This article is part of a series that aims to shed light on critical privacy issues for our clients. Our goal is to offer straightforward guidance on how you can protect yourself and your family in this age of proliferating cybercrime. You can find our previous articles on protecting your physical assets, social media, and simplifying complex passwords.
By David Koch
This article on safe emailing discusses what cyber crooks are looking for, how they attempt to get it, and how to protect yourself.
Email is ubiquitous. You can get financing and buy an income property in Kansas completely on the internet, sight-unseen, from the luxury of your couch in Huntington Beach. I know because a friend of mine recently did it. There are risks involved with the house, of course, but there are significant risks with the transaction, too. A great deal of highly sensitive information was moved back and forth via email, and if not done properly this process could have exposed my friend to serious problems.
Spam, Phishing, Spoofing, and Spyware—I’ll explain all of these. Once you understand what these tactics are attempting to achieve, you can take precautions to protect yourself. I’ll also explain simple best practices for sending and receiving emails.
Spam is the malignant workhorse of digital criminal acts. Not a crime in itself in the U.S. (although it is punishable in the UK), spam is the engine that drives many other illegal activities. It’s a game of numbers. If only 1 in 1,000,000 people click on your Viagra ad and buy from you, all you need to do is send 100,000,000 emails per day to make 36,500 Viagra sales per year.
We’re all familiar with spam, but it is still one of the most effective ways crooks take advantage of people in this digital age. When it comes to email, be suspicious! Don’t just click on links or open attachments because your best friend sent them to you. Maybe they did—but maybe they didn’t.
If the message looks odd, instead of clicking on it, compose a new message to the sender (not a reply) and simply ask, “Did you send me an email about this?”
Which leads us to the next terms on our list.
Spoofing and Phishing
Phishing is the practice of obtaining information by posing as a legitimate person or company. Spoofing is considered more a method of delivering malicious software, otherwise known as malware.
Both occur when the sender of an email isn’t who they appear to be. This can be done in a few different ways. In one, your friend’s contact list could have been stolen. Without his or her email actually being hacked into, the hacker can send emails that appear to be from that person you know. How similar do the emails email@example.com and firstname.lastname@example.org appear? One is spelled “LIN” and the other “LLN”—and in lowercase they’re nearly indistinguishable.
Here’s another example. You may receive an email from what appears to be your bank. The hacker may have stolen the logo and otherwise replicated what a real email from that bank looks like. The email will ask you to follow some instructions to verify your information and provide a link for you to click on.
Using another, more common tactic, a criminal creates an email that appears to be from a company, most often a financial institution like a bank. This person will use the bank’s logos; the email can be quite sophisticated-looking. The story goes something like, “We need you to log in to verify your credentials.” There will be a link that takes you to a website that looks like the trusted institution’s. The email will ask you to type in your username and password to “authenticate” your account. Once you do, they have it, too.
Don’t click on the links. Go to your address bar and type in the bank’s web address yourself. Or call them. One other quick vetting process to try (and it may not be perfect): Hover your cursor over the link provided so you can read it. A link might have 100 characters in it, but if it is from, for example, Chase.com, the .com will be immediately after Chase. On the other hand, Chase.hacker.com is a link to hacker.com, not to Chase.com. If you’re not comfortable with this tip, you can either call the institution or type in its web address manually.
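The same hover check can be written as a short program: what matters is the end of the host name, not whether the bank's name appears somewhere in the link. The JavaScript below is an added example, not part of the original article; the function names and sample links are constructed for illustration, using the article's Chase.com and hacker.com names.

```javascript
// Added example: find out which site a link really points to.
// Function names and SAMPLE_LINKS are constructed for illustration.

// Return the lowercase host name of a web link, or null if it is not one.
function linkHost(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return null; // not an absolute URL at all
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
}

// True only if the host is the trusted domain itself or a subdomain of it.
// Comparing the END of the host name is what separates www.chase.com
// from chase.hacker.com.
function belongsTo(host, trustedDomain) {
  if (host === null) return false;
  const trusted = trustedDomain.toLowerCase();
  return host === trusted || host.endsWith("." + trusted);
}

function checkLink(href, trustedDomain) {
  const host = linkHost(href);
  return { href, host, trusted: belongsTo(host, trustedDomain) };
}

// Constructed sample links, as they might appear when hovering in an email.
const SAMPLE_LINKS = [
  "https://www.chase.com/personal/login?src=email&campaign=statement-ready",
  "https://Chase.hacker.com/verify",      // bank name is only a subdomain label
  "https://chase.com.hacker.com/login",   // ".com" follows "chase", still hacker.com
  "https://hacker.com/chase.com/login",   // bank name appears only in the path
  "https://notchase.com/login",           // merely ends with the same letters
];

function report(trustedDomain) {
  return SAMPLE_LINKS.map((href) => checkLink(href, trustedDomain));
}

for (const r of report("chase.com")) {
  console.log(r.trusted ? "OK     " : "SUSPECT", r.host, "<-", r.href);
}
```
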
While one intent of spoofing may be to cannily coax people into revealing their login information to a specific website, like their bank, another more malicious intent might be to install spyware on these users’ computers.
Spyware is software that gathers information from an unsuspecting user’s computer and transmits that back to another entity. It acts like a mole. Spyware is a broad term that encompasses many different types of software. Some are less terrible than others. At least one, Loverspy, was specifically marketed to monitor lovers’ partners. There are several spyware packages in use by law enforcement.
On the other end of the spectrum is spyware that may capture everything a user types. Called a keylogger, this type of spyware can give criminals access to all of a user’s banking and credit card information, and website login names and passwords if left undetected long enough. The 2016 Identity Fraud Study, released by Javelin Strategy & Research, found that $15 billion was stolen from 13.1 million U.S. consumers in 2015.
How do you avoid spyware? First, don’t install software unless you’re absolutely sure that you know and trust the developer. Second, make sure you are using a modern internet browser. Google’s Chrome, Mozilla’s Firefox, and the latest iteration of Microsoft’s Internet Explorer (11) have elements that can make your online experience more secure.
If you suspect anything, or don’t actively use antivirus software, you can also download and run specific anti-spyware software. Avast, Lavasoft’s Ad-Aware, AVG, and even Microsoft’s built-in Windows Defender (if you’re using a PC) are all good (and free) options.
Best Practices for Email
The best advice? Think of emails as postcards.
Anyone who really wants to can, with a little effort, reach into your mailbox and read your email. Never send confidential, sensitive, or personal information through regular email. If you receive something sensitive via email, get what you need out of your inbox and delete the email—then delete it from your deleted folder.
We all likely have sensitive information in our sent folder too. I have nearly 5,000 emails in my personal email’s sent folder. If I ever sent an account number or social security number, it is likely still in there. Crooks know to look in there too.
There are, however, several ways to securely send and receive this type of information digitally. Here at HH, we use a service called ShareFile in which we can limit the number of downloads and, like in Mission Impossible, preset a timeframe in which the message will self-destruct.
There are also several ways you can securely send or receive sensitive information or files for free. Dropbox.com is one. In this digital age, there’s simply no need to expose yourself. Cyber criminals make use of sophisticated tools in attempting to invade your privacy. But you, too, can take advantage of state-of-the-art tools and safeguards to defend yourself from them.