Today, spam email is a pain for everyone: constant newsletters you don’t want, updates from websites you haven’t used in years, even people trying to sell you things. It’s annoying and it can be very difficult to stop. What can be worse, though, is when your spam email is also nefarious. This week’s blog will focus on some simple methods you can use to detect whether an email might be nefarious or untrustworthy.
First things first: never open any email attachment without assessing the email for trustworthiness. Until you interact with an attachment it is relatively (although not totally) safe; as soon as you open it or start interacting with it, a nefarious program within it has an opportunity to interact with your computer. This is very important. If you do download an attachment and get a message asking you to enable macros, be suspicious: macros can be exploited by an attacker. Chances are, if you don’t know what macros are and how they work, you shouldn’t enable them just to view an email attachment.
For my next couple of points, let’s look at an email I threw together here in the office:
There are several things you should look out for: impersonality, poor use of English, poor authentication, and the real address of the link hidden behind that blue writing.
This email is impersonal: it’s not “Hello James, it’s been a while”. If the sender doesn’t seem to know anything about you beyond the obvious, you should be suspicious. Furthermore, there’s an inexplicable question mark at the end of the first line of the email. Many nefarious sources are overseas so as to escape prosecution, so poor English can be an indication that the mail is not genuine.
This email also says nothing about the sender. It’s something about an invoice but for what company? There’s not even an e-mail signature. Serious companies tend to have very informative and trendy signatures nowadays that tell you everything you need to know to contact the sender. No signature or a poor signature could be an indication that the mail is nefarious.
There are two more concrete signs of things being awry. The first is links that are misleading: that “totally genuine link” – where does it go? What if the link text said “www.facebook.com” but actually directed you to “www.Ilikestealingmoney.ru”? The second is a return address that doesn’t fit the sender’s name.
Here’s a genuine piece of nefarious email I received from “Richard Butterknipe” (a genuine work contact whom I have renamed for this article).
How did I know this was nefarious? The name at the top of the page is “Paypal”, but there is no PayPal branding anywhere in the mail (no signature, etc.). The actual sender address, Lucero@esexpress.com.mx, doesn’t look like it has anything to do with PayPal, a huge indication that something isn’t right. Then, if you hover over the link in the email, you notice that the first part of the link, the website name, is not PayPal. Anything after the “.com” can be whatever the website owner wants it to be and may or may not be real, but the actual website name (www.yourwebsitename.com) has nothing to do with PayPal. What’s worse is that the link text (here 0E7VK0Z2OT1NUZXR) could just as easily display as www.paypal.com while showing www.imgoingtostealyourmoney.co.uk when you hover over it. It’s very important to check this before you follow any link out of an email.
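To make the two checks above concrete (the misleading-link test and the sender-name-versus-address test), here is a small checker added as an illustration; it is not code from the original post or from Jarrett & Lam. It runs over a constructed sample message modelled on the PayPal example, parses each link’s real host out of the href and compares it with the host the visible link text shows, ignoring everything after the website name as the post describes. It goes slightly beyond the text by treating hosts such as paypal.com.example.net as mismatches too, since only the end of the hostname identifies the real site. The `BRAND_DOMAINS` mapping is a hypothetical list for the example, and the sample message and its addresses are constructed.

```python
"""Flag the two email warning signs discussed above: link text that shows one
website while the real link goes to another, and a sender display name that
claims a brand whose domain does not match the actual address.

Added example, not the blog's own code. Standard library only."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the display name says "Paypal", the address is an
# unrelated domain, and the visible link text does not match the real href.
SAMPLE_EMAIL = """\
From: Paypal <Lucero@esexpress.com.mx>
To: you@example.com
Subject: Your account
Content-Type: text/html

<p>Please review your transactions:
<a href="http://www.imgoingtostealyourmoney.co.uk/login?acct=0E7VK0Z2OT1NUZXR">www.paypal.com</a></p>
"""

# Hypothetical mapping: brand word expected in a display name -> domains that
# legitimately own it. Extend for the brands your organisation deals with.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text only counts as "showing a website" if it looks like a hostname/URL.
LOOKS_LIKE_HOST = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def hostname_of(text):
    """Return the lowercase hostname of a URL or of bare text like
    'www.paypal.com' (leading 'www.' dropped), or None if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it. This is the
    'actual website name' test: the path after the host is ignored, and a
    host that merely starts with the brand (paypal.com.example.net) fails."""
    return host == domain or host.endswith("." + domain)


def check_links(html):
    """Report anchors whose visible text names a host different from the
    host the link really goes to (what hovering over the link would reveal)."""
    findings = []
    for href, label in ANCHOR_RE.findall(html):
        real = hostname_of(href)
        label_text = re.sub(r"<[^>]+>", "", label).strip()
        shown = hostname_of(label_text) if LOOKS_LIKE_HOST.match(label_text) else None
        if shown and real and not belongs_to(real, shown):
            findings.append(f"link text shows {shown} but goes to {real}")
    return findings


def check_sender(from_header):
    """Report a From: display name that claims a brand whose domain does not
    match the domain of the actual sender address."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(belongs_to(addr_domain, d) for d in domains):
            findings.append(f'sender name "{name}" but address domain is {addr_domain}')
    return findings


def assess(raw_email):
    """Run both checks over a raw message and return all findings."""
    msg = message_from_string(raw_email)
    return check_sender(msg.get("From", "")) + check_links(msg.get_payload())


if __name__ == "__main__":
    for finding in assess(SAMPLE_EMAIL):
        print("suspicious:", finding)
```

Run against the constructed sample it reports two findings: the "Paypal" name sitting on an esexpress.com.mx address, and link text showing paypal.com while the link goes to imgoingtostealyourmoney.co.uk. A link whose text and target agree (or whose text is plain words like “totally genuine link”) produces nothing, which is why hovering is still worth doing by hand for those.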
What could we do here to be absolutely sure? Don’t click on any links; open a web browser, go directly to www.paypal.com and check your transactions there. If you don’t know the right website address off the top of your head, you can go to www.google.com and google it. This is more secure than taking a risk on the links in the email. Just by clicking a link and going to a website, that website can gather all sorts of information about your location and your computer system, even without you clicking anything or entering any details on the site. Think of it this way: your computer has to communicate with that website in order to display it, and there’s a lot more going on under the bonnet than you might think. What I actually did was call Richard Butterknipe and ask him if he knew anything about the mail. He didn’t, and he informed me that somebody was sending out emails pretending to be him (they don’t even need access to your email account in order to do this – more on that in a future blog).
While this particular mail is blatantly nefarious, I have had clients and even my own mother call me and say that they’ve put their passwords into a website after being prompted to do so in mails that demonstrated all of these characteristics. If you’re not tech savvy and you’re not sure about a link, the best thing you can do is call a professional. Don’t be embarrassed: if there’s no risk, we won’t judge. If you clicked something called “thiswilldestroyyourcomputer.zip” and feel a bit silly, we won’t judge. We know things about IT that you don’t, just the same way you know things about your industry that we don’t. We can assess the risk of what you’ve done and advise you on how to proceed.
If you’re in any doubt, give us a call and have a chat. But, hopefully, this post will have given you some tactics for spotting these problems before they emerge.
- Mike from the J&L team.
Michael McGettrick is a software developer working at Jarrett & Lam in Surrey, UK. He has extensive knowledge in web-based application development, internet security and database design. He is also fluent in English, Spanish and French with working proficiency in Russian and Mandarin.
Jarrett & Lam has over 20 years of experience in email support and digital security consultancy. For help and advice regarding email and security, click "Contact Us" and get in touch.