In the early days of social engineering, an attacker would simply make a phone call and use these "engineering" techniques to get personal information from you. By asking pertinent yet innocuous questions, they would learn answers that allowed them to access bank accounts, credit cards, and other valuable data.
Today we have moved into the more "modern world" of email phishing and spoofing (an attacker pretends to be someone known to a person or organization in order to obtain sensitive information, usually in pursuit of financial gain). This happens more often than we would like to admit.
The question now is how are they using MY email to send out messages to my friends and/or business associates?
These days it is easier than ever for these disreputable individuals to phish and spoof. All they need to do is send an email that appears to come from a "reliable source"; in other words, from someone you trust or know. Getting your email address is also easier than ever, because our addresses are constantly going out "there." If you have ever subscribed to a product, signed up for newsletters or updates, requested information from a company, served on the board of a company or group, supported a non-profit, or donated to any cause, your email address is on the internet and readily available. Email is still the number one way to contact not just your friends but the large majority of businesses, which makes your address easy for someone to grab and use.
You may have received an email from "your bank" saying that it needs you to log in and change your credentials because your account was compromised or as a "safety measure." When you click the link, it takes you to a spoofed site that asks you to fill in all of your information again to "confirm" that you are who you say you are (the information requested can include your birthdate, social security number, address, etc.). The spoofers have now collected the information they were after, all without any physical contact with you. This is one way people end up with someone else using their name and information.
An Important Reminder
Remember that the majority of companies will NEVER require you to re-enter your personal information in order to change your password. They will simply email you a confirmation link that takes you to a page where you enter your new password. (And if you didn't request a password change, you should not be getting one of these emails at all.)
If you ever wonder about an email that arrives in your inbox, call or email the company directly and ask whether they sent it. Don't use "reply" to ask, because the reply goes wherever the sender chose. Instead, create a new email and type in the address you already have on file for the person or company. That way you know your message is going to the person or place you actually want to reach.
An email can be altered so that it appears to come from someone you know or a company you do business with, while the reply-to address has been changed to one the spoofer controls. You don't normally see the reply-to address unless you hit "reply" or open the message details. Most of these emails won't ask you to reply; instead they include a clickable link in the message. When they do ask for a reply, they are hoping you won't pay attention to where the reply is going, and count on your focus being the message itself.
In this way they can use your name and email address to make a message "look" like it comes from you, while the reply-to points to a different address. The result: the person who writes back isn't in contact with the person they "think" they are, but with a spoofer intent on harming them, usually by stealing account information. Sometimes the reply-to is a very close variation of the real address, perhaps with one extra letter or digit added. At other times it is blatantly obvious: an address that isn't recognizable at all.
Links in emails deserve the same caution. The visible text of a link can say one thing while the link itself goes somewhere else; if you aren't paying attention to where it actually leads, you can end up on a spoofed site or something worse, such as a site that tries to download malware onto your computer.
It has become a common theme for these individuals and groups to use a real company's name to create a spoofed site that collects your information.
You can easily check a link by hovering your mouse cursor over it; the real destination appears in the status bar at the bottom of the browser window (bottom left in Chrome; other browsers may vary). On a phone or tablet, a long press on the link usually shows the destination before it opens.
A Little Show and Tell
Please note: the information below is not an exhaustive description of how an email spoof is built. It gives a general idea of how it can be done and how to double check it. Methods vary. What is consistent is that the spoofer does not control the real person's mailbox, so a reply sent to the genuine address would go to the real person, not the spoofer. That is why these messages set the reply-to to an address the spoofer does control. (The exception is when the "from" address itself is a look-alike address on a domain the spoofer owns; in that case the reply-to may match the "from," so check the actual "from" address as well, not just the display name.) We recommend always double checking when a message seems "off."
Here you can see how my information normally appears when I send an email.
I am going to double check whether this message is indeed "from" Sue. Right under her name is a line with my address and a little down arrow (this is in Gmail). Clicking that arrow displays the message details, including the reply-to address. Alternatively, I could simply hit "reply" and look at the address the reply is going to.
When I click the arrow, it opens a box showing who the email is from. It has her name, but the reply-to address is different from hers.
Since this isn't an address I know, I am going to open a new email and send it to the address I already have listed for her. I might also forward the suspicious message to her and ask about it, rather than hitting reply. Going through her known address means I reach the real Sue, and it also lets her know that her email is being spoofed.
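The two checks described above (does the reply-to address differ from the "from" address, and does a link's visible text name a different site than the one it actually goes to) can be automated. The script below is an added example for this post, not code from the original article; it uses only Python's standard library. The sample message, the names and the domains in it are constructed for illustration and do not refer to any real person or company.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). The From line looks like
# a known contact, but Reply-To points to a different address, and the
# first link's visible text shows one domain while its href goes to another.
SAMPLE_EML = """From: Sue Example <sue@example.com>
Reply-To: Sue Example <sue.example@mail-example-support.net>
To: me@example.com
Subject: Quick question
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi, can you check this for me?</p>
<p><a href="http://login.example-bank-verify.net/confirm">https://www.example-bank.com/login</a></p>
<p><a href="https://www.example.com/newsletter">Our newsletter</a></p>
</body></html>
"""


def reply_to_mismatch(msg):
    """Return (from_addr, reply_to_addr) when Reply-To sends replies somewhere
    other than the From address, else None. A missing Reply-To is not
    suspicious on its own: replies then simply go to the From address."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        return from_addr, reply_addr
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Hostname named by a URL or bare domain, or None if text is not URL-like
    (plain link text such as 'Our newsletter' yields None)."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def deceptive_links(msg):
    """Return [(visible_text, href)] for links whose visible text names a
    different host than the one the href really goes to."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    found = []
    for href, text in collector.links:
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            found.append((text, href))
    return found


def check_message(raw):
    """Run both checks on a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"reply_to": reply_to_mismatch(msg), "links": deceptive_links(msg)}


if __name__ == "__main__":
    result = check_message(SAMPLE_EML)
    if result["reply_to"]:
        print("Reply-To differs from From: %s -> %s" % result["reply_to"])
    for text, href in result["links"]:
        print("Link text %r actually goes to %s" % (text, href))
```

To run it on a real message, save the message from your mail client as an .eml file and pass its contents to check_message. The script flags only the two signs discussed in this post; a clean result does not prove a message is genuine, so the advice above about contacting the sender through an address you already have still applies.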
Unfortunately, when someone "steals" your email address and uses it this way, there isn't much you can do. It happens to major corporations and to individuals. For the spoofer or phisher, it is just a numbers game: someone will eventually respond and fall victim to the scheme. All we can do is remind you that it is out there and to be on the lookout for suspicious emails.
Big companies such as your bank, Amazon, or Google usually have a dedicated "spoofing" or "phishing" reporting address where you can forward these emails. This helps them track down the people responsible or, at the very least, warn their customers about the problem.
When in doubt, call, especially when it comes to your finances. Taking the time to make that call, even if it means waiting on hold, can give you peace of mind at the very least, and may save you from identity theft or fraud.
If you are not sure where an email came from:
- Don’t use any of the information in the email.
- Don’t click on the link or call the number.
- VERIFY the claim by going to your financial institution's website yourself, typing the address you already know rather than following anything in the email.
A quick email to a known address, a forwarded message, or a phone call could save a lot of heartache and time.
In Summary
We are seeing more of this type of scheme happening in various ways:
- Emails threatening to "hold your site hostage" unless you make a payment in bitcoin or some other form of payment.
- Emails reminding you that your domain name is about to expire, with a payment link that doesn't go to your actual domain registrar.
- Emails stating that your site uses images that "belong" to someone else and that you need to "click on this link" to see which of your images are theirs.
These emails are suspect for a reason. Managing our clients' websites is our job, and part of that job is keeping up with what is going on in the world of scams so our clients can have peace of mind. We want you to stay informed so you can stay safe.
We do not use images unless we know you have the rights to them or we know where they come from, whether we supply them or they come from sites that allow their images to be used, such as Unsplash. It is better to ask us about a suspicious email and feel that you "might" be asking a dumb question than to become an unintentional victim.