
Protect Your Emails
There is a high probability that you receive spam, phishing, or unsolicited emails in your mailbox occasionally…if not daily.
If you don’t have an email account, you can go back to living your life happily under a rock. For those of us who depend on that medium of communication with the world, sending and receiving emails is an essential part of our day.
Some of us even have multiple email accounts to keep our personal and work lives separate and multiple work emails to keep communications organized.
The more email accounts you have, the more time you spend trying to decipher what is a legitimate communique and what is spam or phishing. Spammers send unsolicited promotional emails and want your attention to encourage you to buy their products or services; they can be annoying.
Threat actors, on the other hand, are the technology-savvy bad people who use spam emails to penetrate a device or an organization’s defence structure by sending viruses and malware in the form of links or attachments. Those types of attacks are called phishing.
Threat actors not only try to steal company data; they also try to gain access to your personal bank information, steal credit card information, or steal your identity.
According to the Canadian Anti-Fraud Centre (CAFC), in 2021 more than 43 thousand people fell victim, losing more than $360 million. That whopping value keeps increasing as Internet scammers get craftier every day.
Before we begin going into how you can protect yourself from receiving spam or phishing emails in the first place, it is important to outline the different forms of spam and phishing emails.
Where did we get the term Spam?
The name Spam was adapted from a Monty Python sketch in which the canned pork product called SPAM is featured in every breakfast menu item. The word spam began to be used to refer to junk emails flooding the Internet in the 1980s. The repetitive, unsolicited nature and sheer volume of spam emails can set back your day and divert your attention from being productive.
Threat actors use similar techniques to send malicious emails to access your contacts, read your emails, or access your data. Threat actors or spammers can use a few different techniques in a phishing attack.
Phishing
Those types of attacks start with a well-crafted “fake” email. Threat actors send emails with an infected attachment or malicious link. By opening that attachment or clicking on the link, you give authorization to the threat actors, who then gain access to your computer or infect your device.
Those approaches are modified and made better over time to entice you to open an attachment or click on a link. The attacks have various names: spearing, whaling, smishing, vishing, etc. Every month thousands of new phishing attacks are launched. Phishing attacks typically work 1 out of 10 times. The phishing emails may appear to be from a trusted partner or provider, such as your bank or another familiar business.
The subject line may start with “RE:” to indicate it is an ongoing thread. Other deceptive ways are used to persuade you to open the email. As you click on the link or open the attachment in the phishing email, it may self-install a malicious program to gain access to your computer or company network.
That is when the scammers get to work monitoring your emails, studying your communication habits, and reviewing your emails to your frequently emailed contact list—including your personal or company private and privileged information.
Spearing
Unlike a general phishing attack, where a threat actor sends a malicious email to many people, a spearing attack is more targeted. The attacker has some prior knowledge of who you are through social media or previously captured information from another contact, etc. Those types of email attacks are more convincing because they may pass your default visual verification: on the surface, the email does not appear to be a phishing email.
Whaling
Like a spearing email attack, a whaling attack is designed to target senior management. The context of a sophisticated email is designed for a busy executive or CEO. Sometimes, employees may receive an email with an urgent request that looks like it is from their CEO or an executive team member.
Smishing and Vishing
Threat actors do not rely only on malicious emails; they also send similar messages through text message or Short Message Service (SMS), Teams Chat, WhatsApp, or other messaging platforms. The text typically comes from an unknown or unrecognized number and conveys some urgency, requiring you to click on a link or perform an action.
Angler Phishing
Social media is another domain for sending malicious links designed to lure you into opening the link or redirect you to cloned websites or posts.
Quishing
Threat actors use a Quick Response (QR) code to direct or redirect someone to a website that hosts malicious code. When you scan the QR code and open that website, the malicious code can run on your device, infecting it and giving the attackers remote access.
Pharming
That type of phishing uses Domain Name System (DNS) “cache poisoning.” DNS is typically provided by your Internet Service Provider. It is a service that translates a website address or Uniform Resource Locator (URL) to the IP address where the website is hosted. Threat actors attempt to redirect the request to a malicious IP address.
Other Scams
You may receive an email claiming that a hacker has gained control of your computer and webcam and has embarrassing videos of you. That is becoming increasingly widespread. The attacker sends an email from an email account that may appear to be yours. They are fake emails with spoofed email addresses. The threat actor then demands money in the form of bitcoin with a deadline, or else they will release the embarrassing video to all your contacts.
For those types of spam emails, check the email properties to see the source of the email. There is a high probability the email did not originate from your computer and the threat actor hasn’t really gained access to your computer.
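One way to check the source of such an email from its raw headers, as an added example that is not part of the original article. The message, host names and the TRUSTED set are constructed assumptions; the addresses come from documentation ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): an extortion email whose From:
# shows the recipient's own address.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=example.org
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.org with ESMTP; Tue, 02 Jan 2024 10:00:05 +0000
Received: from unknown (HELO mailer.example.net) (203.0.113.45)
\tby mx.example.org with SMTP; Tue, 02 Jan 2024 10:00:01 +0000
From: "Alice" <alice@example.org>
To: alice@example.org
Subject: I recorded you through your webcam

Pay in bitcoin within 48 hours.
"""

# Assumption: host names of your own mail provider. Only headers they wrote
# can be trusted; everything below them was supplied by the sender.
TRUSTED = {"mx.example.org", "inbox.example.org"}

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def inspect_source(raw, trusted=TRUSTED):
    msg = message_from_string(raw)
    origin_ip = None
    for hop in msg.get_all("Received", []):          # newest hop first
        by = re.search(r"\bby\s+([\w.-]+)", hop)
        if not by or by.group(1).lower() not in trusted:
            break                                    # sender-supplied from here down
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", hop)
        origin_ip = ip.group(0) if ip else origin_ip
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        if ar.split(";")[0].strip().lower() in trusted:   # ignore forged results
            auth.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar.lower()))
    findings = []
    if domain(msg["From"]) != domain(msg["Return-Path"]):
        findings.append("From domain differs from envelope sender (Return-Path)")
    if auth.get("dmarc") != "pass":
        findings.append("DMARC did not pass for the From domain")
    return {"origin_ip": origin_ip, "auth": auth, "findings": findings}
```

A Return-Path that differs from the From domain is common in legitimate bulk mail, so treat it as a signal to weigh alongside the DMARC result rather than proof of spoofing.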
How to Protect Yourself
Phishing attacks continuously evolve as threat actors refine their antics. Unsafe email practices are the single biggest threat to online security. For a phishing attack to be successful, the victim user needs to click on a link or open an attachment.
Those links may look very convincing. As soon as you open the link, you may be directed to a well-crafted website that looks like Microsoft SharePoint, OneDrive, Google Drive, Dropbox, or another online file storage provider. That page is designed to capture your credentials.
To avoid that, you need to stay up-to-date on this topic and provide continuous education programs to your staff to refresh their memory and keep email security at the forefront.