Detecting Bogus Email

I’ve noticed from the flood of complaints in the news, on social media, and talking to friends, that dangerous email is worse than ever. The pandemic has shifted the bad hackers into high gear. I can help stem the flood.

I may be struck down for this hubris, but I’ve never been tricked by a bogus email, even though I’ve sent and received email almost from the day it was invented. I don’t have a special talent, only a suspicious character and a bit of technical knowledge. I’ve evolved some robust techniques for weeding out the bad emails.

I’m not talking about spam. Spam is unrequested commercial email, which is annoying, but not vicious. I’ll even admit that a few times, I’ve welcomed a spam message that brought me something new. The stuff I’m concerned with today is fraudulent and malicious email that is intended to do harm rather than legitimately sell a product or service you don’t want.

These emails are often called “phishing,” a term that is a little too cute for a farm boy who shoveled chicken droppings every Saturday morning until he left the farm for college.

Email is convenient. I remember when we had only a few choices for communicating: go to see the person, call them on the telephone, or send them a letter. Each method was useful, charming, and pestilential at times, sometimes all at once. I gripe about my overflowing email inbox but clicking away the chaff is a lark compared to a line up at my desk or a phone ringing constantly. Writing letters was, and still is, an art, but it’s called snail mail for a reason. As annoying as it can be, and handy as Slack and other messaging style services are, email is still a communications workhorse.

Mail, telephone, and in-person fraud, harassment, and other scatter-shot deviltry abounded long before email. The worst of us never tire of devising new mischief to soil other peoples’ lives, but the rest of us have developed instincts, habits, customs, and laws that civilize our lives and tamp down the shenanigans that plague us.

However, instincts, habits, customs, and laws have not kept up with electronic innovation. Here, I’ll explain how I keep up with the email crooks.

I have a series of steps I go through with email. I divide the process into three phases: suspicion, confirmation, and reaction.

Suspicion

Do I expect this email? Do I know the sender?

If it’s Tuesday and I always get an email from my friend Peter on Tuesday, I feel safe reading it. Actually, at least half of my inbox is expected email from known senders. Faking a phone call or handwritten letter is more difficult than faking an email because voices and handwriting are laden with familiar clues to identity, but faking an email from a friend, outside of spy fiction, is still extremely difficult. Trust your intuition, it’s more powerful than you may think. If something feels off, check it out.

However, intuition breaks down as relationships get more remote, especially in impersonal business email, but you have a great advantage: criminals are seldom as fastidious as legitimate email users. They’re in it for easy money and they usually don’t care about the impression they make or attracting return customers.

As a consequence, they don’t pay proofreaders and formatting professionals to ensure that their emails are perfect. Few businesses will send out emails with misspellings or sloppy formatting, but criminals often do. At best, they will copy an existing piece of legitimate email and make a few changes. If you spot misspellings, grammatical errors, misalignment of type, uneven borders, colors that are not quite right, be suspicious.

Why was this email sent? What’s its point? Does the sender want me to do something? Is there money involved?

Always be suspicious of any transaction you did not initiate. People and businesses are like slugs. They almost always react to stimulus from their friends and customers, but they seldom reach out unless they have something new to sell to you. Whenever there is money involved, be certain you understand exactly what the transaction is and why you are engaged in it.

Confirmation

If suspicion has set off alarm bells, check it out.

Uniform resource identifiers

Every savvy computer user should know a little about Uniform Resource Identifiers, or URLs. Although URI is technically correct, everyone calls them URLs (Uniform Resource Locators). Computing and network engineers have been evolving and improving the concept for over thirty years. They are a formal way of unambiguously naming almost anything and a key to computer-based communication.

We are all familiar with them, whether we realize it or not. We all know web addresses like https://example.com, and email addresses like mailto://marv@marvinwaschke.com. Librarians know ISBNs (International Standard Book Numbers). Even telephone numbers are now examples of naming systems that follow the URL standard.

Well. That’s fine for engineers and librarians, but what about ordinary users? Why should they know about URLs? Because knowing what a legitimate URL looks like often makes a fraud stand out like a black eye.

In another post, I’ve detailed reading URLs. Check out how here.

Recent hacker tricks

Lately, I’ve noticed that hackers have gotten very fancy with the characters in their URLs. I could indulge in a technical discussion of fonts versus character sets at this point, but I will simply say, look carefully at the characters in URLs. If I see an accent, squiggle, superscript, or an extra curlicue anywhere, I assume I am under criminal attack. Legitimate URLs and text avoid this. Hackers love it.

Circle back

Legitimate businesses have no problem confirming their enquiries. For example, if you get a question about your account with XYZ company, call their publicly listed number (not the one a hacker gives you) and ask for an explanation. You may be bounced from desk to desk and have to wait on hold, but eventually you will get an answer: either a confirmation of a legitimate issue, or a statement that you can ignore the bogus email.

If XYZ is a company I would continue to deal with, the answer will be prompt, courteous, and helpful. If the process is difficult or the responses are impolite, I would look for an alternative for my future business. However, I always wade through to the end before accepting a hack. Personally, I will tolerate dreck to deal with a situation, but I will take steps to avoid future dreck.

Reaction

I am stubborn. I won’t knuckle under to cybercrime. When I am subjected to cyber assault, I report it and do my best to stop it. Frankly, with the state of cybercrime laws and enforcement, I don’t expect to see immediate results. I seldom anticipate that the criminal who assaulted me or my equipment will be punished, but I want to see cyber laws and enforcement strengthened. I hope international organizations will be formed or strengthened to punish or neutralize off-shore criminals. Nothing will change if crimes go unreported.

Two main routes can be used to report cybercrimes. I use both.

You can report crimes to law enforcement. I went into the details of reporting to local and federal law enforcement here. The Federal Trade Commission has a site for reporting identity theft and aids in recovery. They also have a site for reporting fraud.

Another way to report cybercrime is to report it to the organization that is affected. For example, if I received an email about Microsoft Office from m1crosoft.com (notice the “one” instead of an “i”), I would forward the message to phish@office365.microsoft.com. Many companies, especially tech-oriented companies, have facilities for reporting fraudulent emails. I use Google to find the proper procedure. American Express, as another example, requests that fraudulent mail be forwarded to spoof@americanexpress.com.

Our local, state, and federal governments and these companies all want to shut down the criminals. But they can’t unless we refuse to tolerate this form of crime and report it. Tedious, but worth it.

New Normal: Covid Phishing

It’s summertime and the living’s easy… The covid-19 weather is perfect for successful phishing expeditions, emails designed to trick you into jeopardizing your computer, your finances, or your business.

The other morning, after scanning incoming email and doom scrolling the news (checking for new trouble on the current events horizon), I went to the kitchen for a glass of water. Ten minutes later, I returned to my desk with a dry throat. I had put the breakfast dishes in the dishwasher, taken out the trash, and watered the rose bush, but I forgot to get a glass of water. Preoccupation with the virus and the economy has turned my life into a struggle to stay on subject, and from what I read, I am not alone.

I got an email yesterday from PayPal about a charge to my account. That was strange. I don’t have a PayPal account. My wife and I do use PayPal, but the account is in her name because in our marriage’s division of labor, I wash the dishes and she pays the bills. Luckily, I focused my concentration long enough to spot some clues that the email was not from PayPal. I forwarded the email to PayPal’s phishing detection email address. A few minutes later I was rewarded with a return email confirming my suspicion. I permanently deleted the phony email and breathed the sigh of relief that comes after dodging a bullet.

That was close. I could easily have missed the clues in my currently distracted state and clicked on a link in the email, starting down a path toward a hacked computer, a ton of hassle, and likely a hit on our bank account.

This evening, instead of doing the dinner dishes, I’ll sidetrack into some hints on how to detect a phishing attempt.

Rule #1 when dealing with phishing attempts: when reading any email, don’t click on anything, don’t allow images to display, don’t call phone numbers, or send messages until you are sure the email is genuine and not a phishing expedition.

Your email client, the computer application you use to view emails, should be configured not to automatically display images from untrusted sources. This is the default for most clients. If a box pops up asking if you want images displayed, take a second to think: can I trust this sender? The problem is that when your computer reads an image file, it runs a program to convert the zeroes and ones in the file into an image you can see. Hackers doctor images to exploit flaws in that program and run malicious code embedded in the image file. Your operating system and email client make this difficult, but hackers are always looking for new ways to do this kind of stuff. There is a second, quieter reason: fetching a remote image tells the sender that your address is live and that you opened the message, which is exactly what a phisher wants to know.

Here are a few points to consider:

  • Criminals know that many of us worry a lot these days and they know how to take advantage of your fraught state. If you receive an email that raises a worrisome possibility, think twice and turn up your fraud sensors. The fact that I do not have a PayPal account in my name was a whopping clue, but I could have missed it because the email brought up a disturbing possibility: it claimed someone had charged an expensive video game to my account, which is exactly what would happen if a criminal script kiddie got access to my PayPal account. In my current distractible state, the haze of worry could easily draw my attention from the precautions I would ordinarily have taken.
  • Phishermen try to force your hand. Click HERE. Call THIS NUMBER. You must respond NOW. Emails that feel like frantic attempts to get a response are suspect. My wife and I do buy video games occasionally, mostly for our grandsons. The charge could have been legitimate, but this email insisted that I click or call immediately. That is not normal. A legitimate warning would simply point out unexpected charges, not insist on immediate action. Again, cause for doubt.
  • Look at links and email addresses carefully. On most browsers, when you hover over a “live” link, the actual address will pop up somewhere, usually the lower left corner of the window. Look at those little popups. When reading internet addresses, the most significant part of the address is to the right. “support.microsoft.com” is the support division of Microsoft Corporation. “microsoft.suport.ru” is some unknown “suport” site in Russia that has nothing to do with Microsoft. Also, be on the alert for subtle typos and misspellings. If you see “mcrosoft.com” you can be pretty sure some hacker is trying to trick you.
  • When you have doubts, suspicions, or tiny qualms, you can always contact the sender and ask. But not via links, numbers, or addresses in the suspect email. I googled “PayPal phishing” and quickly found instructions for dealing with suspicious PayPal emails from the official PayPal site.

The summer of 2020 is tough. Don’t make it worse by letting some crudball take advantage of your concern for yourself and your neighbors.

Phish Spotting

This morning I was greeted by a spate of phishing emails in my inbox. How did I know? Because the Gmail Team spotted them for me. Google has gotten very good at spotting phishing. I began using Gmail as my main email client yesterday. This morning, the Gmail Team lit up my eyes. I had mixed feelings about Gmail’s unfamiliar interface and online requirement, but their phish spotting performance this morning moved the approval needle a whopping notch in the positive direction. Between 8 and 9 pm yesterday, Google recognized 22 phishing attempts on one of my email accounts. That is close to a denial of service attack, but Google took it in stride.

I’ll ignore the slightly disturbing fact that the phishing started an hour or so after I put the email address into Gmail.

If you are wondering, a Denial Of Service (DOS) attack uses a flood of messages of some kind to try to overwhelm a system. In this case, the flood was phishing email. More often, a DOS attack is on a web service, like Amazon or Google itself, in which a flood of requests for service are sent to the service. The effect is either to slow the service down so badly that legitimate requesters give up and turn away, or to make the service itself fail under the bombardment of requests.

The most difficult type of DOS attack occurs when the attack comes from many different sources at the same time. This is called a Distributed Denial Of Service (DDOS). Often, a DDOS comes from a “botnet,” a collection of surreptitiously invaded computers, often home computers, that are subverted to send out requests at the bidding of the “botmaster.” Often, the point of a phishing attack is to secretly turn your computer into a bot.

Even though Google and other services are effective, don’t become complacent. Automated phishing detection is good, not perfect.

I skimmed over the crop of phishes; they were not well-crafted, mostly warnings of overdue payments from vendors with whom we never deal and notices from online fax services we don’t use. They were riddled with poor grammar and unprofessional formatting. They used slight misspellings in the URLs, like jpmoryan for jpmorgan, to make it appear that links were to legitimate sources. I’d give you more examples, but I followed best practice and permanently deleted the bogosities before I thought of writing about them. Ah well.

If you discipline yourself to look at all incoming email carefully, most phishing attempts are easily weeded out. Look at any invitation to click on a link with suspicion. Check the URL by hovering over the link and looking at the text (usually at the lower left of your display) for anything that looks suspicious like a “.ru” or a misspelled name.

Email attachments, especially zip files, are often treacherous. Don’t open them unless you are very sure of the source. If you know how, start up an isolated virtual machine and open dicey attachments there. If you don’t know what the previous sentence meant, don’t open the attachment. Get competent help if you feel you must open it.

Ask yourself if the message is reasonable. A request from a vendor or service you don’t deal with, for example, is not reasonable. If you think the message might be legit, but you have doubts, pick up the telephone and call their customer service. Don’t use a phone number in the message. Get a number from an independent source, like a secure (https) website that you find using a standard search like Google or Bing. Straightforward caution and common sense carry the day.

Caution, with the help of services like Google’s, will protect you from most phishing, but may not protect you from “spear phishing.” Spear phishing is insidious and seldom automated. Spear phishers study their prey. They can get to information on your preferences and habits collected by advertising services and they can purchase stolen information from criminal sites on the dark web. Or they can look at your public Facebook page, reviews on Amazon, even the book lists that you post at your public library site, to gather details about you, then craft emails that are plausible and hard to detect. For example, a spear phish might take the guise of a letter from a friend suggesting a link about a book you put on your library shelf.

Who wouldn’t be taken in by a friendly gesture like that? Google might spot some discrepancy or a connection to their long list of dangerous sites, but the best spear phishermen strive to stay way ahead of the white hats.

Fortunately, the kind of spear phishing I just described takes far more time, effort, and skill than hackers are willing to expend on random targets. Generally, the criminals rely on sloppy automated scattergun attacks that only work because they hope for a one in ten thousand catch. However, if you happen to be a high-profile target, like a public figure or a person of interest to a foreign government, and worth the hacker’s effort, you must be cautious indeed. I suggest looking into something like Google’s advanced security program. Benjamin Wittes has a podcast on Google security that you may find worth your time.

Cyber Defense Skill: URL Reading

Want to quickly sort out real emails from spam? Spot bad links on web pages? Identify sham web sites? I have a suggestion: learn to read URLs.

Learning to read URLs is like taking a class in street self-defense or carrying a can of mace. Actually, much better because reading URLs can’t be turned against you. You might end up in the hospital or worse if you resist a street thug with your self-defense skills, but you will never be injured spotting a bad URL.

Uniform Resource Locators (URLs), more properly called Uniform Resource Identifiers (URIs), direct all the traffic on the World Wide Web. Almost every cyber-attack directs traffic to or from an illegitimate URL at some point in the assault. If you can distinguish a good address from a bad address and develop the habit of examining internet addresses, you will be orders of magnitude more difficult to hack.

Addresses are constructed according to simple rules. You can master the rules you need to know in order to distinguish legitimate addresses from scams in a few minutes. And be much safer.

If you want to dig deep into URLs, take a look at RFC 3986. There is much more to URLs than I cover here.

Here is a typical simple URL:

https://www.marvinwaschke.com

HTTP

The first part, called the scheme, “http:” tells you that it is a HyperText Transfer Protocol (HTTP) address. You need to know two things about the HTTP scheme. First, almost all data on the web travels to and from your desktop, laptop, tablet, or phone over HTTP. In fact, if an address does not begin with “http”, it’s not a web address. There are other schemes; the most important of these is “mailto:”, which designates an email address. More on this below.

Secure HTTP

There is an important variant of HTTP called HTTPS. The “S” stands for “secure.” Data shipped via HTTPS is encrypted, and the identity of the site you are talking to is vouched for by a security organization. HTTPS used to be reserved for financial transactions, but now, with all the dangers of the network, HTTPS is encouraged for all traffic. When you see “https” in a web address, hackers have a hard time snooping on your data or faking a web site. HTTPS is especially important if you are on open public WiFi at a coffee shop or other public place.

Not too long ago, security experts used to say HTTPS guaranteed that a site was legitimate. That is no longer good advice. HTTPS is not a guarantee that a site is legit. Smart scamming hackers can set up fake sites with HTTPS security. You have to check the rest of the address for signs of bogosity. However, setting up a fake site with a legitimate address is still hard, so a good address with HTTPS is still a strong bet.

HTTP address “authority”

The part of the address following the “//” is the “authority.” Most of the time, the authority is a registered domain name. The authority section of a URL ends with a “/”. Notice that the slash leans forward, not backward. A backward slash is completely different. The “query” follows the forward slash. The query usually contains search criteria that narrow down the data you want retrieved and is often hard to interpret without specific information about the domain. You can ignore it, although sometimes hackers can learn secrets about a web site from information inadvertently placed in the query.

Domain extensions

In the above address, “marvinwaschke.com” is a domain name that I have registered with the Internet Assigned Numbers Authority (IANA). “.com” is the extension. In the old days, there were only a few extensions allowed: “.gov”, “.edu”, “.net”, “.com”, and “.mil”. They are still the most common, although many others, such as “.tv”, “.partners”, “.rocks” and country abbreviations, have been added.

You can use extensions as a clue. For instance, most established firms and organizations still use the old standbys. A web site with an “amex.rocks” domain is likely not the American Express you think it is. We all know that some countries harbor more hackers than others. If an address has an extension that is an abbreviation for a cyber rogue state, be careful.

Remember, these are clues, not rules. A street lined with wrecked cars and broken windows may be crime free, but more often than not, it is a dangerous neighborhood. The same applies to incongruous domain names. They could be safe, but there is a good chance they are not.

Authority subsections

The authority section is divided by periods (“.”s) and reads in reverse. The extension that immediately precedes the first forward slash is the most important. “.com” in “marvinwaschke.com” indicates that the marvinwaschke.com domain is in the vast segment of the internet made up of commercial ventures. “marvinwaschke” determines which commercial venture the address refers to. “www” indicates that the address points to the “www” part of the “marvinwaschke” venture. I could set up my website to have a “public.marvinwaschke.com” section or a “public.security.marvinwaschke.com” section if I cared to. The “www” is historically so common that most browsers will strip it off or add it on as needed to make a connection.

“Microsoft.marvinwaschke.com” only indicates that my web site has a section devoted to Microsoft. “Microsoft.marvinwaschke.com” has nothing to do with Microsoft Corporation. Hackers make use of this to try to fool you that “Microsoft.pirates-r-us.ru” is a Microsoft site. It’s not! Hackers are creative. Make sure that the right end of the domain name makes sense.

Email URIs

Email addresses are URIs that follow a different scheme but use the same domain name rules. Usually, email addresses drop the “mailto” scheme but they can always be fully written out like mailto://boss@example.com. If you see an address like captain@microsoft.pirates-r-us.ru you can be fairly certain that the mail did not come from Bill Gates.

Near miss URIs

A favorite hacking trick is to register a domain that looks real, but is just a little off. For example, micrasoft.com instead of microsoft.com. Keep an eye out for those little tricks.
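To make the right-to-left reading of the authority, the subdomain trick, the near-miss spelling, the odd extension, and the funny-character warning concrete, here is a small checker written for this post (it is an added example, not code from the post). The suffix list and the trusted brands are constructed stand-ins; a real tool would use the Public Suffix List. It also accepts email addresses written as mailto: URIs (RFC 6068 spells them mailto:user@host with no slashes, though the post’s mailto:// form is handled too).

```python
"""Added example: flag the URL tricks described in the post."""
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List ("extensions" in the post).
SUFFIXES = {"com", "net", "org", "gov", "edu", "mil", "ru", "co.uk", "rocks"}
OLD_STANDBYS = {"com", "net", "org", "gov", "edu", "mil"}
# Constructed list of brands we expect mail from, by registrable domain.
TRUSTED = {"microsoft.com", "paypal.com", "jpmorgan.com", "americanexpress.com"}


def split_host(host):
    """Read the host right to left: longest matching suffix, then one more
    label. Returns (registrable_domain, list_of_subdomain_labels)."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-part suffix such as co.uk before a one-part one
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-n - 1:]), labels[:-n - 1]
    return host.lower(), []


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url):
    """Return a list of warning strings; an empty list means no red flags."""
    parts = urlsplit(url)
    if parts.scheme == "mailto" and not parts.netloc:
        host = parts.path.rpartition("@")[2]       # mailto:user@host form
    else:
        host = parts.hostname or ""
    if not host:
        return ["no host name found (missing scheme?)"]
    warnings = []
    # Funny characters: accents, Cyrillic look-alikes, or an encoded xn-- label.
    if any(ord(c) > 127 for c in host):
        odd = ", ".join(unicodedata.name(c, "?") for c in host if ord(c) > 127)
        warnings.append(f"non-ASCII characters in host: {odd}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: the displayed name is not the real one")
    domain, subs = split_host(host)
    if domain in TRUSTED:
        return warnings                             # right end makes sense
    brand_names = {d.split(".")[0]: d for d in TRUSTED}
    # Trick 1: microsoft.pirates-r-us.ru -- the brand is only a subdomain.
    for label in subs:
        if label in brand_names:
            warnings.append(f"'{label}' is a subdomain of {domain}, not {brand_names[label]}")
    # Trick 2: micrasoft.com -- one or two characters off a trusted name.
    name, _, suffix = domain.partition(".")
    for brand, full in brand_names.items():
        d = edit_distance(name, brand)
        if 0 < d <= 2:
            warnings.append(f"'{name}' is {d} edit(s) away from {full}")
    # Trick 3: amex.rocks -- an extension established firms rarely use.
    if suffix not in OLD_STANDBYS:
        warnings.append(f"uncommon extension '.{suffix}'")
    return warnings
```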

When in doubt, Google it

When you see a link or address with a suspicious domain name, Google the domain name before you use the address. Most of the time, Google will pick up information on dangerous domains.

Look at every link with caution

The internet is all about grabbing your attention. Absurd promises abound that few people would take seriously after they took a moment to think. Losing weight is hard, wealth management is useless if you aren’t already accumulating wealth the hard way, and no miracle food will prevent cancer or make you a genius. Not all ads are scams, but don’t tempt fate by clicking on links that prey on impossible hopes.

Finally

Make a habit of looking at internet addresses. Often, a link on a webpage or in an email is text like “here”. Hackers hide bogus URLs under innocuous text. They also sometimes use a legitimate URL for the text and stick in a dubious URL for the real target. Like this: https://marvinwaschke.com If you place the cursor over a link or address, most browsers and email tools will display the working address in the lower left-hand corner of the window. Look at the address remembering all the cautions in this post. Does something look wrong? If so, use care. Try the two links in this paragraph to see what I mean. The habit of looking at addresses will make you much harder to hack than unsavvy computer users.
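The hover check in the paragraph above can be automated for an HTML email: compare the address a link shows you with the address it really points to. This is an added example, not code from the post; the email snippet is constructed, and the account-check.example host is a placeholder.

```python
"""Added example: find links whose visible text points one place and
whose href points somewhere else, the trick described in the post."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML email body for the example (not a real message).
SAMPLE_EMAIL = """<p>Your account needs attention. Review it at
<a href="https://paypal.account-check.example/login">https://www.paypal.com</a>
or read our <a href="https://www.paypal.com/help">help pages</a>.
Questions? Write to <a href="mailto:captain@microsoft.pirates-r-us.ru">support@paypal.com</a>.</p>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> we are currently inside
        self._text = []        # text pieces seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(address):
    """Host part of a URL, a bare domain, or an email address, lower-cased,
    with a leading 'www.' dropped so www.paypal.com and paypal.com agree."""
    address = address.strip()
    if "@" in address and "://" not in address:
        host = address.rpartition("@")[2]          # user@host or mailto:user@host
    else:
        if "://" not in address:
            address = "http://" + address          # bare domain in the text
        host = urlsplit(address).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_address(text):
    """Only link text that itself reads as a URL, domain, or email is compared."""
    return " " not in text and "." in text


def mismatched_links(html):
    """Return [(shown_text, real_href)] for links whose shown and real hosts differ."""
    collector = LinkCollector()
    collector.feed(html)
    return [
        (text, href)
        for href, text in collector.links
        if looks_like_address(text) and host_of(text) != host_of(href)
    ]
```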