Deciphering The Legitimacy of an Email: Sender and Receiver

Cybercriminals love email not only because it can be used to easily manipulate potential victims, but because it is also very easy to spoof. Cybercriminals will set up fake email accounts and corresponding addresses in order to make a message appear to be legitimate. Spoofed emails are difficult to identify without a careful examination of the email message, specifically the email “header.”

Each email message contains two “headers.” The first is the visible header, which one can see at the top of any email message. The visible header contains the From, To, Date, CC, and Subject lines. We see visible headers every day but never pay much attention to them. Spoofing is so easy that it doesn’t take a cybercriminal to manipulate the message header and change the sender’s identity so an email looks like it is coming from someone else.

The second header is called the technical header, which I will discuss in my next post.

One way to begin deciphering the legitimacy of an email is by reviewing the visible email header, starting with the From: and To: fields.

From: The Sender 

  • Do you recognize the sender’s email address? Carefully check the address, since a bad guy can spoof an address similar to one you may be used to seeing. Check how the name is spelled, since the address could have one character dropped or additional characters inserted.
  • Does the email appear to be sent from someone inside the organization, but the subject and content are unusual in some way? For example, a manager asking you to buy gift cards when they have never asked you to do that before, nor do you have the authority to do so.
  • Does the sender’s email address look familiar but actually come from a different domain than you are used to seeing? For example, instead of Your_Boss@Your.Institution the message comes from Your_Boss@yahoo.com.
  • Do you have no relationship with the sender and no past communications with them? These email cold calls may simply be “legitimate SPAM” but may be nefarious in intent.
  • Is the message from someone you haven’t recently communicated with?
  • Is the message from someone who is a friend of a friend, whom you may know by name but have never communicated with? Cybercriminals will often hack email address books and harvest such names.

To: The Recipient

Cybercriminals will send their email messages to a group of people in an attempt to get at least one to take the bait.

  • Is your address a CC on an email sent to one or more recipients you are unfamiliar with? If you don’t recognize the other recipients, the criminal may have harvested an email address book in which your name appears. Instead of sending individual emails they do an email blast.
  • Is there any pattern to the other recipients, such as all names starting with the same letter?

If there is any question about an email or a specific request, pick up the phone and call the person you think sent the message to confirm its legitimacy.
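The From: and To: checks above can be applied mechanically to a raw message before a person ever reads the body. The following is an added example, not code from the original post: it uses Python’s standard `email` library to pull the visible header fields out of a message and flag the same things the checklist asks about (an unrecognized sender, a familiar display name on an outside domain, a domain that is one character off from the organization’s, a blast to several strangers, and recipient names that all start with the same letter). The organization domain `your.institution`, the `KNOWN_CONTACTS` address book and the sample messages are all constructed for illustration.

```python
"""Review the visible header (From / To / Cc) of a raw email message.

Added example, not from the original post. ORG_DOMAIN, KNOWN_CONTACTS and
the sample messages below are constructed for illustration only.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "your.institution"          # hypothetical organization domain
KNOWN_CONTACTS = {                       # constructed address book: address -> display name
    "your_boss@your.institution": "Your Boss",
    "colleague@your.institution": "A Colleague",
}


def _within_one_edit(a, b):
    """True if a and b differ by exactly one dropped, added or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):       # a has an extra character
            i += 1
        elif len(b) > len(a):     # a dropped a character
            j += 1
        else:                     # same length: one character changed
            i += 1
            j += 1
    # any leftover tail counts as one more insertion/deletion
    return edits + (len(a) - i) + (len(b) - j) == 1


def review_visible_header(raw_message, org_domain=ORG_DOMAIN, known_contacts=KNOWN_CONTACTS):
    """Return a list of findings for the visible header; an empty list means nothing looked odd."""
    msg = message_from_string(raw_message)
    findings = []

    # --- From: the sender ---
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    if sender not in known_contacts:
        findings.append(f"unknown sender: {sender or '(missing)'}")

    # Familiar name, unfamiliar domain (Your_Boss@yahoo.com instead of Your_Boss@Your.Institution)
    known_names = {name.lower() for name in known_contacts.values()}
    if display_name.lower() in known_names and sender_domain != org_domain:
        findings.append(f"display name '{display_name}' is a known contact but the address is at {sender_domain}")

    # Look-alike domain: one character dropped, added or changed compared with ours
    if sender_domain and _within_one_edit(sender_domain, org_domain):
        findings.append(f"look-alike domain: {sender_domain} vs {org_domain}")

    # --- To / Cc: the recipients ---
    recipients = [addr.lower() for _, addr
                  in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    strangers = [a for a in recipients
                 if a not in known_contacts and not a.endswith("@" + org_domain)]
    if len(strangers) >= 3:
        findings.append(f"{len(strangers)} recipients you do not know (possible address-book blast)")

    # Pattern in the recipient list: every address starts with the same letter
    initials = {a[0] for a in recipients if a}
    if len(recipients) >= 3 and len(initials) == 1:
        findings.append(f"all {len(recipients)} recipients start with '{initials.pop()}' (harvested list?)")

    return findings


# Constructed sample: familiar boss name on a webmail domain, gift-card ask, blast to strangers
SAMPLE = """\
From: Your Boss <your_boss@yahoo.com>
To: alice@example.net, anna@example.org, arthur@example.com
Cc: amy@your.institution
Subject: Quick favor - gift cards
Date: Mon, 01 Jan 2018 09:00:00 +0000

Are you in the office? I need you to buy some gift cards for a client.
"""

if __name__ == "__main__":
    for finding in review_visible_header(SAMPLE):
        print("-", finding)
```

Run as a script it prints the findings for the constructed sample; in practice you would feed it the raw text of a saved `.eml` file. The checks are deliberately simple heuristics that mirror the questions above, not a substitute for the SPAM filter and the phone call the post recommends.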

Deciphering The Legitimacy of an Email: The Message Header

Cybercriminals love email. They love email not only because it can be used to manipulate potential victims but also because it is very easy to “spoof.” Simply put, a spoofed email is one in which the address in the From field is not that of the actual sender. However, how often do we just scan our email messages for specific names or subjects and assume they are legitimate? Every.Single.Day. This is why the bad guys love email.

Identifying a spoofed email requires the careful examination of the message, starting with the email “header.” Before we get into how to examine a header it is important to understand how an email gets transmitted.

After you construct an email message and hit Send, your email program (e.g. Gmail, Outlook) uploads the message to an SMTP (Simple Mail Transfer Protocol) server, a computer that begins the process of transmitting the message to the intended recipient. Your message is then relayed from SMTP server to SMTP server across the Internet to its final destination domain (e.g. gmail.com).

When your message arrives at its destination domain it is stored in the recipient’s mailbox on an IMAP (Internet Message Access Protocol) or POP (Post Office Protocol) server. This email server provides a temporary in-box where the message waits until it is fetched by an email program.

The information contained in the email header provides the details on where the message is coming from and where it is going, so that every server along the way can assist in the routing. Every email message contains two headers. The first is the visible header, which one sees at the top of any email message; it contains the From, To, Date, CC, and Subject lines.

The second email header is called the technical header. The technical header is almost always hidden from view, and it can take a bit of digging in your email client to figure out how to make it visible. The information included in the technical header is all the – you guessed it – technical details required for routing an email message.

Over the next few posts I will discuss details of the visible header and what to look for in the header to help decipher the legitimacy of an email. I will also discuss the technical header and how it is used by servers and SPAM filters to weed out illegitimate messages.

Deciphering The Legitimacy of an Email

Cybercriminals utilize a wide variety of tools and tactics. By far the most popular is email. Criminals like to use email in part because it is very easy to spoof an email and an email address. There are even free sites that let you send one-off emails using a spoofed or custom disposable email address.

However, much more importantly for the cybercriminal, it is even easier to get the recipient to believe a spoofed email is legitimate.

There are ways to help decipher an email, since most of the email tactics used by cybercriminals leave traces that help in determining whether the email has been spoofed. To uncover these traces one needs to take some time to break down the message.

The basic email header contains information such as From, To, Date and Subject, and the full header contains detailed information about where the email came from and how it was routed. The body of the email and its attachments can also provide additional traces that help to determine the email’s legitimacy.

Over the next series of posts I will be breaking down the content of an email to help decipher its legitimacy.

Getting SPAM Texts? Forward them to 7726

Text messaging is a growing tool for marketers. Many texts are legitimate and originate from service providers you may have given your number to. However, the number of SPAM text messages appears to be growing rapidly. According to the Federal Trade Commission, “It’s illegal to send unsolicited commercial messages to wireless devices, including cell phones and pagers, unless the sender gets your permission first.” The same holds true for text messages that are sent by robo-callers.

If you’re receiving random messages from unknown numbers or entities it is probably illegal SPAM from someone phishing for information and trying to scam you. So, what can one do?

Report to your carrier

A little-known service provided by most cell carriers is SPAM reporting. On an iPhone, select the spam message by holding it down with your finger. A menu will pop up. In the lower right, select More and then the arrow icon. This will create a new message that can be forwarded. On almost all carriers, forward the message to 7726. Make sure to copy the phone number that sent the message, since an auto-reply may ask for it as well. Why 7726? It spells SPAM.

Block numbers

On an iPhone, go to the offending text and press the “i” in the upper right-hand corner. That is where you will find the option to Block the number. There is no way for the robo-callers to know you’ve blocked them, so they can send all the messages they want. There is one caveat. The blocked number can still leave a voicemail, but you won’t receive a notification. You may notice voicemails piling up on you.

Resist the urge

You may feel the urge to reply to a SPAM text. Maybe you want to tell them how you feel. Maybe you love practical jokes and you want to mess around. Don’t. Don’t even respond to their request that you reply “NO” to stop their messages. Engaging the sender in any way will make the problem worse.

*Don’t Press 1*: Neighbor Spoofing

Odds are this HAS happened to you.

A call comes through on your phone. The caller ID shows it is coming from the same area code AND the same first three digits as your phone number. Your first thought is that it has to be a neighbor or someone in the community calling. Sometimes it is YOUR number calling you!

https://www.flickr.com/photos/mag3737/5982743771

However, when you pick up it isn’t a neighbor. Far from it. It turns out to be someone selling an exclusive vacation deal – just “Press 1” and you will get a fantastic price! This technique, called neighbor spoofing, uses an automated robocaller that generates a fake caller ID number that almost matches your number. It is an illegal activity designed to trick you into picking up and responding to questions, in an attempt to get you to give out or confirm personal information.

A robocall is a pre-recorded automated call, usually for telemarketing purposes. While some robocalls are legitimate (emergency weather alerts), many calls can be predatory or deceptive. In August 2017, the FTC issued a warning to Hurricane Harvey victims about a flood insurance scam in which homeowners were advised that their flood premium was past due. According to the Robocall Index, maintained by YouMail, 2.6 billion robocalls were placed in July 2017 alone! The FTC reports that robocalls are the top complaint received by the agency.

On the Do Not Call list? It doesn’t matter. The scammers are engaging in illegal activity, so why would they obey the registry? What can you do? Unfortunately, the scammers will keep calling. But following the first two suggestions below is important in trying to reduce the number of calls.

Don’t Answer

When one sees a number they think belongs to a neighbor, the first reaction is to answer, since there may be a problem! However, simply answering such a call thinking it is a neighbor may subject you to even more calls. There is an underground market for the phone numbers of individuals who pick up or respond to questions. Numbers on such lists are used by robocallers with increased frequency.

Don’t Respond or Confirm

If you do pick up and you can tell it is a robocall, hang up right away. Do not engage the caller and certainly do not respond to any requests to press additional numbers. DON’T PRESS 1. Pressing any number, even if it is responding to their suggestion that doing so will take you off their list, only confirms your number is active and that they reached a live person.

Some people love to engage telemarketers for entertainment, but doing so may actually put you on their “call frequently” list.

Do Block

There is a reason it is called “spoofing.” It prevents you from knowing where the call is really coming from. It may be coming from out of the country! One approach is to block a particular number. However, by the time you do that the same scammers have probably moved on to a different number. While it does take a bit of work and is annoying, you could systematically block callers, even though it will seem like a finger-in-the-dike approach.