sender, save the file to your hard drive (save, don’t open!) and scan it with your anti-virus product. Even if the file is given a clean bill of health, don’t open it. Repeat the scan after an hour or two – the AV signatures may have been updated by then.
- If possible, upload the file to a free online malware scanning service such as VirusTotal or Jotti’s Malware Scan. If you’re handling business documents, keep in mind that by uploading your file, its content will become known to AV providers. If this could compromise confidential information, choose option 3 (calling the sender) instead.
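As an added illustration (not part of the original column), the following Python script automates two of the checks above on a saved e-mail: it compares the sender's display name with the address you have on file, and it inspects each attachment's name and leading bytes to catch a disguised executable such as "Invoice.pdf.exe". The extension list, the address-book entry and the sample message are all constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
# Illustrative lists, not exhaustive: code-running extensions, and the bytes a type starts with.
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta"}
MAGIC = {"pdf": b"%PDF", "zip": b"PK\x03\x04", "docx": b"PK\x03\x04"}
KNOWN_CONTACTS = {"aunt edna": "edna@example.com"}  # assumed address-book entry

def check_filename(name):
    """Flag double extensions ("Invoice.pdf.exe") and executable final extensions."""
    parts, findings = name.lower().split("."), []
    if len(parts) > 2:
        findings.append(f"{name}: double extension, real type is .{parts[-1]}")
    if parts[-1] in EXECUTABLE_EXT:
        findings.append(f"{name}: executable attachment")
    return findings

def check_content(name, data):
    """Compare the claimed extension with the file's actual leading bytes."""
    ext = name.lower().rsplit(".", 1)[-1]
    if data.startswith(b"MZ"):
        return [f"{name}: content is a Windows executable (MZ header)"]
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return [f"{name}: content does not match a .{ext} file"]
    return []

def check_sender(from_header, known_contacts=KNOWN_CONTACTS):
    """Flag a familiar display name paired with an address other than the one on file."""
    display, address = parseaddr(from_header)
    expected = known_contacts.get(display.strip().lower())
    if expected and expected.lower() != address.lower():
        return [f"sender '{display}' is known but address {address} is not {expected}"]
    return []

def triage(raw_bytes, known_contacts=KNOWN_CONTACTS):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = check_sender(msg["From"] or "", known_contacts)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += check_filename(name)
        findings += check_content(name, part.get_payload(decode=True) or b"")
    return findings
def sample_message():
    """Constructed sample, not a real e-mail: known name, wrong address, disguised .exe."""
    msg = EmailMessage()
    msg["From"] = "Aunt Edna <edna@mailer-promo.example>"
    msg.set_content("Attached you will find your invoice over $473.92.")
    msg.add_attachment(b"MZ\x90\x00" + bytes(16), maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    return msg.as_bytes()
```

Running `triage(sample_message())` reports the mismatched sender address, the double extension, the executable extension and the MZ header; a genuine PDF from a known address produces no findings.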
Things to keep in mind
Attacks will become more sophisticated the more interesting you are as a target. It is easy to think at this point "oh, then I have little to worry about – I don’t have any interesting data to steal or encrypt."
However, to become "interesting" as a hacking victim, you don’t have to be handling important information yourself – you might simply know somebody who does. This makes you, to put it bluntly, bait. Hackers may try to take over your computer to get to somebody else.
Thus, no matter how good your personal backup strategy may be, stay alert and don’t treat e-mail scams lightly. Hackers are counting on you to slip up: One false double-click can be enough to take you to computer hell.
What experiences do you have with e-mail scams? Do you know somebody who has fallen for such a scam? What do you personally do to prevent infection? Let us know in the comments.