by ·Comments Off on Phishing & Other Email Scams
beware of email scams

Several years ago, the most common email scam was the lure of the Nigerian Prince who needed help in moving millions of dollars from his account to a safer account outside his country. And all he needed was a kind-hearted soul who was willing to provide him their bank information to make the transfer. In return, the good samaritan would get a percentage of that money.

What is the aim of these email scams? Money. It is always about money. For the Nigerian prince, once your bank account is compromised, the hacker behind the facade, can siphon off whatever balance you may have in your bank account.

Email Trends

I heard in a conference I attended several months ago, that a white hat hacker put an end to the Nigerian email scam years ago, and that’s why you and everyone else isn’t hearing much from the prince. However, there are a new breed for email scams out there, and they fall into these general categories:

  • phishing
  • impersonation
  • extortion

Like the Nigerian prince scam, these email scam trends are all about money–stealing your money or money you have access to.

Phishing

Phishing’s goal is to steal your account information. It is done through a simple but official looking email from a trusted organization–except it is really bogus. The email might say something to the effect that you need to verify your account at your bank in order to ensure security. To do this, all you need to do is click on a link which takes you to a nice looking web page that looks like the bank’s web page. But it isn’t. It asks you for your account name and password, and after you submit it, it may say something like page can’t be found, something went wrong, redirect you to the actual bank web site, or something else. Regardless, once you click submit, they got your account. That is pure phishing.

If it was your email account that was compromised, then the result of this phishing hack could result in more phishing hacks on your contacts or other folks in your organization if the email account if for work.

Phishing is really the entry point for a hacker’s ability to monetize their efforts.

Impersonation

Anyone can impersonate anybody else on the Internet through email. How? Because anyone can create an email account with almost anyone’s name–provided the account isn’t already taken. And even then, anyone can use anyone’s name as their email display name; that is, if my email address is xyz123@gmail.com, I can use, for example “Prince Charles” as the display name. And if I was in anyway associated with or related to the actual Prince Charles, I may think that the email actually came the the prince.

Impersonation can be monetized in many ways. Two of the most common ways are:

  • asking for a favor by requesting gift cards
  • asking for a list of employee information

For the case of the gift cards, the way the perpetrator gets money is by pretending to be a person’s manager or some high ranking official in an organization. The hacker scouts out an organization’s web site and figures out the organizational structure and finds names of managers and direct reports. Once they find this, they are all set.

They simply create an email account on gmail, yahoo, or many other email sources, and sets the display name to the name of the manager whom an employee reports to. The email is sent in a very simple form–asking if the employee is in the office. If the employee responds, the ploy begins with the hacker posing as the manager and that the manager is in a meeting and needs some gift cards. And so the impersonator asks the employee for a favor to purchase one or more gift cards with a promise to get paid immediately after the manager gets out of the meeting.

If the employee agrees to help out, the impersonator asks the employee to simply take pictures of the gift cards and email the pictures back. Once the employee does this, the money is gone and the employee is out a few dollars.

This scenario is playing out everyday across the country. And it is happening non-stop because it works!

Extortion

This one is a little different, and it plays into people’s fears of the ability of hackers to capture people’s activities online. A typical extortion email in this class of scam comes in with the FROM address of the email matching the target’s email address. The claim is that the hacker hacked the target’s email account, and that on top of that, the hacker has videos and pictures of the target’s Internet activities. The hacker claims that they will expose these potentially reputation-killing information to the Internet should the target not pay up. All they need to begin this is your email address.

To pay up, the target would need to buy bitcoin click a link in the email and paste a real long string key into that web page. Once the target pays up, they are safe.

Believe it or not, some people fall for this. And it doesn’t take much success rate for the hacker to make money. They make money, and that is why they do this.

A more destructive type of extortion is the type that infects and encrypts files on your computer. These ones preys on people without any computer anti-virus or anti-malware solutions.

These can come in as an email that looks official claiming that there is an invoice you must pay or your credit will be ruined, or some other threatening reason. In the email is an attachment that looks like an invoice, but when you open it, it installs and runs malware on your computer which encrypts all your pictures, videos, and other documents. You won’t know about it until after a few days when it pops open a page saying that you must pay up to decrypt your files.

In this situation, they too ask that you buy bitcoin to pay for this. After you pay, they will give you a string key to decrypt your files.

Now, I don’t know if this is true, but the hackers seem to keep their word. People’s files are restored after they pay up, but I woudn’t really bet on it. Anyway, if you don’t want to fall prey to this, don’t open any attachments you receive via email unless you know what it is.

Conclusion

If you don’t get anything from this article, get at least this:

You cannot trust anything you get via email. If in doubt don’t open attachments or click links. If the email looks like it is coming from someone you know, call them to verify.

—forlanda.net–