There is a high probability that you receive spam, phishing, or unsolicited emails in your mailbox occasionally, if not daily.
If you don’t have an email account, you can go back to living your life happily under a rock. For those of us who depend on that medium of communication with the world, sending and receiving emails is an essential part of our day.
Some of us even have multiple email accounts to keep our personal and work lives separate and multiple work emails to keep communications organized.
The more email accounts you have, the more time you spend trying to decipher what is a legitimate communiqué and what is spam or phishing. Spammers send unsolicited promotional emails and want your attention to encourage you to buy their products or services; they can be annoying.
Threat actors, on the other hand, are technology-savvy bad actors who use spam emails to penetrate a device or an organization’s defences by sending viruses and malware in the form of links or attachments. Those types of attacks are called phishing.
Threat actors not only try to steal company data, they try to gain access to your personal bank information, steal credit card information, or try to steal your identity.
According to the Canadian Anti-Fraud Centre (CAFC), in 2021 more than 43 thousand people fell victim to fraud, losing more than $360 million. That whopping figure keeps increasing as Internet scammers get craftier every day.
Before we begin going into how you can protect yourself from receiving spam or phishing emails in the first place, it is important to outline the different forms of spam and phishing emails.
Where did we get the term Spam?
The name Spam was adapted from a Monty Python sketch in which the canned pork product called SPAM is featured in every breakfast menu item. The word Spam began to be used to refer to junk emails flooding the Internet in the 1980s. The repetitive, unsolicited nature and sheer volume of spam emails can set back your day and divert your attention from being productive.
Threat actors use similar techniques to send malicious emails in order to access your contacts, read your emails, or access your data. Threat actors or spammers can use a few different techniques in a phishing attack.
Those types of attacks start with a well-crafted “fake” email. Threat actors send emails with an infected attachment or a malicious link. By opening that attachment or clicking on the link, you give the Threat actors the foothold they need to gain access to your computer or infect your device.
Those approaches are refined over time to entice you to open an attachment or click on a link. The attacks have various names: spear phishing, whaling, smishing, vishing, etc. Every month thousands of new phishing attacks are launched. Phishing attacks typically work 1 out of 10 times. The phishing emails may appear to be from a trusted partner or provider, such as your bank or another familiar business.
The subject line may start with “RE:” to suggest it is part of an ongoing thread. Other deceptive tricks are used to persuade you to open the email. When you click on the link or open the attachment in the phishing email, it may silently install a malicious program that gives access to your computer or company network. That is when the scammers get to work: monitoring your emails, studying your communication habits, and reviewing your messages to your frequently emailed contacts, including your personal or company private and privileged information.
Unlike a general phishing attack, where a Threat actor sends a malicious email to many people, a spear phishing attack is more targeted. The attacker has some prior knowledge of who you are, gathered through social media, information captured from another compromised contact, etc. Those types of email attacks are more convincing because they may bypass your default visual check: on the surface, the email does not look like a phishing email.
Like a spear phishing attack, a whaling attack is targeted, but it is aimed at senior management. The sophisticated email is crafted for a busy executive or CEO. Sometimes employees receive an email with an urgent request that looks like it comes from their CEO or an executive team member.
Smishing and Vishing
Threat actors not only rely on sending malicious emails; they send similar messages through text message or Short Message Service (SMS), Teams chat, WhatsApp, or other messaging platforms (smishing), or deliver the same lure by phone call or voicemail (vishing). The text typically comes from an unknown or unrecognized number, conveys some urgency, and asks you to click on a link or perform an action.
Social media is another domain for sending malicious links designed to lure you into opening the link or redirect you to cloned websites or posts.
Threat actors also use a Quick Response (QR) code to direct or redirect someone to a website that is hosting malicious code. By scanning the QR code and opening that website, you let that malicious code run on your device to infect it and give the attacker remote access.
A related type of attack uses Domain Name System (DNS) “cache poisoning.” DNS is typically provided by your Internet Service Provider. It is the service that translates a website address or Uniform Resource Locator (URL) to the IP address where the website is hosted. Threat actors attempt to corrupt that translation so the request is redirected to a malicious IP address.
You may receive an email claiming that a hacker has gained control of your computer and webcam and has embarrassing videos of you. This is becoming increasingly widespread. The attacker sends the email from an address that may appear to be your own; these are fake emails with spoofed sender addresses. The Threat actor then demands money in the form of bitcoin by a deadline, or else they will release the embarrassing video to all your contacts.
For those types of spam emails, check the email properties (the message headers) to see where the email actually came from. There is a high probability the email did not originate from your computer and the Threat actor has not really gained access to it.
How to Protect Yourself
Phishing attacks continuously evolve as Threat actors refine their tactics. Unsafe email practices are the single biggest threat to online security. For a phishing attack to succeed, the victim needs to click on a link or open an attachment, and those links can look very convincing. As soon as you open the link, you may be directed to a well-crafted website that imitates Microsoft SharePoint, OneDrive, Google Drive, Dropbox, or another online file storage provider. That page is designed to capture your credentials.
To avoid that, stay up to date on this topic and provide continuous education programs to your staff to refresh their memory and keep email security at the forefront.
Here are some tips and tricks to avoid clicking on spam email links or opening malicious attachments.
- Use your work email to conduct work-related communication. Avoid using your personal email for work.
- Use email encryption, when possible, to convert the message from readable plain text into encrypted (scrambled) text. This works with a public key and a corresponding private key: the sender encrypts the email using the recipient’s public key, and only the recipient, who holds the private key, can decrypt the text.
- Aside from having a good antivirus program, it is essential to have a spam filtering program that checks emails and attachments and also validates the links in an email.
- Be on the lookout and check the sender’s email address. The sender’s address may not be displayed when you check your emails from a mobile device; it is good practice to tap the sender’s name to reveal and verify the address. Using the same display name as one of your contacts but a different email address is an attack vector of choice in a spear phishing or whaling attack.
- Look for spelling errors and grammatical mistakes in an email. Lately, spammers and Threat actors have gotten better: the emails may be well written and formatted. You can, however, often sense that the tone of the email is not consistent with that of your contact.
- Some email providers, such as Microsoft 365, can add a tag to the subject line or a banner to the body of an email identifying that it originated from outside your organization. That is a good visual reminder to use caution before opening an attachment or clicking on a link.
- Using Multifactor Authentication (MFA) is a must. MFA adds a second authentication challenge on top of the ID and password challenge when you check your emails through a web browser. You can use an app like Google or Microsoft Authenticator, or use SMS to receive a code. The code in the Authenticator app changes every 30 seconds, so a code that is observed is useless shortly afterwards and your login access remains secure. Using MFA is a strong deterrent against remote access to your email account.
- If you are concerned about an email, contact the sender through a different means (not by replying to the email) to validate the request. That is especially important when a financial transaction is involved, such as receiving wire-transfer instructions. Threat actors on a compromised computer can change the wire-transfer instructions to redirect the funds to another account.
- Be sure to back up your emails regularly. Threat actors can encrypt a compromised email account to extort money. Remember that it is your responsibility to keep your data backed up: many email service providers do not back up your email account. Some may allow you to restore deleted emails but will not be able to restore an encrypted account.
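The advice above to check the email properties, to look behind the sender’s display name, and to rely on external-sender tagging can be turned into a simple header review. The following script is an added example (it is not code from the original article) that uses only Python’s standard library; the sample message, the contact directory, the domain names example.com / examp1e.com / mail-relay.example.net and the urgency word list are all constructed for illustration, and the Authentication-Results line stands for what a receiving mail gateway would normally record.

```python
"""Flag common phishing indicators in a raw email using only the standard library.

Added example, not part of the original article. The sample message, contact
directory and domain names below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name matches a real contact, but the address
# behind it, the envelope Return-Path and the gateway's SPF result do not add up.
RAW_EMAIL = """\
Return-Path: <billing@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: Jane Doe <jane.doe@examp1e.com>
To: accounting@example.com
Subject: RE: urgent wire transfer today
Content-Type: text/plain; charset=utf-8

Please update the attached wire instructions and process them before noon.
"""

# Constructed contact directory: display name -> the address it should map to.
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"
URGENCY_WORDS = ("urgent", "immediately", "today", "wire transfer")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of a message (walk() also handles multipart mail)."""
    return " ".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )


def phishing_indicators(raw: str, known=KNOWN_CONTACTS, internal=INTERNAL_DOMAIN) -> list:
    """Return human-readable warnings for one raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    # Tip: same display name as a contact, different address (spear phishing / whaling).
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    expected = known.get(name)
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name '{name}' belongs to {expected}, but sender is {addr}")

    # Tip: 'check the email properties'; the envelope sender should normally match From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_dom}")

    # Tip: read the results your own mail gateway recorded (SPF/DKIM/DMARC).
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check.upper()} check failed at the receiving gateway")

    # Tip: external-sender tagging, computed here instead of relying on a banner.
    if from_dom and from_dom != internal.lower():
        findings.append(f"sender domain {from_dom} is outside {internal}")

    # A 'RE:' subject without the threading header a real reply carries is suspicious.
    subject = msg.get("Subject", "")
    if subject.lower().startswith("re:") and not msg.get("In-Reply-To"):
        findings.append("subject claims an ongoing thread (RE:) but there is no In-Reply-To header")

    # Urgency is the lever that makes people click before they think.
    text = (subject + " " + plain_text(msg)).lower()
    hits = [word for word in URGENCY_WORDS if word in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(RAW_EMAIL):
        print("WARNING:", finding)
```

Run it as-is and the constructed sample produces six warnings; feed it the raw source of a message you are unsure about (most mail clients offer “view source” or “show original”) and an empty list means none of these particular indicators fired, which is a starting point for a decision, not proof that the email is safe.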
Other considerations to keep your device and login safe
- Log in only to websites that use HTTPS. You can identify those sites by the padlock to the left of the https:// in the address bar. You can go one step further and check the website’s Secure Socket Layer (SSL) certificate by clicking on that padlock, to ensure the site URL and the certificate are valid and match. Avoid browsing a website if you get a certificate error.
- Do not give guests who are not employees access to your company Wi-Fi. Provide separate Wi-Fi access for your clients and for your staff’s personal devices. Use a Virtual Private Network (VPN) when using public Wi-Fi.
- Avoid using the same password for multiple accounts. Storing logins and passwords in a password-protected Word or Excel file is not secure. Consider using a good password manager application such as 1Password, Dashlane, Keeper, or similar. Those products are also offered at the enterprise level, where password sharing is required between team members in a department (e.g., an accounting department that needs a login ID and password for various vendor portals to retrieve bills).
- Always keep your computers and devices up to date with the latest Operating System security patches and updates. In addition, ensure the software applications you use are fully updated. Although Artificial Intelligence-based antivirus applications are available, many traditional antivirus products (e.g., McAfee) still rely on a virus definition database. Keep an eye on your antivirus subscription and configure your antivirus application to receive multiple updates daily. Avoid free antivirus software, as it may only provide basic security, and some products gather your personal data in exchange for the service.
The above are some ways you can protect yourself and your organization. Using a combination, if not all, of the above methods will help you protect your email account, identity, data, and organization.
Of course, each organization’s security needs may be unique to its environment, with some commonality, so be sure to consult your IT support provider for additional tips, tricks, and strategies to keep your organization’s intellectual property safe.
You can report spam and phishing emails to cyber.gc.ca or by visiting CAFC’s website: www.antifraudcentre-centreantifraude.ca/report-signalez-eng.htm