I’m talking about when the heir to the Nigerian throne would reach out to your Hotmail account to help him secure his inheritance, or when an attractive woman or man you’ve never met before would email you out of the blue asking if you were single; spam has always been annoying, but back then, it was clearly just junk that could be ignored.
Today, it’s not so simple.
Here’s the thing though; those common email scams we look back on and laugh about today were common for a reason—they worked sometimes. Folks fell for them. Gullible widows wired cash overseas in the hopes that the Prince of Nigeria would share some of his vast fortunes with them, and life-sentence bachelors fell for the steamy romance that started with a canned email.
Modern spammers are driven by success. The goal isn’t to just flood your inbox with junk mail, but instead they see it as a numbers game. A certain percentage of users fall for different spam campaigns, and the scammers have learned over the many years that certain tactics have a better conversion rate. With these tactics, they know if they send x-number of emails out, a certain percentage of people will fall for the trap.
To protect yourself from dangerous spam scams today, you need to be aware of these tactics.
You wouldn’t expect an email from Amazon, Paypal, your bank, Microsoft, or Google to be dangerous, right? What about an email from your family or friends, your boss, or your partner?
Spammers can easily mimic email addresses that look legitimate in order to give you a sense of trust. Traditional email phishing attacks have been doing this for a long time, where the scammers pose as legitimate companies like Google, Amazon, or your bank. These types of attacks are easy to just blanket out to a million inboxes, because there’s a pretty good chance most recipients will have an Amazon account, or a Google account, or a Microsoft account, etc.
They can also be targeted toward specific contacts who definitely do business with an entity. If your bank suffers a data breach where the list of email addresses of their users are leaked, spammers can easily target all of them with personalized scams.
Thanks to social media, it’s also pretty easy to determine who a person interacts with in their daily life. You could easily look up a friend or colleague and usually figure out their family members, and with a little digging, figure out what their email addresses are. It only takes a little technical knowhow to spoof those email addresses and run highly personalized spam campaigns.
Homograph and Punycode Attacks
These tactics are a little harder to wrap your head around if you aren’t technical, but essentially this is one method scammers can use to make an email seem more legitimate. A homograph, in the English language, is where two words look the same and are spelled the same, but have different meanings. For example, the word bow (like a bow made of ribbon on a gift) and the word bow (like to take a bow after a performance), or the word tear (like what comes out of your eyes when you cry) and tear (the act of ripping something).
When it comes to online scams, homograph attacks are used to trick a recipient into trusting an email or website. It’s a little complicated to explain, but essentially non-traditional keyboard characters get translated to look like traditional letters. This means someone can easily spoof, say, Paypal.com, without actually owning or controlling the domain for Paypal.com.
Homograph and Punycode attacks don’t just take place in email either. Fake versions of legitimate websites can be created that steal information, and scam messages can be sent on various iOS and Android messaging apps and social media. Essentially, you need to be a little cautious whenever you receive any correspondence, anywhere. If something seems overly urgent or too good to be true, be a little skeptical.
Email inboxes can be hijacked altogether. This is one of the oldest methods for distributing spam and malware, and it still takes place today. If your email becomes compromised, either from a weak or stolen password, or by malware, it can send emails out to all of your contacts to continue to spread.
The emails would come directly from your account, so to most recipients, it will look legitimate. When the recipient opens it, the process is repeated and it hits all of their contacts with the same spam. It just explodes outwards from there.
When someone doesn’t have very good cybersecurity hygiene, it can be ridiculously easy to gain access to their email.
For example, let’s say Bob uses the same password on his Netflix account and his work email. Bob shares his Netflix account with his kids, who log in on their mobile devices. One kid’s tablet gets infected with malware that steals passwords.
Suddenly Bob’s Netflix username and password are publicly up for sale on the dark web, in a big list with tens of thousands of other stolen accounts that this malware was able to grab. For less than a dollar, Bob’s record gets bought by scammers and cybercriminals on the dark web. Dozens of entities could now have it. It only takes one of those entities to think “hey, I wonder if this Bob guy uses the same password for his corporate Outlook account…” and voila! They are in Bob’s email with full control over everything.
They can email your contacts, read your messages, change passwords to other accounts tied to that email, request password resets from bank accounts, and so much more.
The cybercriminals can then use Bob’s email to scam his coworkers, his friends, his family, and his clients. Suddenly, Bob is just one of dozens or hundreds of victims in the middle of it all.
More often than not, your friends, family, and colleagues might be taking shortcuts when it comes to their cybersecurity, which means you could be one of their victims.
Preventing Scams and Cyberattacks is All About Being Aware and Skeptical
Since phishing attacks and other scams can be so hard to identify, the real defense against them is just being overly cautious. We recommend taking a zero-trust approach. If you didn’t request an attachment, and had no idea it was coming, don’t download it or click on it.
If a bank account emails or texts you saying there was an unauthorized purchase, sit down at a computer and log into the account the same way you would normally, and not through the link sent in the email or text.
You can build this culture of caution by making sure you don’t assume recipients should trust your emails too. If you send a contact an attachment, pick up the phone and call to let them know they are getting it, unless they are already expecting it from you. Even tell them why you are calling first, because you want to always take a security-minded approach to your correspondence.
Wear it like a sign of respect; and if you and everyone else starts treating email this way, it will lead to a much safer world.
If you get an email that looks suspicious, and want our techs to check it out, give us a call at (646) 741-1166.