“Hi Timmy, your mom asked that I pick you up from school and take you to soccer practice.”
You’re Timmy and you don’t know this man. But, he knows your name and he knows that you have soccer practice this afternoon. Is it possible that your mom really sent him to pick you up? What would you do?
Now, what if this man was disguised to look like your mom and he drove a car that is the same make and color that your mom usually drives? That’s email spoofing.
Email spoofing is the act of sending emails that pretend to be from someone else. For example, an attacker may send an email that shows orders@amazon.com as the sender when their real email address is jimbo214@roadrunner.ca. Or, an attacker may set up their own email server that fakes the identity of an AMAZON.COM email server. The reasons people send spoofed email include, but are not limited to:
- To convince you to provide sensitive information such as credit card numbers or bank details.
- To convince you to take action, such as initiating a bank transfer, clicking on a malicious link to collect login details or downloading an infected file to install unwanted software on your computer.
- To steal your identity.
How To Avoid Becoming A Victim
To the surprise of many, the key to combating email spoofing is not some new-fangled technology – it’s education. And it begins by asking a few questions.
Was I expecting this email?
If you receive an email from orders@amazon.com but you have not bought anything from Amazon recently, treat that as a red flag. If you have any reason to be suspicious, do not click on anything in the email. You can investigate by opening a separate browser window and logging into AMAZON.COM directly. From there, you can check your order history. This holds true for most online retailers and websites.
If you receive an email from a friend or colleague that you’re unsure about, contact them directly to verify whether the email is legitimate.
How does the attacker know my name and email address?
In many cases we unintentionally give attackers our email addresses. Take Timmy for example. If Timmy is wearing soccer cleats and a backpack that has his name, “Timmy”, embroidered on the back of it, he’s a much easier target. Likewise, certain activities make it much easier for you to become a target, such as:
1. Chain E-Mail
Jokes, prayer requests, that must-see video: we’ve all gotten them. But chain emails are among the quickest ways for an attacker to get your email address and collect information about who you know. Chain emails are messages that are forwarded to a group of recipients who are then encouraged to forward the email again to additional recipients. A key characteristic of chain emails is that the email addresses of recipients are exposed for everyone to see! Hackers use chain emails to harvest names and email addresses to target other people.
How To Fight Back
If you personally know the individual who forwarded the chain email to you, send them a polite note and ask them not to include you on chain emails. If it’s a group email that you would like to receive, ask them to move your email address to the BCC or Blind Carbon Copy field. Adding an email address to the BCC field allows the recipient to receive the email without the other recipients seeing their name or email address.
Also, the body of chain emails will often include a list of email addresses that the message was previously forwarded to. Ask the sender to delete that list before forwarding the message on to other recipients.
2. Online Offers
It seems that everything you do online requires you to provide your email address. Many websites ask you to provide your email address before downloading a free offering such as a coupon, an e-book or software. Most online retailers require an email address before you can complete a purchase. Hackers target websites like these to get large lists of names and email addresses.
How To Fight Back
Be careful and very discriminating about who you share your email address with. Create a free Gmail or Hotmail account such as NotByTheHairOfMyChinnyChinChin@Hotmail.com that you only use where you don’t want to share your primary email address.
Pay attention to red flags. By being vigilant you can avoid exposing yourself and others to email spoofing attacks.