ROUGHLY 69 PERCENT OF SPAM EMAILS ATTEMPT TO TRICK USERS INTO VISITING A MALICIOUS URL [6] – F-SECURE
Back in the middle of summer 2017 in a quiet suburban housing estate in the South East of England, it was just a normal weekend. The temperature was in the high 20s, the windows on the rows of detached houses were open with the sun beating down against the background sound of muted chatter and distant music. A couple was enjoying the first settled summer in their forever home, after a year of having really got to grips with making it their own.
Having decorated indoors over the winter, the next step was to tackle the garden and they had an agreement in place with a groundworks company to redo the patios, put in a new pergola and change the overall layout. The work was due to start the following week ahead of a small party they had planned.
The weekend gradually faded into Monday morning, whereupon the couple were greeted by an email from the contact at the company that would be doing the work. It requested a bank transfer for half of the agreed fee to ensure the deal and allow for purchase of the necessary materials. The email included the account details to arrange the BACS transfer into. Having had numerous email conversations with his contact, they thought nothing of this process, which seemed perfectly standard, and transferred the money.
The landscaping team arrived at the house as planned and the work was completed by the following Friday. The couple transferred the remaining money on the Sunday after the work was completed and texted the contractor to let him know the money had been transferred and he should see it by Monday morning. On Monday evening, the contractor called to say he hadn’t received anything and also asked how the money was transferred, as he hadn’t sent bank details. Shocked, the couple brought up the email that requested half the fee at the project outset. Unfortunately, the contractor responded that his standard process was always to be paid in full upon completion of a job and never to request money up front for materials. Perplexed, both sides met up the next day to review the emails and transaction details as something was clearly wrong. It became apparent that the original email requesting funds was not sent by the contractor and these were not the details of the business’ bank account. You’ve probably realised by now that his email account was hacked and that fateful email was, of course, fraudulent.
There is a lot more to this story and we’ll come back to the consequences for both the couple and the contractor later in the chapter. But first, let’s revisit the question asked in the chapter title – my email’s been hacked, it’s no big deal, right? Wrong. It could be a very big deal, not just for you but for your contacts as well, who may receive emails from someone else that they believe is you. It’s also a misconception for some (certainly in this case for the contractor) that someone would need physical access to your phone or computer to hack your email. This is incorrect: for the vast majority of email accounts all that’s required is a username and password to access it from anywhere.
We’ll look at this in the next chapter on passwords, but the bottom line is that most of us will have had an email account hacked at some point in our lives whether we know it or not. The consequences could have been minimal – for example, you may have spotted a suspicious login and changed your password. Moving up in the threat level stakes, you could have had malicious links spammed out to your contacts without your knowledge. I would suggest that many of your contacts likely wouldn’t have clicked on suspicious links like this, but some will have (although hopefully awareness is reasonably widespread that an email that contains only a link is suspicious). Beyond this, every once in a while, the consequences of a hacked email can be dire and lead to much more serious financial impacts as in the case of this couple.
So, how does your email get hacked? Well, one of the most common ways is through a nefarious actor getting hold of your login details through some method or other – again I’ll discuss the issue of stolen login details in depth in the next chapter on passwords. The other very common way for your email, and many other personal details, to be compromised is through a phishing attack (both of these are not only a risk for email, but for all other accounts you hold online with similar login methods). As you know this book is not about getting into the technical details of cyber-attacks and cybersecurity, so the best way I can explain phishing is that an attacker will send you an email purporting to be from a person or organisation you trust, asking you to click on a link and/or provide some personal details which they can then make money from in some way.
For example, I use PayPal for online payments sometimes. A couple of years ago I received an email from a sender titled PayPal.Inc Security Center. The email was entitled “You sent a payment of £71.77 GBP to FarmVille”. Now I’ve never played the Facebook-based game FarmVille, so I was initially slightly alarmed, until I read the content of the email. In the body of the email, it quoted my PayPal user ID (my email address that the email was being sent to) and said that a charge of £69.46 GBP was made to Facebook from my PayPal account. It went on to say that if I had not authorised this payment, I should cancel the payment and get a full refund by clicking on a link, which was apparently for the PayPal Dispue Centre (I think they meant Dispute). The spelling mistakes and mismatch of the amounts in the title and email body are the first indicators of the email not being genuine, but the real giveaways were the link to the so-called dispute centre – firstly that there was a link at all and secondly that it was not a paypal.com domain – and the sender’s email address (revealed when you click on the name of the sender), which came from a .co.au domain which did not include PayPal.
Let’s compare this to a legitimate email about a compromised account, again which I received a couple of years ago, this time from eBay. The email was entitled “Unauthorized use of your account – action required” and explained that the company had reason to believe that my account had been used fraudulently without my permission. It went on to say that my password had been reset, any link to a PayPal account disabled to protect funds and any fraudulent activity cancelled with funds returned as necessary. In the email, eBay also requested that I reset passwords to my linked email and listing account and also reset my eBay password, before then providing step-by-step instructions on how to do it once logged into my eBay account.
So, what are the key differences that signal that this email is legitimate and not fraudulent? Well, for one it is the tone and structure of the email – no errors, detailed instructions and some links to helpful information at the end which are clearly to ebay.co.uk. The second indicator is that there is no attempt to hide the sender domain – it came from no.reply@ebay.com, a legitimate eBay domain with no altered sender title that you had to click on to see the actual email address. The final clue that it is legitimate is that the email is not asking me to click on a link to reset my password or take any action on my account. Fraudsters will almost always provide a fraudulent link for you to click on in the hope that you do and give them the details they want (or the link could download malware onto your computer), whereas most companies that contact you will never provide a link to take account actions in the event of potential fraud. They know that you know how to access their website and your account and will provide instructions but not a link – exactly as eBay did in this email.
I wish these examples covered it, but unfortunately there is a lot more to the phishing threat than contact from fraudsters pretending to be trusted brands. You may receive emails from those posing as friends of yours who are stuck in a foreign country, have had their phone, passport and wallet stolen and need you to send money. There are the emails from fraudsters in other countries who claim to have millions that they can’t access and need a UK bank account to get the money out, which they promise to share with you. And there are literally hundreds of other ways that you could be targeted by fraudsters over email.
I obviously can’t go into all of them, but I should add that this method of scamming has moved over from email to text messages as well with the proliferation of smartphones. Only the other day I received a text message saying “The best price has been won for your recent accident, fill out…” along with a link. I also saw a recent example on Twitter of a message purporting to be from a well-known high street bank saying they had tried to contact someone about their online banking and that they needed to verify their details by clicking on a (clearly fraudulent) link. Now I had not had an accident and the person that received the banking text didn’t use this bank, but that doesn’t matter to fraudsters. It is very cheap for them to send out thousands of emails and text messages and they’ll inevitably hit a few people that either have had an accident or use that bank and then click the link without thinking.
As I review this chapter at the end of March 2020, currently in self-isolation, another text scam has been doing the rounds in recent weeks – the scam plays on people’s fear around major events. As we are in lockdown in the battle against COVID-19, there has been news of a scam text informing people that they have been fined for leaving the house too often (based on their mobile phone location data) and to call a number to appeal. This plays on people’s fear in the hope that they will call the number without even thinking, perhaps making money for the fraudsters through call charges or eliciting personal information from people.
Speaking of COVID-19, this is also an extreme example of a major world event which will drive cyber criminals to target consumers and cash in on their fear to make money. According to a BBC article in April 2020, Google revealed that it had been blocking 18 million Coronavirus related scam emails to Gmail users every day – a major increase in phishing attacks in an attempt to obtain personal data. According to the article, “Individuals are being sent a huge variety of emails which impersonate authorities, such as the World Health Organization (WHO), in an effort to persuade victims to download software or donate to bogus causes.” [7]
In addition, an article from ZDNet in March 2020, citing multiple reports, stated: “Cybercriminals are now creating and putting out thousands of coronavirus-related websites on a daily basis. Most of these sites are being used to host phishing attacks, distribute malware-laced files, or for financial fraud, for tricking users into paying for fake COVID-19 cures, supplements, or vaccines.” [8]
It should be clear by now that there is pretty much no opportunity that cyber criminals won’t take advantage of to attempt to steal data and/or money from unsuspecting consumers. This has even led the National Cyber Security Centre (NCSC) in the UK to launch a new service allowing people to report suspicious emails for review by experts.
With all this in mind, when it comes to emails and text messages you really must think before you click links, open attachments or call numbers. To help reduce your chances of falling victim to scams of this nature, I suggest you follow the below steps where possible:
- Take your time – As we’ve seen from the examples in this chapter (and as you will also see in the later chapter on phone scams), criminals rely on creating a sense of urgency and panic to get you to follow their requested actions. When you receive an email or text message that makes you panic a little, remember that it’s likely not legitimate and that you shouldn’t do anything until you’ve taken the time to reread it and check a few things.
- Always check who the sender is – Most scammers change the sender name to something involving the company they’re impersonating, so you won’t see the real email address immediately. Always click on the sender name to reveal the actual email address. If it doesn’t come from the actual domain of the company (e.g. ebay.com or ebay.co.uk) then it’s almost certainly fraudulent. I’d recommend checking it carefully, since some fraudsters try to catch you out by making the sending domain as close as possible to the domain of the legitimate company.
- Never click on a link in an email (without checking) – As mentioned earlier, if you receive an email about fraudulent activity or changing your password, legitimate companies will not ask you to click through on a link, so do not do this under these circumstances. If you’ve verified the sender is legitimate and the email is to do with other things then links may be fine to click – but remember, marketing emails could also be fraudulent.
- Go to the right website independently – If an email has you worried that your account may be compromised, then open a new browser window and type in the web address of the site that you know is correct, log in and check your account that way.
- Delete the email or message – This may seem obvious, but when you’re sure an email or message is a phishing scam you should delete it, and perhaps warn friends and family about it if you think it’s appropriate.
- Report the email – There are literally hundreds of thousands of phishing emails sent every day, so I’m uncertain whether reporting every one you get will have much of an impact. However, if it is a particularly clever attempt then helping to raise awareness could stop others falling for it. An article from the Money Advice Service [9] advises that you can report emails to Action Fraud either over the phone or online, and there will also be a report option provided by most email providers.
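Two of the checks above, and the two giveaways in the PayPal email earlier in the chapter, can be written down precisely: does the real address behind the sender’s display name come from the company’s own domain, and does each link in the message point at that domain? The script below is an added example and is not from the book; the brand allow-list, the sample messages, their addresses and hosts are all constructed for the illustration, and the “registrable domain” logic is a simple heuristic for two-part suffixes such as co.uk and co.au rather than the full public suffix list.

```python
# Added example, not from the book: apply the chapter's "check the sender"
# and "check the link domain" tests to a raw email. Allow-list, addresses,
# hosts and message texts are constructed samples.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains each brand really sends from / links to (constructed allow-list;
# a real one would come from the company's own published guidance).
LEGITIMATE_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "ebay": {"ebay.com", "ebay.co.uk"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TWO_PART_SUFFIX = {"co", "com", "org", "net", "gov", "ac"}


def registrable_domain(host):
    """Reduce a host to the domain someone had to register: the last two
    labels, or three when the suffix is two-part (co.uk, co.au, com.au).
    A heuristic, not the public suffix list, but enough for this check."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in TWO_PART_SUFFIX and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domain_verdict(brand, host):
    """'legitimate' if the registrable domain is on the brand's list,
    'lookalike' if the brand name merely appears somewhere in the host
    (e.g. paypal.dispute-centre.example.net), otherwise 'unrelated'."""
    if not host:
        return "missing"
    if registrable_domain(host) in LEGITIMATE_DOMAINS[brand]:
        return "legitimate"
    if brand in host.lower():
        return "lookalike"
    return "unrelated"


def check_email(raw, brand):
    """Return sender and link verdicts for a raw RFC 822 message that
    claims (by display name or content) to come from `brand`."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    links = [(url, domain_verdict(brand, urlparse(url).hostname or ""))
             for url in URL_RE.findall(body)]

    sender_verdict = domain_verdict(brand, sender_host)
    # The tell from the chapter: a display name that says "PayPal" while
    # the real address behind it says something else.
    name_mismatch = brand in display_name.lower() and sender_verdict != "legitimate"
    suspicious = sender_verdict != "legitimate" or any(v != "legitimate" for _, v in links)
    return {
        "display_name": display_name,
        "sender_domain": sender_host,
        "sender_verdict": sender_verdict,
        "name_mismatch": name_mismatch,
        "links": links,
        "suspicious": suspicious,
    }


# Constructed sample modelled on the chapter's PayPal/FarmVille email.
PHISH = """\
From: PayPal.Inc Security Center <alerts@resolution-centre.example.co.au>
To: victim@example.org
Subject: You sent a payment of 71.77 GBP to FarmVille

A charge of 69.46 GBP was made to Facebook from your PayPal account.
If you did not authorise this payment, cancel it for a full refund at the
PayPal Dispute Centre: https://paypal.dispute-centre.example.net/refund
"""

# Constructed sample modelled on the chapter's legitimate eBay email.
LEGIT = """\
From: eBay <no.reply@ebay.com>
To: victim@example.org
Subject: Unauthorized use of your account - action required

Your password has been reset. Sign in as usual to change it.
Help: https://www.ebay.co.uk/help/account
"""

if __name__ == "__main__":
    for label, raw, brand in (("phish", PHISH, "paypal"), ("legit", LEGIT, "ebay")):
        result = check_email(raw, brand)
        print(label, "SUSPICIOUS" if result["suspicious"] else "ok", result)
```

Run as-is it reports the constructed PayPal message as suspicious on both counts (a display name claiming PayPal over an unrelated .co.au address, and a link whose host contains “paypal” but is registered as example.net) and the constructed eBay message as clean. The “lookalike” verdict is the programmatic form of the book’s warning that fraudsters make the sending domain as close as possible to the real one; only the registrable domain, never the presence of the brand name, decides legitimacy.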
These are all good tips to avoid falling for a phishing scam, but what should you do if you do fall victim to one? Well, it really depends on how far you’ve gone with it. If you’ve simply clicked a malicious link, then immediately change all passwords on related accounts, run a virus scan on your computer and be vigilant for any unusual activity. If you’ve gone as far as entering personal or financial details, then you’ll need to contact your bank to make them aware of potential fraudulent activity and keep an eye on your bank and other personal accounts for any strange activity.
In addition, if you are really worried that your personal details have been stolen you can sign up for monitoring with a fraud prevention service such as Cifas, “a not-for-profit fraud prevention membership organisation, which manages the largest database of instances of fraudulent conduct in the country.” [10]
Protective Registration with Cifas costs £25 for two years, but will ensure that your details are flagged as a risk on the National Fraud database, meaning if anyone tries to open an account or get credit in your name it will be flagged and blocked.
We’ve talked a lot about the issues related to your own email being hacked and of course phishing, but what if you are impacted by someone else’s hacked email? Well, let’s revisit the story of the couple in South East England. After realising that the contractor’s email had been hacked and they had transferred the fee for the work to a fraudster, they of course reported it. Both the couple and the contractor sought advice under the agreement that they did not want to go to court.
The upshot was that, as the work had been done and the contractor had not received the payment he was due, the couple were liable. They had to pay the contractor in full, despite the fraud taking place as a result of the contractor’s email being compromised – so they ended up paying double. I guess the moral of this story is whenever you receive an email asking you for money (even when expected) make sure you verify its legitimacy before you make the transfer.