In this blog, our partners at East Midlands Special Operations Unit (EMSOU) outline different techniques for protecting email accounts from cyber criminals.
Supposedly, the first email ever sent was in 1971 by Ray Tomlinson, the engineer who invented the email program on the ARPANET system.
He sent the message to himself and received it on a computer sitting right next to him! Since then, it is estimated that over 340 billion emails are sent daily, completely changing the way we live, work and communicate.
Why hackers want to take over your email account:
Unfortunately, your email account is like the winning lottery ticket for a cyber criminal. This is because:
1. A hacker can monitor your emails over a period of time and then – when they understand the lay of the land – they can write emails masquerading as you. Unsuspecting recipients will then fall for any elaborate con the hacker can dream up.
2. You can use an email address to request a password reset for other accounts. As such, your shopping, social media, utilities and even financial accounts are at serious risk of compromise.
Why hackers want to send you malicious emails:
These days, it is very hard to spot malicious emails. They often look like the real McCoy, sound like the real McCoy and use clever psychological tricks to socially engineer the recipient into taking actions they would not normally consider.
The hacker writes an email containing a malicious link. The link will encourage you to visit a fake website. When you enter your credentials to log in, the cybercriminal captures them.
The hacker writes an email containing a malicious link. The link encourages you to visit a poisoned website. The website scans your computer for vulnerabilities, and if found, downloads a harmful program onto your device, often giving the hacker remote access.
The hacker writes an email containing a malicious attachment. When you open the attachment, the code runs and infects your device. This code might plant a virus, encrypt your data or plant a backdoor.
And it gets worse....
Many malicious emails work because they are sent to thousands of people simultaneously. The hacker, therefore, is relying on someone, somewhere, falling for the con – which is fairly inevitable.
That being said, it doesn’t require much effort to make the emails even more potent. For example, your digital footprint – especially your social media accounts, often give hackers enough ammunition to make the email sound more credible.
o LinkedIn: announces your job history; where you were educated, what school you went to, your academic achievements, associations you are involved in and the people who endorse your skills.
o Facebook: Gives me your favourite movies; the clubs you belong to, your friends, your family vacations, your favourite foods, places you've lived and much more to boot.
o Twitter: Tells me what you are doing right now, your opinions and emotional state.
Many emails also use scare tactics to encourage you to respond quickly and without thought. This is why threats from so called ‘official organisations’ are so successful.
1. Strong passwords: An email account should always be protected with a lengthy password - perhaps 3 random words separated by numbers or special characters. This is because email accounts are often so instrumental in the creation and maintenance of other online accounts.
2. Two-Factor Authentication (2FA): Usernames and passwords require us to 'know something' but we can prove who we are by 'having something' too, such as a pin sent to our phone. When we protect accounts with something we know and something we have, we are using 2 factor authentication. This is incredibly secure and should be used wherever possible. Even if your password is compromised, your accounts are probably safe. See here for more.
3. Mind your digital footprint: How often have you ever researched your own name in a popular search engine? Always consider carefully what is publicly available and how that information may be used by others. Most online accounts have privacy settings and it pays to be familiar with them.
4.Train yourself to identify fake emails. This starts with the basics, such as:
o Spelling and grammar
o Tone, vocabulary and other tell tale idiosyncrasies
o Factual inconsistencies
o Changes to the 'From field'. This is probably the most important clue as to whether the email is fake. Be especially careful of transposition errors (bbc.co.uk not bcb.co.uk) and slight changes in spelling.
o Always be sceptical of urgent and hurried requests to transfer money. Verify those requests either by phone or in person.
5. Independently verify: Do not use the details from within the message to verify if the communication is authentic and reliable. Instead, seek out an authoritative representative from the organisation by other means.
Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).