The recent massive data leak at email services provider Epsilon makes it likely that many consumers will be exposed to an unusually high number of email-based scams in the coming weeks and months. So this is an excellent time to point out some useful resources and tips that can help readers defend against phishing attacks and other nastygrams.
Don’t take the bait: Many people are familiar with the traditional phishing attack, which arrives in an email that appears to have been sent from your bank or ISP, warning that your account will be suspended unless you take some action immediately, usually clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Commercial emails that emphasize urgency should always be considered extremely suspect, and under no circumstances should you do anything suggested in the email. Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment (most phishing scams are hosted on hacked, legitimate Web sites). If you’re really concerned, pick up the phone (gasp!) and call the company, using the number printed on your card or statement rather than any number supplied in the message, to find out if there really is anything for you to be concerned about.
Links Lie: You’re a sucker if you take links at face value. The visible text of a link can read “Bank of America” while the link itself points anywhere the sender likes. To get an idea of where a link goes, hover over it with your mouse and look at the status bar in the bottom left corner of the browser window. Yet even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link. The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you. Two caveats to that rule of thumb: some countries use two-label endings such as .co.uk, so for those you must count back one more dot (www.somebank.co.uk is registered under somebank.co.uk, not under co.uk); and anything between “http://” and an “@” sign is not the host at all but a user name, so a link such as http://bankofamerica.com@example.net/ actually takes you to example.net. Want to learn more cool stuff about links? Check out this guy’s site and you’ll be a link ninja in no time.
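The “work back to the second dot” rule, written out as code so the two caveats can be seen in action. This is an added example, not code from the original post; the short list of two-label suffixes is constructed for illustration, and a real check should consult the full Public Suffix List. The bank names and example.net are used only as link text and reserved domains.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately short list of public suffixes that are two labels
# long. A real implementation should load the full Public Suffix List
# (publicsuffix.org), which runs to thousands of entries.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def hostname_of(url: str) -> str:
    """The host the browser will actually connect to.

    urlsplit drops any user:password@ prefix and any :port, so
    http://bankofamerica.com@example.net/ correctly yields example.net.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r} (missing http:// scheme?)")
    return host


def two_dot_root(host: str) -> str:
    """The article's rule of thumb: from the end of the host, back to the second dot."""
    return ".".join(host.split(".")[-2:])


def registrable_domain(host: str) -> str:
    """The domain someone had to register, allowing for suffixes such as co.uk."""
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP address has no registrable domain; report it as-is
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_report(url: str) -> dict:
    """Everything you would want the status bar to tell you about a link."""
    host = hostname_of(url)
    return {
        "host": host,
        "two_dot": two_dot_root(host),          # what the naive rule says
        "registrable": registrable_domain(host),  # what the link really belongs to
    }


def same_owner(url: str, expected_domain: str) -> bool:
    """True only if the link lands on a host registered under expected_domain."""
    return registrable_domain(hostname_of(url)) == expected_domain.lower()


if __name__ == "__main__":
    # Constructed sample links: one genuine, three that only look genuine.
    for url in (
        "https://secure.bankofamerica.com/login?session=" + "x" * 80,
        "http://www.bankofamerica.com.example.net/login",
        "http://bankofamerica.com@example.net/login",
        "http://www.somebank.co.uk/login",
    ):
        print(link_report(url), same_owner(url, "bankofamerica.com"))
```

Note that the naive rule reports “co.uk” for the fourth link and that the third link never touches bankofamerica.com at all; both are exactly the cases a phisher relies on when choosing a host name.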
“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged. If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email. The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers. The parts worth looking at first are the “Return-Path:” (the address bounces go to, which the forger usually cannot make match the bank), the chain of “Received:” lines (each mail server adds one at the top, so the bottom-most one is closest to the true origin), and, where your provider adds it, the “Authentication-Results:” line recording whether SPF and DKIM checks passed. Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at About.com. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.
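To show what those headers look like when pulled apart, here is an added example (not from the original post) that parses a constructed message using only reserved example domains. It compares the visible From: domain with the Return-Path, lists the Received: hops oldest first, and reads any SPF/DKIM verdicts from an Authentication-Results header. The message, host names and addresses are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message whose visible From: claims to be the bank, but
# whose envelope sender, delivery path and SPF result all say otherwise.
RAW_MESSAGE = """\
Return-Path: <bounce-8841@mail.marketing.example>
Authentication-Results: mx.inbox.example; spf=fail smtp.mailfrom=mail.marketing.example; dkim=none
Received: from mail.marketing.example (mail.marketing.example [198.51.100.7])
  by mx.inbox.example with ESMTP id def456 for <customer@inbox.example>;
  Mon, 04 Apr 2011 09:59:58 -0400
Received: from [203.0.113.5] (unknown [203.0.113.5])
  by mail.marketing.example with SMTP id ghi789;
  Mon, 04 Apr 2011 09:59:50 -0400
From: "Customer Service" <service@bank.example>
To: customer@inbox.example
Subject: Urgent: verify your account

Your account will be suspended unless you verify it within 24 hours.
"""


def domain_of(header_value):
    """Domain part of an address header such as From: or Return-Path:, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def received_path(msg):
    """Host named in the 'from' clause of each Received: line, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header onto one line
        m = re.match(r"from\s+(\S+)", flat)
        hops.append(m.group(1) if m else "?")
    return list(reversed(hops))  # servers prepend, so the top line is the newest


def auth_results(msg):
    """spf=/dkim=/dmarc= verdicts from Authentication-Results, if the receiver added one."""
    value = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))


def sender_report(raw):
    msg = message_from_string(raw)
    return {
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "path": received_path(msg),
        "auth": auth_results(msg),
    }


def from_is_suspect(report):
    """True when the visible From: is contradicted by the envelope sender or by SPF."""
    rp = report["return_path_domain"]
    envelope_mismatch = rp is not None and rp != report["from_domain"]
    spf_failed = report["auth"].get("spf") == "fail"
    return envelope_mismatch or spf_failed


if __name__ == "__main__":
    report = sender_report(RAW_MESSAGE)
    print(report)
    print("suspect:", from_is_suspect(report))
```

A mismatch between From and Return-Path is a prompt to look closer, not proof on its own: legitimate bulk mailers, including a service provider sending on a brand’s behalf, routinely use their own bounce domain in Return-Path. That is precisely why the From line alone cannot be trusted in either direction, and why the SPF/DKIM verdict, when present, is the quickest signal to read.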
When in doubt, type it out: If you’re not sure about the validity of an email, don’t click on the link in the message. Instead, take a moment to visit the Web site of the sender in question by typing the URL into a Web browser, and access your account normally.
Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a Trojan that steals all of the sensitive data on victim PCs. So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Check with the sender that they really meant to send it, preferably in a fresh message to an address you already have or by another channel rather than by hitting reply, since a reply goes to whatever address a forger chose to put in the message. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.
If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it. Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor’s Web site if you can.
Think Ahead: While this may be of little help to folks who received multiple warnings from companies impacted by the Epsilon breach, the best way to avoid dealing with email scams is to be very selective in giving out your email address. If you don’t already have one, consider creating a second email address to use when signing up for any services that require an email. Alternatively, if you’re sure you won’t need a specific service or site more than once or for more than a few minutes, you can take advantage of a free service like 10 Minute mail; as its name suggests, 10minutemail.com lets you create throwaway addresses that give you just enough time to sign up for something and then check your inbox for the message containing the obligatory confirmation link.
Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers, most notably Gmail, make this especially easy. When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my normal address with “+example” inserted just before the “@”. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder. That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked, too!). I should note two caveats here. First, although the “+” convention is widely supported, the email standard leaves the meaning of everything before the “@” up to the receiving server, so not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.
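The filter-and-folder logic above, written out so you can see how a tagged address is recovered from a delivered message and how a “leak” is spotted. This is an added example, not part of the original post or of Gmail: the account name, the record of which tag was given to which site, and the three messages are all constructed, and only reserved example domains are used.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical account, and a hypothetical record of which tag was handed to whom.
BASE_ADDRESS = "jane@mail.example"
REGISTRATIONS = {"example": "example.com", "shop": "shop.example.net"}

# Constructed messages. Gmail stamps the address it actually delivered to in
# Delivered-To:, which is why that header is checked before To:.
MESSAGES = [
    # 1. The company I gave the tag to, writing from a subdomain of its own domain.
    "Delivered-To: jane+example@mail.example\n"
    "From: news@mail.example.com\nSubject: Monthly update\n\nHello\n",
    # 2. Same tag, but now a stranger is using it: the address has leaked.
    "Delivered-To: jane+example@mail.example\n"
    "From: offers@bulk-deals.example.org\nSubject: Act now!\n\nBuy\n",
    # 3. Ordinary mail to the untagged address.
    "Delivered-To: jane@mail.example\nTo: jane@mail.example\n"
    "From: friend@inbox.example\nSubject: lunch?\n\nNoon?\n",
]


def tagged_address(base, label):
    """jane@mail.example + 'example' -> jane+example@mail.example"""
    local, domain = base.split("@", 1)
    return f"{local}+{label}@{domain}"


def tag_of(msg, base):
    """The +tag the message was addressed to, or None if it used the plain address."""
    base_local, base_domain = base.lower().split("@", 1)
    for header in ("Delivered-To", "To"):
        _, addr = parseaddr(msg.get(header, ""))
        local, _, domain = addr.lower().rpartition("@")
        if domain != base_domain:
            continue
        user, plus, tag = local.partition("+")
        if user == base_local and plus:
            return tag
    return None


def route(raw, base=BASE_ADDRESS, registrations=REGISTRATIONS):
    """(folder, leaked): where to file the message, and whether the tag is being
    used by someone other than the site it was given to."""
    msg = message_from_string(raw)
    tag = tag_of(msg, base)
    if tag is None:
        return "Inbox", False
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    expected = registrations.get(tag)
    # Allow the registered domain and its subdomains (mail.example.com for example.com).
    from_owner = expected is not None and (
        sender_domain == expected or sender_domain.endswith("." + expected)
    )
    leaked = expected is not None and not from_owner
    return tag.capitalize(), leaked


if __name__ == "__main__":
    print(tagged_address(BASE_ADDRESS, "example"))
    for raw in MESSAGES:
        print(route(raw))
```

The second message is the trap springing: it arrived at an address that only example.com was ever given, from a domain that is not example.com, so either the address was shared or the site was compromised. A tag that is not in the registration record is simply filed under its own name without a verdict, since there is nothing to compare it against.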
Let’s summarize with a few quick rules:
1. Don’t open emails if you don’t recognize the sender’s name or domain.
2. Take a moment to check that the sender is really the one whose name appears as “From.”
3. Don’t click on links in emails or open attachments unless you are sure the sender is trustworthy.
4. When in doubt, go to the senders’ websites by typing their addresses in your browser bar. Or call the senders – they probably need to know that spam is being sent in their names.
5. Your email address should be kept private if possible. Consider using a second or throwaway address if you are required to provide it.
6. Be extremely cautious when a website tells you that you need to install an add-on or download of any sort.