Be Careful with the Links in Your Inbox, Even If You Think That They Can Be Trusted
'Humans are the weakest link' is one of the most clichéd phrases in information security circles, but it must be said that as a statement, it's 100% true. While it's easy to believe the Hollywood movies where breaking into a computer system involves a person in a ski mask and lots of furious typing, the truth is that more often than not, attackers exploit human curiosity and naivety. And emails are a great way to do it because, whether at home or in the office, we check our inbox at least once a day, and we're often eager to find out what we'll find there.
Obviously, you've been on the Internet for long enough to know that emails can contain some really bad things. That's why you know that just like children shouldn't take candy from strangers, you shouldn't follow links or open files you don't fully trust. With that knowledge, you're pretty certain that none of the bad things that happen to other people will befall you. But is this really the case?
No, it's not. The sad truth is, the crooks have a few tricks up their sleeves which they've used for ages. What's more, fooling regular users often requires no technical skills whatsoever, which further increases the chance of receiving a scam email and falling for it. Let's take a look at a scenario which will show you how you can be tricked at virtually every step of the way.
Spoofing the sender
As we all know, pretending to be someone you're not is rather easy on the Internet, and just because the email says that it's coming from email@example.com doesn't mean that your friend who happens to be a fan of Gmail sent it. Spoofing an email address requires nothing more than an email server and the right software. Once that's set up, all the crook needs to do is fill in the "From:" and "To:" fields and click "Send."
But why would they want to spoof an email address if the victim isn't even going to see it? Indeed, most email clients, both desktop- and browser-based, don't display the sender's email address in plain sight at all. Before you open the message, all you see is the supposed name of the sender and the subject, and when you do open it, most people don't bother checking the actual address behind that name. Maybe you should think about changing your habits.
An email address you don't recognize is the easiest way to see that something's not right. Unfortunately, a supposedly trusted sender is no guarantee that the email is legitimate.
HTML in the body of the message
To the delight of marketing people the world over, emails can consist of more than just plain text. You can put pictures, frames, and QR codes in the message, you can modify the text size, and you can generally make an email look like one of the leaflets that come through the snail mail. Unlike a paper leaflet, however, you can also place a link under a button and make the whole thing both pretty and interactive. Legitimate service providers have been doing it for years, and so have phishing enthusiasts.
Malicious emails need to be carefully thought through if they are to work. Impersonating a trusted organization or a person is just half the story. You need to mimic the style of the email, the way it looks, and the way it behaves. Some of the crooks are not very good at this; for example, we see phishing emails with hilarious grammatical mistakes on a daily basis. Others, however, know what they're doing, and the messages they send are often quite convincing.
Even in such cases, there is a way of avoiding the nasty link. On a desktop computer, simply hovering the mouse over a button or a link will show you where you're about to go, usually in the status bar in one of the bottom corners of the screen. With mobile devices, inspecting links before visiting them is slightly more inconvenient (typically you press and hold the link to see its destination), but it is possible nonetheless, and you should probably try to do it as much as you can. After all, you wouldn't change your Google password at a URL that's not hosted on Google.com. Or would you?
Shortened URL services appeared a while ago when people suddenly realized that they needed to exchange links through media that limit the number of characters that can be sent or received. They are still widely used today, both by legitimate organizations and by cybercriminals. The clever (or nasty, depending on which side you're on) thing about shortened URLs is the fact that usually, you have no idea where they'll take you until you click on them. There are services that can "expand" a shortened URL and show which internet address it's linked to, but not all of them are easy to find or use. As a result, it's best to treat them with even more skepticism than usual.
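As an added example that is not part of the original article, here is a small Python checker that applies the three inspections discussed above to a raw email: it looks at the real address behind the "From:" display name, compares the text on each link or button with the host its href actually points to, and flags known URL shorteners. The shortener list, the regex-based link extraction and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}  # illustrative, not exhaustive
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}")  # picks "google.com" out of a name or link text
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified
TAG_RE = re.compile(r"<[^>]+>")  # strips inner tags such as <b> from the visible text

def on_domain(host, claimed):
    """True if host is `claimed` itself or a subdomain of it."""
    return host == claimed or host.endswith("." + claimed)

def analyse(raw):
    """Return warning strings for a raw message; an empty list means nothing looked odd."""
    msg, warnings = message_from_string(raw), []
    # 1. Spoofed sender: the display name mentions a domain the real address is not on
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    for claimed in DOMAIN_RE.findall(name.lower()):
        if not on_domain(sender, claimed):
            warnings.append(f"From: name says {claimed} but address is @{sender}")
    # 2. HTML body: compare what the link or button says with where its href really goes
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    for href, inner in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        text = TAG_RE.sub("", inner).strip()
        for claimed in DOMAIN_RE.findall(text.lower()):
            if not on_domain(host, claimed):
                warnings.append(f"link text says {claimed} but href goes to {host}")
        if host in SHORTENERS:  # 3. shortened URL: destination hidden until it is followed
            warnings.append(f"shortened URL via {host}: {href}")
    return warnings

# Constructed sample (not a real phish): the display name looks like a Google address,
# the button mentions google.com but its href is a shortener; the second link is honest.
SAMPLE = """\
From: "no-reply@google.com" <alerts@mail-example.net>
Content-Type: text/html; charset=utf-8

<p>Unusual sign-in detected.</p>
<a href="https://bit.ly/3xAmPl3"><b>Review activity at google.com</b></a>
<a href="https://accounts.google.com/">accounts.google.com</a>
"""

if __name__ == "__main__":
    for warning in analyse(SAMPLE):
        print("WARNING:", warning)
```

Run against the sample, it reports the mismatched display name, the link whose text names google.com while its href points at bit.ly, and the shortener itself, and stays silent on the honest second link.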
So, you've got an email from a spoofed sender. In it, there's a link carefully placed under a button that's designed to spark your curiosity, and for good measure, the link is shortened to make inspection just that little bit harder. As you can see, even if you think that you know what you're doing, you can often overlook the finer details that sometimes happen to be the most crucial ones. Staying vigilant has never been more important.