Author’s Note: This was first posted on the Classic and Cozy blog, but the subject is important, so I’m reposting it here.
It’s a jungle out there…and in here, too. I’m talking about the Internet, and right now, email specifically. You just can’t be too careful when dealing with email.
Because I’m both an author and a web designer, my main email address is pretty well-known across the Internet. Certainly the spammers and scammers know about it. I currently get 20-30 spam emails a day. Most of them are annoying, but pretty innocuous, trying to sell me goods or services I don’t need. The weight loss tips, get rich quick schemes, special tools, prescription drug, and great rates on shipping from China offers are aggravating mostly by their sheer bulk.
But some of them are less innocuous. By now the Nigerian prince or defecting diplomat scheme is so well-known as to be the butt of numerous jokes. But people fell for it. Plenty of them. And, having seen the amount of money to be made, the schemers and scammers have moved on to more sophisticated tricks.
For a while I got five or six notices a day from various banks that I had an urgent message and needed to log into my account. Generally poor grammar and wording were a dead giveaway that those messages didn’t really come from their supposed senders, along with the fact that I didn’t actually have an account at any of those banks.
The first time I got an email purporting to be from one of my web clients saying she’d been mugged in some foreign country and needed help, I was both concerned and suspicious. I hadn’t heard of this scheme, so I actually responded with a request for more information. The reply I got was so unlike my client, I knew it was a scam and ignored all further emails related to it. I later got four more versions of that scam relating to other friends or clients.
The scammers are getting better at it, though. The emails telling me I’ve won a $50 gift certificate from Amazon look very legit. The messages saying there is a problem with my Paypal account carry the Paypal logo and are nicely worded. It’s only when you put your cursor over the link to see where it’s really going that you can tell they’re trying to get you to enter your Amazon or Paypal login credentials on a page that most definitely isn’t attached to either site.
Any attempt to get someone to click on a bad email link or open a malware-laced document is generally called a Phishing attack. But it gets worse. What are sometimes called “spear-Phishing attacks,” where the link or attached document is tailored to a specific environment, can cause an unfortunate click to produce widespread devastation.
I’ve gotten emails purporting to be business documents from a co-worker. I don’t work in a corporate environment, but if I did, an email from firstname.lastname@example.org claiming to have a spending report attached might trick me into opening it or clicking on a link.
Those are perilous emails because a click on a bad link or document can give hackers access to an entire corporate network. Thousands of businesses have been hit with ransomware attacks. The city of Atlanta’s computer network was shut down for weeks when held for ransom. My local church’s computer system was also disabled for several days due to ransomware. Those attacks can almost always be traced back to someone clicking on a bad link or opening a document containing malware. The infamous hacking of the Democratic party started with a Phishing attack.
A few days ago, though, I got an email that topped all the others for me personally in terms of the general nastiness of the scam. It was basically a blackmail attempt. It said that I’d visited a porn site and while I was there, the sender had installed malware on my computer, turned on my web cam, caught me in a compromising action on the camera, stolen all my contacts information and would send the video to all of them if I didn’t pay their demand of sending 3,000 Bitcoin to the sender.
I’m an author. I do research all over the web, including some of its shadier corners. I’ve probably even been to a porn site a time or two, though I tend not to linger in such places. Otherwise I knew that the rest was pretty much impossible (in my case), so I didn’t take the threat very seriously. I suppose there are people for whom some of this might be a real possibility and such a note would worry them.
What did actually give me pause was that the subject line contained my name and an old password I once used in a couple of places. I imagine the sender got that from somewhere on the dark web, where all sorts of hacked data, including some from famous huge data breaches like the Yahoo and Equifax debacles, is available for sale. And don’t kid yourself. Your information is up there somewhere, too.
I no longer use that password, and haven’t for some time, but this was a good reminder of why you should never use the same password in different places and why it’s a good idea to change those passwords occasionally.
Apparently I wasn’t alone in receiving this email, according to this article I found, which echoes the conclusions about it I came to about it:
Stay safe, my friends!
Some email safety tips:
• Don’t open emails from unknown sources.
• Never, ever open an attachment unless you’re very sure of what it is and who sent it to you.
• Keep automatic open of attachments turned off in your email program.
• Don’t click on links in emails unless you’re very sure of what it is. Remember that your friends’ email accounts can be hijacked, and spammers can spoof the names and email addresses of people you know into the “From” field.
• Any time you get an email from a bank or financial institution saying you have a message, don’t click the link. Go to the institution’s site and log in. If the message is legit it will be posted to your account.
• Keep your computer’s virus protection up to date.
• Don’t log into your email account on open, public wi-fi.
• Change all of your passwords periodically and never use the same one at two different places.