How to Recognize Phishing Scams

Email is one of the greatest inventions of the 20th century, but it is also one of the most common ways of spreading viruses or attempting to steal your information.  In today's digital age, being able to recognize email scams is as fundamental as looking both ways before you cross the street.

Before you dismiss this because you already know not to click on email attachments, think again.  Today's email scams are far more sophisticated than those of the past, so it is important to re-educate yourself about today's evolving threats.

Understand that email scams are a business that steals billions of dollars each year.  Email scammers are there to steal your money, and they are very good at it.  They have been refining their techniques for a long time: scams that started with direct mail or faxes have become even more pernicious today.  Scammers have gotten smarter through years of trial and error.  Armed with a powerful understanding of human psychology, they often trick even the smartest people into clicking a link they otherwise wouldn't.  Make no mistake about it: they are good at what they do.

Phishing

The most important modern email scam to understand is phishing.  A phishing email looks like it came from a legitimate source, like your bank or the post office, but it is really from a scammer. Phishing works when you click on a link in the email that directs you to a fake site that looks just like the real thing.  You think you are looking at the real Bank of America or US Post Office website, but really you have just entered your username, password and PIN into a website that recorded them secretly and will now use them to run up charges or steal money from you!

First, the most important thing to remember is to never, ever click on a link in an email that says you owe money, that you need to change your password, that your account was compromised, that you need to change your PIN, etc. Keep your wits about you.  Clicking on that link is the worst mistake you can make.  If you get an email like that, close your email, open your web browser and type in the URL of your bank or the post office or whatever it is yourself. Change your password, just to be safe, but never click the link in the email!

Second, don’t ever make the mistake of thinking that scammers are stupid and that all of their scams will be filled with laughable misspellings and broken English.  They are counting on you thinking that way.  Some are laughable, but those are only the bad criminals.  There are criminals who are just as good at their job as you are at yours.

Now most people think they would never fall for this.  Not true. These attacks have gotten very sophisticated.  Let me relate two phishing experiences that almost tricked me, a professional IT guru for more than a decade.

A few years ago I started a business that helped third party sellers on Amazon do business better.  Amazon had just released what’s called an API so programmers could talk to their databases and build applications.  I raised funding from friends, family and business associations and hired a programmer.  In order to test our application I had to set up a business account with Amazon and it had direct access to my bank account.  I was very excited.  The new business was like my baby.

Well, in the midst of all this, I got an email from "Amazon" that said my account had been broken into. Now I was really nervous, because this was linked to my bank account and not my credit card.  The email was incredibly clever.  The HTML looked exactly like Amazon's. It was flawless.  It had none of the misspellings or grammatical errors you see with so many scams. The domain they had registered was cleverly disguised to look just like Amazon's domain with some typical web code after it.  A typical Amazon web link might look like http://www.amazon.com?sadf3fad,adf=query.  The stuff after the question mark is a query string, which looks like programming code.  The fake domain was something like http://adf2345f.us, so it was designed to look like code.  When they added fake host names to the front of it, like so: http://www.amazon.com.adf2345f.us, and then added some code after it, like so: http://www.amazon.com.adf2345f.us?fad5fadf=query, it was very hard to spot.  Can you see the difference? If you don't notice the period after .com, then you missed it.
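The trick described above comes down to where the real domain sits in the host name: a browser only cares about the last labels before the first slash or question mark, not about the "www.amazon.com" that a scammer pastes in front of them.  The following Python snippet is an added illustration, not code from the original article, that pulls the host out of a link and checks it against the domain you expected on label boundaries.  The sample links are constructed for the example, modelled on the ones quoted above; the domain adf2345f.us is the article's illustrative fake, not a real indicator.

```python
from urllib.parse import urlsplit

# Constructed sample links modelled on the article's description (not real IoCs).
SAMPLE_LINKS = [
    "http://www.amazon.com?sadf3fad,adf=query",              # genuine host, odd-looking query string
    "http://www.amazon.com.adf2345f.us?fad5fadf=query",      # the lookalike from the article
    "https://www.amazon.com/gp/css/order-history",           # ordinary genuine link
    "http://notamazon.com/login",                            # ends in 'amazon.com' but is not it
]


def hostname_of(url: str) -> str:
    """Return the lowercased host of a URL.

    urlsplit stops the host at the first '/', '?' or '#', so the query string
    that 'looks like code' never becomes part of the host we examine.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it.

    A plain string suffix test would accept 'notamazon.com', so the
    comparison is done label by label from the right-hand end.
    """
    host_labels = host.split(".")
    expected_labels = expected_domain.lower().split(".")
    if len(host_labels) < len(expected_labels):
        return False
    return host_labels[-len(expected_labels):] == expected_labels


def apparent_owner(host: str) -> str:
    """The last two labels of the host, i.e. what the link really points at.

    Simplification: multi-label public suffixes such as co.uk are not handled;
    a production check would consult the Public Suffix List.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str, expected_domain: str = "amazon.com") -> str:
    """Label a link 'trusted' if its host belongs to expected_domain, else 'lookalike'."""
    host = hostname_of(url)
    if not host:
        return "no-host"
    return "trusted" if belongs_to(host, expected_domain) else "lookalike"


def check_links(links=SAMPLE_LINKS, expected_domain: str = "amazon.com") -> dict:
    """Map each link to (verdict, host actually pointed at)."""
    return {url: (classify(url, expected_domain), apparent_owner(hostname_of(url)))
            for url in links}


if __name__ == "__main__":
    for url, (verdict, owner) in check_links().items():
        print(f"{verdict:9} -> really goes to {owner:20} {url}")
```

Run as a script, the second sample is reported as a lookalike that really goes to adf2345f.us, while the first sample, despite its odd query string, is a genuine amazon.com host.  The same label-boundary comparison is what you do by eye when you look for the extra period after ".com".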

I missed it and I clicked on the link.  The page it took me to looked just like Amazon’s page, except I logged in and it told me that account didn’t exist.  Right then I knew I had screwed up.  I knew my Amazon user names and passwords better than my phone number.  I knew something was wrong, so I looked closer.  Then I spotted the trick.  I immediately closed my web browser, opened it up again and typed in the Amazon.com address so that I knew I was going to the real thing and changed my password.  No damage done.  But it could have been, if I hadn’t caught it right away.  Most people, I imagine, were not so lucky.

The second example almost tricked me just the other day.  A client of mine got a virus. I use certain programs to help clear out viruses; one of them is Malwarebytes Anti-Malware.  I went to download one of them and noticed that the site had a slick new redesign. Now I had seen that site a million times, so I knew something was strange.  It turns out the virus was redirecting me to a fake page so that I would download more viruses from a page designed to look just like the anti-virus tool's page!  The thing is, the HTML design on the fake site was actually better and more professional than the real Malwarebytes page! Not only that, it means the virus writer actually knew about Malwarebytes, knew I would try to use it to clean the virus, and actively built a counter-attack.

The point is, if I can be fooled, you can be fooled.  So when you are clicking through your email, just remember my cautionary tale, and never click on any link in an email that wants information from you in any way.