Avoid this security threat to keep your inbox from becoming a horror story - Technical.ly DC

Business

Oct. 28, 2019 12:50 pm

Avoid this security threat to keep your inbox from becoming a horror story

Dave Baggett, CEO of Rockville-based email protection startup Inky, writes of protecting your emails from spooky online predators.
This is a guest post by Inky CEO Dave Baggett.
It’s that time of year! We’re all having fun planning our Halloween costumes. What’s not so fun? Cybercriminals are doing the same thing.

Just as you can put on a Dracula outfit and look the part, criminals can camouflage their emails to present a perfect facade, too — of a brand you trust.

But crooks don’t have to buy their costumes: a phisher — let’s call him Vlad the Impaler — can just take a real email from, say, Apple, save its HTML content, and modify a few links. Vlad can then resend a perfect-looking Apple mail from a plausible sounding server like “apple-mail-gateway.com” and … trick or treat.

The trick is: Vlad makes that Apple email say something along the lines of “Log in to verify your payment details.” The treat (for them) is you click through and type your username and password into their fake login page. Maybe you’ll even enter your credit card information. Then Vlad sells this info on the dark web for a lot more than a bag of candy corn.

This deception is surprisingly easy for real world fiends: Vlad can register a new domain named whatever he likes for just a few bucks. How about apple-secure-mail.com? Once Vlad gets his new fake Apple domain, it’ll take him under an hour to set up a mail server and start sending out phishing emails targeting lists of potential victims he’s gotten from, guess where? The dark web.

In another few hours, he’s gotten the goods and is gone without a trace.

If this seems all too easy, you’re right. Email is a relatively “old” internet protocol and it therefore lacks security features of more modern protocols. There’s no way to ensure that the sender of an email is really who it claims to be. There’s no master list anywhere of “the domains Apple legitimately emails from.” And there’s no practical way to link a domain to a specific brand.

Furthermore, unlike social media and messaging apps, email is federated. That means anybody can run a mail server for free and exchange email with anybody else on Earth. A great triumph for freedom of access, but not so good for security.

Vlad also knows that as humans, if an email comes into your inbox claiming you need to “verify your payment” or “your password has expired” or something of that nature, we are very likely to be worried that someone has logged into our account and we are quick to react before thinking this through. The Vlads of the world prey on this tactic constantly. Human error is almost impossible to avoid or train for. Organizations can’t know what the next email scam is going to look like so therefore can’t prevent this from happening. This makes it super easy for Vlad to trick, or treat.

Advertisement

So how do you protect yourself from Vlad’s dressed up scams? The easiest way is to avoid clicking links in emails entirely. Instead of clicking on the link in that mail from Apple, just type “apple.com” into your browser and go directly there. Or call Apple via its customer service phone number.

As a rule, try to perform any sensitive transaction — one involving passwords, subscriptions, money, etc. — outside of email, even if the initial notification arrived via email. Make that especially if it arrived via email.

And above all, never assume an email is from who it appears to be from. While it may arrive in a convincing costume, its intention might just be to egg your virtual house.

-30-
CONTRIBUTE TO THE
JOURNALISM FUND

Already a contributor? Sign in here
Connect with companies from the Technical.ly community
New call-to-action

Advertisement

Cybrary’s $15M Series B will be used to expand its cybersecurity training platform

How to bootstrap a fintech startup in an industry lacking structured corporate innovation

CIT GAP Funds made an investment in Arlington-based Fend

SPONSORED

DC

Verizon is looking for the brightest ideas on how to use its 5G technology

Philadelphia

Vistar Media

Sr. Software Engineer

Apply Now

Philadelphia

Vistar Media

Front End Engineer

Apply Now

Washington, DC

Quorum

Account Executive

Apply Now

These are the winners from Northern Virginia Technology Council’s first Cyber Awards

We’re taking action for Digital Inclusion Week. Congress should, too.

How to better leverage the cloud for your tech business

SPONSORED

DC

Escape the August heat with cool AI tech

Philadelphia, PA - Center City

Odessa

Business Architect

Apply Now

DC, SF, NYC

Nava

Experienced Software Engineer – Backend

Apply Now

Philadelphia OR Baltimore

Technically Media

Technical.ly Editorial Intern (Spring 2020)

Apply Now

Sign-up for daily news updates from Technical.ly Dc

Do NOT follow this link or you will be banned from the site!