Just this week, we received the most legitimate and scary phishing attempt yet, as the email included one of our personal user ID's and a password as "proof" that they hacked an individual computer.
Email, in fact, is likely the easiest method for cyber criminals to gain access to your computer or hijack for money. Due diligence must be used in discerning the legitimacy of emails, even if they appear to come from trusted sources.
The Current Climate
Email scamming, phishing and viruses are simply a fact of life these days. If you have an email account, you will absolutely receive some scam, phishing attempt or virus at some point. However, identifying these harmful emails may be tricky, and failure to do so may result in lost time, lost money and even an inability to use your computer or phone.
While the days of the "Ethiopian Prince" scams are likely behind us, hackers and criminals are using more advanced tactics to figure out ways to extort money from you, or take control of your computer for other purposes (such as spreading spam emails, phishing your contacts for money in your name, etc.).
How to Identify Malicious Email
Below are some recommended methods for protecting yourself from malicious email:
1. Google anything suspicious
Chances are any malicious email you receive has been used in a bulk email campaign, which means that many other people have received the same email. Start with Google and see if there is any reference to that email.
Specifically, copy a distinctive phrase or sentence and paste it into Google's search inside quotation marks. The quotation marks tell Google to look for an exact match of all words in the phrase in that same order, so you are likely to find the exact scam in the Google results quickly.
2. Check the email address of the sender
Many times the sending email address is not a familiar sender. If you do not recognize the sending email address, then likely the message is spam. However, there are instances where malicious email may be sent from a recognized email address.
3. Contact any friends or acquaintances who ask you for money
A friend or acquaintance whose computer was hacked may be unknowingly sending malicious spam to their contact list from their email address. Sometimes, these spams paint a picture of the friend in need, asking for your help in bailing them out (perhaps needing money for a tow truck or a hotel room, etc.). If you know that individual well enough to consider sending them money, then likely you have their phone number. A quick call will either confirm or deny the situation, and if it is a scam the individual can reach out and ask people to ignore the email.
4. Use common sense and reason
In the email received today, we were particularly concerned about being hacked since a user ID and password were sent to me. However, in looking more closely, we realized this was a user ID and password combination that had not been used in quite some time. We have been hearing in recent years how many large companies have experienced security breaches, with hackers stealing personal client information. As it turns out, personal information was stolen through one of these large company security breaches that occurred many years ago, and only now was that information being used. Noticing the age of the user ID and password posted -- along with Googling select phrases as suggested in step 1 -- allowed us to determine that this was indeed a scam email.
5. Be wary of emails with offers from common stores, financial institutions or "techy" senders and check URLs embedded in emails
While there are legitimate emails from Amazon, Walmart, Bank of America, etc., many phishing scams will send emails that look exactly like a legitimate email and include a link to receive an offer, log in to prevent a fraud attempt, or frighten you of a hack attempt. If these emails have a link, ALWAYS mouse over the link and examine the URL before clicking on it.
Valid URLs will always contain the company domain name in the last part of the URL (just prior to the .com, .net, or other extension). For example, a valid URL may be https://email.walmart.com.
Malicious URLs will often contain the company domain earlier in the URL structure, to try to fool you into thinking it is a legitimate email. An example of a potentially harmful URL would be http://walmart.com.clickbait.ru.
Similarly, most large companies will contain an SSL link in the URL as well (https instead of http). If you do happen to trust the URL and want added peace of mind when visiting the site, you may view the SSL certificate which will provide company information to you about the issued SSL certificate.
"Techy" emails are confusing, mostly because they will typically attempt to scare you into thinking an account has been breached or requires immediate action. Oftentimes they ask you to log into an account to change a password and will indicate they came from some important tech individual, such as a mail administrator or domain manager.
This leads to...
6. When in doubt, ask someone you trust
As Martin Communications clients, you are welcome to contact our web support team (email@example.com) for assistance in helping you discern the legitimacy of any email you receive, especially if you receive emails concerning your web site, domain name or email accounts.
How You Are Protected from Many Malicious Emails
Martin Communications email customers are protected by some of the strongest email spam, virus and phishing filters available. On average, 96% of all spam, viruses and phishing emails are blocked before they reach your inbox. While no system is 100% protected, our filters will prevent many of the exploits from even getting to your computer in the first place.
In the event your email is hacked and used to send out additional spamming, phishing or virus emails, our email system will automatically disable your email account temporarily and we will be notified. In turn, we will alert you to the issue and work with you to get your account re-activated.
As a best practice, we encourage you to regularly change passwords and use passwords that are at least 10 characters long, which combinations of uppercase and lowercase letters, numbers, and special characters (such as asterisks, percent signs, etc.).
If you have any questions, or need to confirm suspicious emails, please do not hesitate to contact us at firstname.lastname@example.org.