
Section IV: Email Joys and Pitfalls

Email and Attachments

Ah, e-mail - what did we do before e-mail? Many of us read hundreds of e-mail messages each week. We are even more dependent on e-mail than we are on the Internet itself. Like the Internet, e-mail has its dangers. This section will describe a few pitfalls and provide hints for avoiding them.

Don't open an email attachment, even if it looks like it's from a friend or coworker, unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is and why you are sending it.

Almost any type of file can be attached to an email message, and malware can "hitch a ride" on any of them: pictures, PDF files, Microsoft Office documents, program files, scripts, etc. The attachment itself often looks harmless; the damage is done by a vulnerability in the application that opens it (your PDF reader, Office, your image viewer), or by a macro or script the file carries. You need to be suspicious of any attachment, even if the message comes from someone you know. The best defense is to keep your software applications, including your anti-virus signatures, up to date. Malware writers take advantage of unpatched vulnerabilities!


Email Phishing, Spam and Scams

Dangers do not always hide in the attachment but can be hidden within the e-mail itself.

Phishers create e-mail messages that appear to come from a bank or other financial organization and that refer the recipient to a Web page that also appears to belong to the targeted organization. They use social engineering to make you believe this is a legitimate request for information, and they often use "features" of your e-mail client and web browser to hide traces of their bogus site: for example, the visible text of a link can read as the bank's address while the link actually goes to an address the phisher controls. The goal is to make you believe you are viewing the real Web site of the targeted organization.

A less common use of phishing is to get software installed on your computer (often a keylogger or a Trojan horse) by luring you to a site where the software has been staged.

Phishing attacks are generally intended to obtain personal identification data (e.g., Social Security number, mother's maiden name) or financial account information (e.g., bank account and routing numbers, credit card account numbers and verification codes). The primary goal of phishers is to collect enough critical information to submit an automatic debit against your bank account or charge a purchase to your credit card. If they don't use the information themselves, they may trade or sell it to others (basically using your personal information as currency in the cracker world).

Not all phishing attacks occur via email. They can be made over the phone, in the mail, through social networks like Facebook and Twitter, or through a combination of all of these. Here is an example of a real-life phishing scam on Twitter. The scam aims to steal users' log-in credentials and then forward scam messages to all their friends in the hope of tricking them too. It begins with a direct message (one sent privately between two Twitter users) that appears to link to a video site. When the victim clicks on the link, however, they are sent to a fake Twitter page and asked to log in. The scammers use that log-in information to automatically send the same direct message to the victim's contacts.
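The link trick described above (bank-looking link text that actually points elsewhere, or a look-alike host name built from the bank's domain) can be checked mechanically before anyone clicks. The following is an added example written for this page, not code from the original page or from any of the organizations named; the HTML body, the bank name examplebank.com and the addresses in it are constructed using documentation example addresses.

```python
"""Check the links in an HTML e-mail for the tricks phishers use to hide their
real destination.  Added example, not from the original page; the message
below is constructed and the domains are documentation examples."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased host of a URL; bare 'www.example.com/x' text is accepted too."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, claimed_domain):
    """Return (href, text, reasons) for every link that does not look honest.
    claimed_domain is the organization the message claims to be from."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        # 1. Visible text that looks like an address but points somewhere else.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            shown = host_of(text)
            if shown and shown != target:
                reasons.append(f"text shows {shown} but the link goes to {target}")
        # 2. A raw IP address instead of the organization's domain.
        if is_ip_literal(target):
            reasons.append("link target is a raw IP address")
        # 3. A look-alike such as examplebank.com.security-check.example.
        if not in_domain(target, claimed_domain):
            reasons.append(f"link target is outside {claimed_domain}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed phishing body: the first link hides a raw IP behind bank-looking
# text, the second uses a look-alike host, the third is genuine.
SAMPLE_HTML = """
<p>Dear Customer, please verify your account within 24 hours:</p>
<a href="http://203.0.113.5/login">https://www.examplebank.com/login</a><br>
<a href="http://examplebank.com.security-check.example/">Sign in to your account</a><br>
<a href="https://www.examplebank.com/help">Help center</a>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, "examplebank.com"):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The third check is the important one in practice: "examplebank.com.security-check.example" contains the bank's name but is a completely different registered domain, which is exactly what a reader skimming the address bar is meant to miss.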

It can be difficult to tell if a spammer has installed hidden software on your computer, but there are some warning signs: you may receive emails accusing you of sending spam, you may find messages in your "outbox" or "sent" folder that you didn't send, or your computer may suddenly run noticeably slower.

Some hints to help you avoid becoming a victim:

  • Delete, without opening, email from people or organizations you do not know.
  • If you receive an unexpected attachment in a message from someone you know, verify by calling the person (not by replying to the message, which may go straight to the impostor) that they really did send it.
  • Do not click on links sent in an email unless you have a reasonable expectation that the link is valid.
  • Do not provide personal information without verifying the legitimacy of the request. For example, call your bank or system administrator, using a number you already have rather than one given in the message, and confirm they need the information.
  • Never provide your password to anyone for any reason.
  • Remember, there are no "free" offers. Spammers are in it for the money, usually your money!
  • Be wary of email with a generic sender name like "Tech Support" or "Webmail Administrator".
  • If you open an email and find the salutation says "Dear Friend" or "Dear Sir or Madam", it is probably spam and should be deleted.
  • Be extra suspicious of email soliciting funds after a disaster, or trying to get you to click on a link to read more about the disaster.
  • For your home computer, get an anti-spyware program from a vendor you know and trust. Set it to scan on a regular basis (e.g., at least once a week) and every time you start your computer.
  • Remove or quarantine any software the anti-spyware program flags on your computer.

How do I tell where this email message is really from?

The "From:" address is simply text the sender fills in, so it is easily spoofed and the identity of the real sender masked. The full headers tell a truer story: every mail server that handles a message adds a "Received:" line at the top, so reading the Received lines from the bottom up shows where the message entered the mail system and the path it took to reach your inbox. Be aware that a sender can forge Received lines too; only the lines added by your own organization's servers (the topmost ones) can be trusted, and the one that matters most is the first of those, because it records the address of the machine that actually handed the message in. These headers are usually hidden since they are only a log of the route taken by the message and not part of the message itself. Each email client has its own way of displaying the full or expanded headers; some refer to them as the Internet headers. Check your email client's help files or ask your local support staff. Beware that some email configurations, especially in Windows environments, may allow arbitrary code to run merely upon opening or previewing a malicious e-mail message. If the suspicious e-mail includes a file attachment, it is safer to simply delete it.
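What reading the headers "from the bottom up" means in practice is shown by the following added example, written for this page and not code from the original page or from any mail product. It parses a raw message with Python's standard email library, lists the Received hops in delivery order, and flags the usual signs that the From: line is lying. The message itself is constructed, the host names and addresses are documentation examples, and the set of "servers you control" (mail.example.org and mx1.example.org) is an assumption for the demonstration.

```python
"""Read the Received: chain of a raw message to see where it really entered
the mail system, and compare that with what the From: line claims.
Added example, not from the original page; the message is constructed and
uses documentation addresses.  Assumes the raw message with full headers."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed message: From: claims a bank, but the bottom (earliest) Received:
# line shows it was handed in by a host whose reverse DNS did not match the
# name it announced, and Reply-To: points somewhere else entirely.
SAMPLE_RAW = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mail.example.org with ESMTP id AB12; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.hosting.example (relay.hosting.example [198.51.100.7])
    by mx1.example.org with ESMTP id CD34; Mon, 1 Jan 2024 10:00:01 +0000
Received: from examplebank.com (unknown [203.0.113.44])
    by relay.hosting.example with SMTP id EF56; Mon, 1 Jan 2024 09:59:58 +0000
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: verify-account@mailbox.example
To: user@example.org
Subject: Urgent: confirm your account

Please confirm your account details at the link below.
"""


def parse_received(value):
    """Split one Received: line into the name the sending host announced (helo),
    the reverse-DNS name and IP the receiving server recorded, and that server."""
    v = re.sub(r"\s+", " ", value).strip()
    m = re.match(r"from (\S+)(?: \(([^)]*)\))? by (\S+)", v)
    if not m:
        return {"raw": v}
    helo, paren, by = m.groups()
    paren = paren or ""
    ip = re.search(r"\[([0-9.]+|[0-9a-fA-F:]+)\]", paren)
    return {"helo": helo, "rdns": paren.split(" ")[0],
            "ip": ip.group(1) if ip else "", "by": by}


def trace(raw):
    """Hops in delivery order (index 0 is where the message entered the mail
    system) plus the sender domains the message itself claims."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return {"hops": hops, "from_domain": from_domain, "reply_to_domain": reply_domain}


def spoof_warnings(raw, my_servers):
    """Signs that the From: line is lying.  my_servers: host names of the mail
    servers your organization runs; a Received: line is only trustworthy when
    one of them added it, the sender can forge anything below those."""
    t = trace(raw)
    hops, out = t["hops"], []
    origin = hops[0] if hops else {}
    rdns = origin.get("rdns", "").lower()
    if rdns in ("", "unknown"):
        out.append(f"origin {origin.get('ip')} has no reverse DNS; the name it "
                   f"announced, {origin.get('helo')!r}, is unverified")
    elif not (rdns == t["from_domain"] or rdns.endswith("." + t["from_domain"])):
        out.append(f"From: claims {t['from_domain']} but the message entered from {rdns}")
    if t["reply_to_domain"] and t["reply_to_domain"] != t["from_domain"]:
        out.append(f"Reply-To: sends replies to {t['reply_to_domain']}, not {t['from_domain']}")
    forgeable = [h for h in hops if h.get("by", "").lower() not in my_servers]
    if forgeable:
        out.append(f"{len(forgeable)} Received: line(s) were added by servers you do "
                   "not control and could have been written by the sender")
    return out


if __name__ == "__main__":
    t = trace(SAMPLE_RAW)
    for n, h in enumerate(t["hops"], 1):
        print(f"hop {n}: {h.get('helo')} ({h.get('rdns') or '?'} {h.get('ip')}) -> {h.get('by')}")
    for w in spoof_warnings(SAMPLE_RAW, {"mail.example.org", "mx1.example.org"}):
        print("WARNING:", w)
```

Note the order of trust: the two Received lines added by mail.example.org and mx1.example.org are yours and can be believed; the bottom line was added by relay.hosting.example, which you do not run, so even the "unknown [203.0.113.44]" it recorded could have been typed in by the sender. The only fact you can be sure of is what your own first server saw, and the announced name "examplebank.com" on the bottom line proves nothing at all.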

The best rule of thumb: if it looks like spam, delete it and don't worry about where it came from!

One final word on email: email is more like a postcard than a first-class letter sealed in an envelope. It passes through, and can be read on, every server along its route. Unless you are using encryption (such as Entrust or PGP), there should be no expectation of privacy!

