Hazards of email

We tend to be much less cautious about emails - we believe they are from people or companies we know and trust.

How did the criminals get my email address?

There are many ways this may have happened. Here are a few:

  • A data breach: Very sophisticated hackers - often supported by hostile countries - target online organisations, often with the aim of accessing their data. Any personal information gathered - your name, email address, account number, etc will then be sold on the "dark web".
  • From the web or social media: A "spambot" roams the web gathering any email addresses it finds, and "reporting them back" to the hackers. Again to make lists for sale.
  • Using a virus: Email viruses often spread by causing the malicious message to be sent to everyone in the original victim's address book.
  • Phishing: You may have been tricked into giving them your email address.

What harm can it do if they have information about me?

The main problem is including this information makes an email more credible. Suppose by "phishing" or a data breach they have discovered your broadband provider is talktalk - and they have your account number. (yes this HAS happened). They may also use information they can reasonably suppose - such as your bank, mobile or broadband provider, or that you are expecting a delivery.

 

Example email from "Primark.co.uk"

To expand our customer base we are giving away £5 gift cards to new customers. To receive your card please complete the attached form giving your name and full address and click the "Send" button. You will receive your gift card by post within 14 working days.

 

So to "get your card" you need to: open an attachment (could be a virus); enter your personal information (to add to their list); and click a button (that could do anything)

 

Example email from "talktalk"

Dear Jenny; we are sorry to inform you that there has been a problem with your account (last three digits of account number) which may have resulted in a loss of service. In line with our general conditions you are eligible for a refund. To claim your refund please follow this link to your account page, and confirm the details are correct. ...

 

Can you see how the inclusion of some information they have already can make the email more believable? Of course the "account page" would be a fake.

Social engineering

Spam emails use "social engineering" to entice - or worry - you into being less suspicious of the content of a spam email. The examples above use greed as an incentive - more insidious scams use fear.

The top email scams currently include:

  • COVID-19 Payment Scam – the promise of a pandemic payment
  • Amazon Cancellation Scams – a fake Amazon order and offer to cancel it
  • Netflix Phishing Scam – an attempt to get your details
  • PayPal Order Confirmation – works on the fear of missing an order
  • Delivery Scam – is there a parcel waiting for you?
  • Apple iTunes Scam – fake email orders
  • Sextortion Scam – the threat of leaking private information
  • Apple Account Recovery Scam – the danger of locking you out of your Apple account
  • Bank Phishing – an authentic looking financial email
  • Investment Scams – tempting offers to invest your money
  • Facebook Activity Alerts – imitating genuine Facebook notifications
  • Google and Gmail Alert Scams – attempts to get your login details

All of the above scams attempt to trick victims in a similar fashion. You're encouraged to click through a link, at which point, victims can inadvertently hand over sensitive data to scammers.


Example from REAL scam email

Links - especially in emails - can take you to an information harvesting page that aims to steal your identity. Here is an example copied from a real scam email, but made safe, and with corporate graphics removed (so I don't get prosecuted by AMAZON). The email claimed a payment had been refused.

Click to see it.

 

Stay safe

The simple rule is in most cases, unless you are certain its a valid email from a friend or company you know, always check. And DONT USE LINKS IN EMAILS!

A valid email from a reputable company will never ask you to click a link. If you get an email from e.g. Lloyds bank saying "your account is overdrawn" use your normal log-in procedure to check.