Do not give out sensitive information to others unless you are 100% positive they are who they claim they are and they need the information they’re asking for. When in doubt, don’t give out.

Email provides us a convenient and powerful communications tool. Unfortunately, it also provides scammers and other malicious individuals an easy means for luring potential victims. The scams they attempt run from old-fashioned bait-and-switch operations to phishing schemes using a combination of email and bogus web sites to trick victims into divulging sensitive information. To protect yourself from these scams, you should understand what they are, what they look like, how they work, and what you can do to avoid them. The following recommendations can minimize your chances of falling victim to an email scam:

  • Filter spam.
  • Don’t trust unsolicited email.
  • Treat email attachments with caution.
  • Don’t click links in email messages.
  • Install antivirus software and keep it up to date.
  • Install a personal firewall and keep it up to date.
  • Configure your email client for security.

Recognizing Email Scams

Scammers only need to fool a small percentage of the tens of thousands of people they email for their ruse to pay off. For tips on reducing spam in your email in-box, see US-CERT Cyber Security Tip ST04-007, “Reducing Spam”: http://www.uscert.gov/cas/tips/ST04-007.html

Some common email scams include:

“Old-Fashioned” Fraud Schemes

These are fairly easy to recognize and make up the bulk of our junk email folders today, but every once in a while one will make it into your inbox. The best course of action is to delete it.

  • Bogus business opportunities
  • Chain Letters
  • Work-at-home schemes
  • Health and diet scams
  • Easy money
  • Free goods
  • Investment opportunities
  • Bulk email schemes
  • Guaranteed loans or credit offers

As with most things in life, if it sounds too good to be true, it probably is!

Social Engineering/Phishing Email

Social engineering is a strategy for obtaining information people wouldn’t normally divulge, or prompting an action people normally wouldn’t perform, by preying on their natural curiosity and/or willingness to trust. Perpetrators of scams and other malicious individuals combine social engineering with email in a number of ways.

Phishing Email

Phishing emails are crafted to look as if they’ve been sent from a legitimate organization or person. These emails attempt to fool you into visiting a bogus web site to either download malware (viruses and other software intended to compromise your computer) or reveal sensitive personal information. The perpetrators of phishing scams carefully craft the bogus web site to look like the real thing.

For instance, an email can be crafted to look like it is from a major bank. It might have an alarming subject line, such as “Problem with Your Account.” The body of the message will claim there is a problem with your bank account and that, in order to validate your account, you must click a link included in the email and complete an online form.

If the email is sent and viewed as HTML, the visible link may be the URL of the institution, but the actual link information coded in the HTML will take the user to the bogus site. For example:

visible link: http://www.yourbank.com/accounts/

actual link to bogus site: http://itcare.co.kr/data/yourbank/index.html

The bogus site will look astonishingly like the real thing, and will present an online form asking for information like your account number, your address, your online banking username and password—all the information an attacker needs to steal your identity and raid your bank account.

What to Look For

Bogus communications purporting to be from banks, credit card companies, and other financial institutions have been widely employed in phishing scams, as have emails from online auction and retail services. Carefully examine any email from your banks and other financial institutions. Most have instituted policies against asking for personal or account information in emails, so you should regard any email making such a request with extreme skepticism.

Phishing emails have also been disguised in a number of other ways. Some of the most common phishing emails include the following:

  • fake communications from online payment and auction services, or from internet service providers – These emails claim there is a “problem” with your account and request that you access a (bogus) web page to provide personal and account information.
  • fake accusation of violating the Patriot Act – This email purports to be from the Federal Deposit Insurance Corporation (FDIC). It says that the FDIC is refusing to insure your account because of “suspected violations of the USA Patriot Act.” It requests you provide information through an online form to “verify your identity.” It’s really an attempt to steal your identity.
  • fake communications from an IT Department – These emails will attempt to ferret passwords and other information phishers can use to penetrate your organization’s networks and computers.
  • low-tech versions of any of the above asking you to fax back information on a printed form you can download from a (bogus) web site.

The Anti-Phishing Working Group maintains a helpful phishing archive. The archive catalogues reported phishing scams and presents not only the content of the phishing email, but also screen captures of the bogus web sites and URLs used in the scams.

http://www.antiphishing.org/phishing_archive/phishing_archive.html

Other Types of Email Scams
A couple of other common types of malicious emails include:

  • Trojan Horse Emails
    • Emails with a malware attachment that, when opened, silently installs a Trojan virus on your computer, which can then be used by the cybercriminals to do anything from stealing keystrokes to launching further attacks against anyone in your contact list.
  • Virus-Generated Emails
    • Usually generated by a Trojan running on a friend’s compromised computer, these emails are spread by searching for all email addresses on an infected computer and then sending themselves to those addresses.
    • This type of email will have a familiar and legitimate “From” address but will probably ask you to do something not authorized by the individual. Always verify in person or over the phone when a “friend” is asking for something over email.

What You Can Do to Avoid Becoming a Victim

Filter Spam

Because most email scams begin with unsolicited commercial email, you should take measures to prevent spam from getting into your mailbox. Most email applications and web mail services include spam-filtering features, or ways in which you can configure your email applications to filter spam. Consult the help file for your email application or service to find out what you must do to filter spam.

You may not be able to eliminate all spam, but filtering will keep a great deal of it from reaching your mailbox. You should be aware that spammers monitor spam filtering tools and software and take measures to elude them. For instance, spammers may use subtle spelling mistakes to subvert spam filters, changing “Potency Pills” to “Potençy Pills.”
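The “Potençy Pills” trick works because a naive filter compares raw characters. As an added example (not from the US-CERT article), the following check folds accented letters and a small, constructed table of digit/symbol lookalikes back to plain letters before matching, so the disguised phrase still hits the blocklist.

```python
# Added example, not from the US-CERT article: match blocked phrases even after
# accent and lookalike substitutions such as "Potençy Pills" or "P0tency Pi11s".
import unicodedata

# Constructed lookalike table; production filters use much larger confusable lists.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"})

def normalize(text):
    """Decompose accents (NFKD), drop the combining marks, undo common
    digit/symbol substitutions, and casefold, leaving plain ASCII letters."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(LOOKALIKES).casefold()

def matched_phrases(text, blocklist):
    """Return the blocklist phrases found in text once both are normalized."""
    folded = normalize(text)
    return [phrase for phrase in blocklist if normalize(phrase) in folded]
```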

Regard Unsolicited Email with Suspicion

Don’t automatically trust any email sent to you by an unknown individual or organization. Never open an attachment to unsolicited email. Most importantly, never click on a link sent to you in an email. Cleverly crafted links can take you to forged web sites set up to trick you into divulging private information or downloading viruses, spyware, and other malicious software.

Spammers may also use a technique in which they send unique links in each individual spam email. Victim 1 may receive an email with the link <http://dfnasdunf.example.org/>, and victim 2 may receive the same spam email with the link <http://vnbnnasd.exaple.org/>. By watching which links are requested on their web servers, spammers can figure out which email addresses are valid and more precisely target victims for repeat spam attempts.

Remember that even email sent from a familiar address may create problems: Many viruses spread themselves by scanning the victim computer for email addresses and sending themselves to these addresses in the guise of an email from the owner of the infected computer.

Treat Email Attachments with Caution

Email attachments are commonly used by online scammers to sneak a virus onto your computer. These viruses can help the scammer steal important information from your computer, compromise your computer so that it is open to further attack and abuse, and convert your computer into a ‘bot’ for use in denial-of-service attacks and other online crimes. As noted above, a familiar “From” address is no guarantee of safety because some viruses spread by first searching for all email addresses on an infected computer and then sending themselves to these addresses. It could be that your friend’s computer is infected with just such a virus.

Use Common Sense

When email arrives in your mailbox promising you big money for little effort, accusing you of violating the Patriot Act, or inviting you to join a plot to grab unclaimed funds involving persons you don’t know in a country on the other side of the world, take a moment to consider the likelihood that the email is legitimate.

Install Antivirus Software and Keep it Up to Date

If you haven’t done so by now, you should install antivirus software on your computer. If possible, you should install an antivirus program that has an automatic update feature. This will help ensure you always have the most up-to-date protection possible against viruses. In addition, you should make sure the antivirus software you choose includes an email scanning feature. This will help keep your computer free of email-borne viruses.

Install a Personal Firewall and Keep it Up to Date

A firewall will not prevent scam email from making its way into your mailbox. However, it may help protect you should you inadvertently open a virus-bearing attachment or otherwise introduce malware to your computer by following the instructions in the email. The firewall, among other things, will help prevent outbound traffic from your computer to the attacker. When your personal firewall detects suspicious outbound communications from your computer, it could be a sign you have inadvertently installed malicious programs on your computer.

Learn the Email Policies of the Organizations You Do Business With

Most organizations doing business online now have clear policies about how they communicate with their customers in email. Many, for instance, will not ask you to provide account or personal information via email. Understanding the policies of the organizations you do business with can help you spot and avoid phishing and other scams. Do note, however, that it’s never a good idea to send sensitive information via unencrypted email.

Source: https://www.us-cert.gov