Email Spoofing – 2018’s Purloined Letter?
Recently, I received an email purportedly from a trusted colleague. It said, “Open this investment portfolio, review it, and get back to me.” While the individual and I have a refreshingly direct relationship, the missive sounded brusque. So, I allowed my cursor to hover over her name. Lo and behold, the underlying email address was revealed, and it was not hers! Alarmed, I contacted both my friend and our firm’s technology consultant, True North Networks. My colleague and I were unhappy and worried, but I quickly learned that we were not hacked, instead, we were spoofed. Being “hacked” means a wrongdoer has gained entry into your computer system, has the ability to steal your private information, and generally wreak havoc in your life. Being “spoofed” or “phished” means someone is using your name and pretending to be you to cause an email recipient to click on a link or an attachment. The spoof or phishing attempt is designed to trick the email recipient into divulging personal information, or worse, directly hack into the recipient’s computer system to plant malware or a lovely virus. Since I had not clicked on the attachment, I could end the problem then and there by deleting the email.
To our chagrin, we learned that there is little to be done to prevent email spoofing attempts, short of traveling back in time and joining Thoreau at Walden Pond. As tempting as that solution might be, it is not a feasible way to live in 2018. As True North said, “Unfortunately this type of spam, called spoofing, is impossible to control and there is little to nothing you can do about it. It is becoming a much more common method of choice [for wrongdoers to lure people into difficult situations] and we see it on a daily basis with many of our clients.” Our True North representative assured us, “I also spent some time reviewing the email settings for Deighan.com to ensure you had an SPF (Sender Policy Framework) record in place as this is one of the recommended ways to combat spoofing emails. You do have this in place and it is being recognized.” An SPF record isn’t a cure-all, but rest assured that we have taken all of the steps we can to protect your privacy. She went on to suggest that we warn clients to be sure to first determine that emails come from a true and trusted source before opening attachments, and that is the point of this missive.
Communication spoofing is not new. It goes back as far as the written word. Consider Edgar Allen Poe’s famous short story, The Purloined Letter, published in 1844. In the story, Dupin, the detective protagonist was charged with finding a hidden letter with contents that would be damaging to an unnamed woman. Dupin, ever on his toes, spotted the blackmail letter, cleverly disguised, but hidden in plain sight. He retrieved the letter before it could be published, saving the day for the British Queen. Similarly, unexpected emails that purport to be from trusted sources, should be viewed with healthy suspicion. If you are not expecting the email, contact your friend, advisor, or colleague by phone, text, or using a trusted email address to be sure it is from them. If it is not from them, delete the email to avoid being hacked.
If you do make a mistake and click on a spoofed email attachment, there are steps you can take to help protect yourself. We found useful the advice in an article written by Carrie Kerskie, “5 Steps to Take After Clicking on a Phishing Link”. A link to the full article is provided at the end of this post where you can not only see the article, but practice your mouse hovering skills to reveal the link’s destination before clicking on it!
We recommend you read the article in full, but we have posted important excerpts below:
- Disconnect Your Device: The first thing you need to do is immediately disconnect the device from the Internet.
- Backup Your Files: Now that you are disconnected from the Internet, you should backup your files. Data can be destroyed or erased in the process of recovering from a phishing attack.
- Scan Your System for Malware: Whom you choose to carry out the next few steps depends on your level of technological expertise. If you are not very tech savvy, I suggest you take your device to a professional to have it checked for malware.
- Change Your Credentials: Malware may be used to harvest sensitive information, including online usernames and passwords, credit cards numbers, bank account numbers, and other identifying information. If you think you have been tricked into acting on a phishing message, change your online credentials immediately. This applies to all online accounts—email, online banking, social media, shopping accounts, you name it. Do not make the mistake of using the same username and password for all of your online accounts. This makes it easier for criminals to steal your identity and access funds.
- Set up a Fraud Alert: Contact one of the major credit bureaus and ask for a free 90-day fraud alert to be placed on your credit report. This may seem like overkill, but it is better to be safe than sorry. The three major bureaus are Experian, Equifax and TransUnion. Once you have notified one of these bureaus, they are required by law to notify the other two on your behalf. This will make it more difficult for fraudsters to open new accounts in your name.
Ms. Kerskie warns us to always proceed with caution since email spoofing has become a “dangerous, yet unavoidable, threat in the digital age.” She echoes True North’s advice saying “Your best protection is to err on the side of caution and use the “delete” button on emails that seem sketchy. Remember, a legitimate organization or business will never ask you to share sensitive, personal information via insecure channels like email, text or pop-up messages. If the message is truly important, the sender will attempt to contact you through verified methods like telephone or snail mail.”
It is tempting with the recent Facebook headlines, the Experian data loss, and other sordid tales of Internet based privacy loss to cut off all ties and rely on hand deliveries and snail mail. However, we do not believe this is the best answer since technological advances will never retreat. To revert from a digital to an analog society is like asking the machine age to disappear, or to choose the horse and buggy over the automobile forgetting all of the dung produced by our equine friends until we step into a pile with our satin shoes. For good and for ill, technology has made formerly simple acts that took a lot of time and effort permanently faster and far more powerful. Consequently, we must rely on and constantly refresh our most powerful root defenses: our brains, our processes, and our common sense to protect us. In the meantime, at Deighan Wealth Advisors, we will remain vigilant and do all we can to stay ahead of the race, and protect your privacy.
Link to full article referenced above at AgingCare.com by Carrie Kerskie, “5 Steps to Take After Clicking on a Phishing Link”: