Deciphering The Legitimacy of an Email: Sender and Receiver

Cybercriminals love email not only because it can be used to easily manipulate potential victims, but because it is also very easy to spoof.  Cybercriminals will set up fake email accounts and corresponding addresses in order to make the message appear to be legitimate.  Spoofed emails are difficult to identify without a careful examination of email message. Specifically the email “header.”

Each email message contains two “headers.”  The first is the visible header, which one can see at the top of any email message. The visible header contains the From,  To,  Date,  CC,  and Subject lines. We see visible headers everyday but never pay much attention to them. Spoofing is so easy that it does’t take a cybercriminal to manipulate  the message header to change the sender’s identify so an email looks like it is coming from someone else.

The second header is called the technical header and which I will discuss in my next post.

One way to begin deciphering the legitimacy an email is by reviewing the visible email header, starting the From: and  To: fields.

From: The Sender 

  • Do you recognize the sender’s email address? Carefully check the address since a bad guy can spoof an address similar to one you may be used to seeing. Check how the name is spelled since the address could contain one dropped or have additional characters.
  • Does the email appear to be sent from someone inside the organization but the subject and content unusual in some way? For example, a manager asking you to buy gift cards when they never asked you to do that before no do you have the authority to do so.
  • Does the sender’s email address look familiar but actually from a different domain then you are used to seeing? For example instead of Your_Boss@Your.Institution the messages comes as
  • Do you have no relationship with nor have had any past communications with the sender? These email cold calls may simply be “legitimate  SPAM” but may be nefarious in intent.
  • Is the message from someone you haven’t recently communicated with?
  • Is the message from someone who is a friend of a friend that you may know by name but never communicated with? Cybercriminals will often hack email addresses books and harvest such names.

To: The Recipient

Cybercriminals will send their email messages to a group of people in an attempt to get at least one to take the bait.

  • Is your address a CC on an email sent to one or more recipients you are unfamiliar with? If you don’t recognize the other recipients the criminal may have harvested an email address book from someone on which your name appears. Instead of sending individual emails they do an email blast.
  • Is there any pattern to the other the recipients such as all names starting with the same letter?

If there is any question about an email or a specific request pick up the phone and calling the person you think sent the message to confirm its legitimacy.

Deciphering The Legitimacy of an Email: The Message Header

Cybercriminals love email.  They love email not only because it can be used to manipulate potential victims but also because it is also very easy to “spoof.” Simply put, a spoofed email is one in which the address in the From field is not that of the actual sender. However, how often do we just scan our our email messages for specific names or subjects and just assume they are legitimate? Every.Single.Day. This is why the bad guys love email.

Identifying a spoofed email requires the careful examination of the  message, starting with the email “header.” Before we get into how to  examine a header it is important to understand how an email gets transmitted.

After you construct an email message and hit Send your email program (e.g. Gmail, Outlook) uploads the message to a SMTP (Simple Mail Transport Protocol) server, a computer that begins the process of transmitting the message to the intended recipient. Your message is the then relayed from SMTP server to SMTP server across the Internet to its final destination domain (e.g. .

When your message arrives at it’s destination domain it is stored in the recipient’s mailbox at an IMAP (Internet Message Access Protocol) or POP (Post Office Protocol ) server. This email server provides a temporary in-box where the message waits until it is fetched by an email program.

The information contained in the email header provides the details on where the message is coming from, and where it is going to, so all the servers can assist in the routing. Every email message contains two headers. The first is the visible header, which one sees at the top of any email message and contains the From,  To,  Date,  CC,  and Subject lines.

The second email header is called the technical header. The technical header is almost always hidden from view but can take a bit of digging in your email client to figure out how to make it visible. The information included in the technical header is all the – you guessed it – technical details required for routing of an email message.

Over the next few posts I will discuss details of the visible header and what to look for in the header to help decipher the legitimacy of an email. I will also discuss the technical header and how it is used by servers and SPAM filters to weed out illegitimate messages.

Deciphering The Legitimacy of an Email

Cybercriminals utilize a wide variety of tools and tactics. By far the most popular tool one is the use of email. Criminals like to use email in part since it is very easy to spoof an email and email address.  There are even free sites that let you send one-off emails using a spoofed or custom disposable email addresses.

However, much more importantly for the cybercriminal it is even easier to get the recipient to believe it is legitimate.

There are ways to help to decipher an email since most of the email tactics used by cybercriminals do leave traces that help in determining if the email has been spoofed. To uncover these traces one needs take some time to break down the message.

The basic email header contains information such as From, To, Date and Subject and the full header will contain detailed information about where the email came from and how it was routed. The body of the email and attachments can also help to provide additional traces that help to determine the email’s legitimacy.

Over the next series of posts I will be breaking down the content of an email to help to decipher the legitimacy.

Social Engineering and Cybercrime

At one time the name Kevin Mitnick was synonymous with the term “hacker.” In his 2002 book, The Art of Deception, Mitnick claims he did not use software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security. Instead, he compromised computers solely by using passwords and codes that he gained using strategies to get people to unwittingly divulge information, or file-less attacks. In 2017, 77% of US businesses were compromised due to attacks and exploits which similarly do not involve the installation of malicious software but also through file-less attacks.

Social engineering is an act of psychological manipulation of an individual into performing an action or divulging confidential information. Cybercriminals leverage social engineering by stalking individuals in the social world and manipulate somewhat predictable levels of trust and gullibility [1].  The techniques used by cybercriminals are based on specific cognitive biases attributes of human decision-making. These biases are exploited in various combinations in the creation of almost all attack techniques. [2]

Cybercriminals use social engineering tactics because it can be easier to exploit an individual’s natural inclination to be trusting than to spend time building software tools to break through firewalls and system security. In short, it is much easier for a cybercriminal to get someone into giving up their password than it is to try and hack their password. By crawling though social information shared by the target in online profiles and social media posts the cybercriminals can craft a custom strategy to manipulate them into divulging confidential information or even into carrying out their malicious attacks through influence and persuasion.



[1] Bosworth, Seymour, and Michel E. Kabay, eds. Computer security handbook. John Wiley & Sons, 2002. Chapter 19 “Social Engineering and Low-Tech Attacks” Karthik Raman, Susan Baumes, Kevin Beets, and Carl Ness.

[2] The Human Factors of Cyber Network Defense Robert S. Gutzwiller1 , Sunny Fugate1 , Benjamin D. Sawyer2 , & P. A. Hancock2 1 Space and Naval Warfare Systems Center Pacific 2 University of Central Florida 2015, Pages 113-122,

“Watering Hole” Cyber Crime Tactics

20 years ago cybercriminals only used a few techniques to lure in potential victims. One was sending an email with the subject line of “ILOVEYOU” which contained an attachment that was a virus/worm which infected the user’s machine.  The second was sending messages sent from from a Nigerian prince, who offers a share of a huge investment opportunity and then asks for your bank account number so they can transfer the money to you for safekeeping –  for a small advance payment to cover the transfer expense.

Over the past two decades Cybercriminals have gotten very sophisticated in their tactics. One methodology targets specific individuals in an organization to unknowingly allow the criminal to gain access to the organization’s computer network. The tactic called the “watering hole” attacks an organization by compromising a web site that the target would generally trust – a watering hole.

To be able to identify a watering hole to bait the criminal first needs to deploy any number of commonly used tracking tools, like KISSmetrics or AddThis, to see which web sites are being accessed by the employees of an organization. This gives the criminal a map of the sites for them to target vulnerable sites for infiltration, those which don’t have strict security. The criminal then plants malicious code on the watering hole site and simply waits for users to revisit the site(s).

Once users begin visiting the watering hole their device is scanned to look for known security vulnerabilities. Any device identified as having a vulnerability the criminal uses the “drive-by” downloading technique, meaning the criminal doesn’t even need to have the visitor click on a link or download any files. Instead, malicious code like Remote Access Trojan (RAT) is downloaded in the background. When the code is run it scans for additional vulnerabilities with an exploit code deployed that carries out the real intended network attack is delivered an executed.


Blood Sucking Hackers

On June 3rd, Quest Diagnostics filed a report with the Security and Exchange Commission (SEC) stating that  it was notified on May 14th that between August 1, 2018 and March 30, 2019 an unauthorized user access to American Medical Collection Agency (AMCA) system that contained information received from various entities, including Quest Diagnostics. The information included credit card numbers and bank account information, medical information and other personal information of approximately 11.9 million people.

The very next day LabCorp filed a similar brief with the SEC stating that the AMCA informed them that it is sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed.

AMCA is third-party collection agency that stores information such as first and last names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of services, health care provider information, and the amount customers owe. The information AMCA received comes from a company called Optum360,  a revenue cycle management provider. No information about lab results is passed on to the AMCA. Both Quest and LabCorp have suspended business with the AMCA.

The question most consumers are probably asking themselves is when they will be notified. Right now there is a lot of finger pointing. The laboratory companies systems were not breeched and neither were Optum360’s. The challenge is that while those companies appear to be committed to keeping all relevant parties informed the AMCA has not given them any specific information about the individuals impacted.

Are Your Online Activities Being Tracked? (Spoiler: Yes)

Ever do a search on Amazon and then have the same exact product you were looking at pop-up as an ad on a web or social media site? The reason this happens is in part to the fact that most Internet web-based services and Internet service providers actively monitor your network traffic.

This is not as nefarious as it seems but your browsing habits are for sale and are highly valued by retailers and marketing companies. Very often an individual actually has consent to some level of  tracking by simply agreeing to use a service. Still, there are ways you can limit what information about your online habits that your web browser is exposing.

One quick way is by using the Electronic Frontier Foundation’s (EFF), a San Francisco-based digital-rights advocacy group, site called Panopticlick.  This site evaluate’s your web browser’s privacy quickly and non-invasively and then provides suggestions on how to limit the about on information which is leaking out.

The EFF provides a description of  Panopticlick in a blog post. What Panopticlick does is to check your browser for four types of browser security. Does the browser:

  1. Block tracking ads, which harvests information from your browser without consent.
  2. Block invisible trackers, which are protocols sites implement to harvests user data, again without consent)
  3. Allows ads and scripts from third parties.
  4. Blocks fingerprinting, which identifies a user based on unique browser data.

While there are plenty of browser exertions out there that help to block trackers, the EFF promote their Privacy Badger. It should also be noted that Panopticlick site only scans for those security issues the Badger mitigates. Still, using the EFF scanning service and the extension is a great start to better privacy!

Credit Freezing and Unfreezing: Now Free!

When Equifax was hacked a while back there was social media outrange when their solution was for individuals to freeze their credit reports. The issue? They would change the individual a fee to freeze your credit report and then another to unfreeze.  The Economic Growth, Regulatory Relief and Consumer Protection Act enacted in May 2018 had the hidden benefit that it is now free in every state to freeze and unfreeze your credit file and that of your dependents.

If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.

Individuals much contact each of the three major credit bureaus to file a freeze/unfreeze request:

Equifax Freeze Page


By Phone: 888-909-8872

What is Multi-Factor Authentication?

The traditional method for accessing online systems is through the use of a login name and password. An active online user may have hundred login / password sequences to remember. Trying to remember of those sequence inevitably leads to people using the same login and password sequence or writing them down somewhere.  Sometimes over, and over, and over again. Once could call this single-factor authentication since one only really needs to remember the password associated with an email address.

The problem with single-factor authentication is that to remember passwords people generally use stuff they know like people’s names, dates, etc. This puts a person at risk since if the credentials for one account are discovered then access to multiple online accounts is a click or two away. To help individuals protect their online accounts an increasing number of providers have implemented alternative authentication methods.

Multi-factor authentication is a method of confirming a user’s identity only after successfully presenting two or more pieces of information from independent categories of credentials  – factors – as a way to confirm their identity. These factors may include knowledge (high school mascot?), a possession (a phone to call), and inherence (biometric info like a fingerprint).

Two-factor authentication is the more commonly use subset of multi-factor utilizing a combination of only, you guessed it,  two factors. An everyday example of two-factor authentication is using an ATM. ATM’s requires a correct combination of a bank card (a possession) and a PIN (knowledge) to allow a transaction. A popular two-factor approached used online involves sending a unique code to the phone paired with your account or using a code generator like Duo.

To protect oneself one should take advantage of two-factor and multi-factor authentication if an online provider uses them. They are reliable methods of verification. If neither are available, consider using a Pass Phrase rather than a simple password



Ransomware is a fast growing cybercrime. The most common ransomware technique involves locking your computer to prevent you from accessing it until you pay a ransom. While this digital extortion racket is not new, cybercriminals have improved on how the scheme works with the creation of cryptware, which encrypts the files on the computer using a private key that only the attacker possesses.

The beginnings of ransomware could be traced to floppy disks being sent to individuals inviting them to take a survey assessing their risk of contracting AIDS. When the disk was inserted, its software locked their computers and demanded $189 in cash be sent to a P.O. box in Panama.

Ransomware victims range from large corporations, to hospitals, small and medium enterprises, to individuals.

Instead of a single or group of cybercriminals writing ransomware and distributing it themselves, ransomware authors will open their code for use by other cybercriminals. According to a McAfee-CSIS report more than 6,000 illegal online marketplaces now sell ransomware products and services, offering more than 45,000 different products! Ransomware-as-a-Service (RaaS) allows authors to set up platforms where others can modify and deploy to their own targets.

Rather than attacking just one device, ransomware worms are self-replicating viruses that embed themselves into parts of a device’s operating system that are run automatically.  The worms work their way through networks to lock out many more computers than just the initial target. The WannaCry incident showed how these worms work, and it is likely that we will see more attacks like this.It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.