While there are many spamming methods, there are two main types of spam: advertising and malicious.
Advertising Spam
Advertising spam can be extremely irritating by filling up your inbox on a daily basis, but usually the messages are in fact from legitimate companies that you have unknowingly subscribed to. Often these messages begin when you order something online from a legitimate company. During the order process there is usually an inconspicuous checkbox that says something to the effect of ‘Please send me notices about news & special offers’. Unless you want to receive those potentially annoying messages, you will need to hunt this checkbox down and uncheck it. Not so surprisingly, once you are on a company’s mailing list, your information is often also shared with any of its partner agencies such as advertising firms & sub-companies. Soon thereafter you end up with an inbox full of ads from multiple companies who also share your information. Most of the spam that makes it to your inbox is advertising from legitimate companies.
The good news about legitimate Advertising spam is that it is usually painless to stop. Any legitimate company should include in its message a method to Unsubscribe. Sometimes it may be a link; other times it may be an email message sent to a certain address. The Unsubscribe options that are included in messages from legitimate companies are safe to use, and the messages usually stop within a day or two, but sometimes it takes as long as a week.
Occasionally you may see an advertising message make it to your inbox which is not from a legitimate company. These are usually easily recognizable and offer a deal on something like Viagra. You would not want to use any Unsubscribe methods on a message that is not from a legitimate company.
Legitimate companies can also be faked. PayPal, Amazon, FedEx, and banks are among the frequently faked companies. One method for identifying fakes is to pay attention to the address that pops up when you hover the mouse over a link. If your message includes the real-looking PayPal logo, hover over the link without clicking and look for an address in the form of https://paypal.com/somethingsomething. If the link shows something completely different like http://sendusyourmoney.cn/somethingsomething, or perhaps a misspelling such as https://payapal.com/somethingsomething, then there is a good chance that it is a fake. Of course you would not want to try to Unsubscribe from one of these fakes either.
Any messages that slip through the filters that are not from a legitimate company should be forwarded ‘as attachment’ to your IT department.
Any spam that continues to come in from a legitimate company more than a week after you have used their Unsubscribe method should be forwarded to your IT department so that they can blacklist them for not playing nice.
Advertising spam review:
- All legitimate companies should include an Unsubscribe method which is safe to use.
- Not all messages with an Unsubscribe method are from legitimate companies.
- Watch out for fakes of legitimate companies.
- Use the hover method on links for proper identification prior to clicking.
Malicious Spam
Most malicious spam is filtered out before it makes it to your inbox. For this reason, the ones that do make it through can be difficult to identify. To be safe you will need to be able to recognize the main types of malicious spam: spoofing, phishing, and malware.
Spoofing
Email spoofing is the practice of forging an email. One of the reasons that email should never be considered secure is that anyone can easily use literally any name and address they like in the ‘From:’ field. With so much of our information out on the web and social media, it is not difficult for spammers to obtain the information needed to run a successful spoofing scam.
Example & Prevention
Imagine receiving the following email from your sister Sally back East who checks in regularly on your dad who is in a nursing home.
From: Sally Smith(sally.smith@verizoneast.com)
To: Sammy Smith(sammy.smith@verizonwest.com)
omg help! we need to pay dads nursing home bill before the end of day or they will move him back over to south wing!!!!. they need 5000. I only have 3500 of it until next friday. please can you wire over the remaining 1500 and I will pay you back next week
BankAmerica
acct# 5555-5555-5555-5555
route# 4444-44444
let me know as soon as it is done
i will call you tonight to explain everything
The scary thing about this is that the bad guys can get all the information needed to pull off a scam like this from free online sources such as Facebook & Google. To prove the point, next time you are on your home computer, try doing a search for “Happy Birthday” on Facebook. Pick a random birthday wish with many shares, and then pick a random person that shared the wish with a sibling, parent, or child. Once you have found a family whose pages are open to the public, take a look at how much you can learn about their family just by scouring their social media pages, and doing a few Google searches.
Using your best practices checklist would help to identify a forged message such as this. If Sally and Sammy had made it routine practice to simply include the same signature every time, a message like this would never be convincing. The lack of proper grammar would be the next tip-off, and lastly the urgency of the message.
Phishing
Email phishing is the practice of tricking victims into providing information. This information can then be saved for later and used for things such as accessing your online bank accounts, identity theft, and other fraud. Phishing and spoofing are often used together in order to create an even more authentic look.
Example & Prevention
One common phishing attack involves setting up a fake site that looks identical to your bank’s official website. The attackers then send you an official-looking email warning you of suspicious activity and asking you to log in and verify that your accounts look normal. They also include a convenient link that takes you to their fake site. Once you land on their fake site and attempt to log in as you normally would, they warn you to double check the password entered, then redirect you over to the official website. In doing this, they have obtained your bank login credentials, and since you are now logged into your bank where you can see your accounts, you are convinced that the message was legit, and all is well.
Using your best practices checklist would help to identify the phishing scam by hovering over the links and verifying the address before clicking. When it comes to sites that require a login, such as banks, don’t use links from the email; instead, find the site in your favorites, or memorize the address. Also be very careful not to mistype web addresses, as this will often lead you to a faked phishing site.
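The hover check described here and in the Advertising Spam section can also be run by a mail filter or an IT help desk over a forwarded message. The following is an added example, not part of the original article: the EXPECTED list, the function names, and the sample message body are assumptions made for illustration, and the sample uses only the addresses quoted in the text above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this mailbox owner really does business with.
EXPECTED = {"paypal.com"}
# Constructed sample message body using the addresses from the article.
SAMPLE_HTML = """
<a href="https://paypal.com/somethingsomething">PayPal</a>
<a href="http://sendusyourmoney.cn/somethingsomething">PayPal</a>
<a href="https://payapal.com/somethingsomething">PayPal</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, expected=EXPECTED):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Match the whole host or a true subdomain, never a substring of the URL.
    if any(host == d or host.endswith("." + d) for d in expected):
        return "expected" if parts.scheme == "https" else "expected-host-not-https"
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:])
    if any(edit_distance(base, d) <= 2 for d in expected):
        return "lookalike"
    return "unrelated"

def scan(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(url, classify(url)) for url in collector.links]
```

Calling `scan(SAMPLE_HTML)` returns one verdict per link; anything other than "expected" on a message that claims to be from a company on the list is a reason to forward it to IT rather than click.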
Malware
Malware spam seldom makes it to the user’s inbox these days, but it does still happen. Spammers can send a file attachment that appears to be a normal file, but includes a virus, worm, or Trojan. Often these files are simply a Microsoft Word document with malicious macros. Messages with malware are usually very informal and provide very little information about the attachment. They often include horrible grammar and many misspellings. Malware spam can be easily identified by using your best practices checklist.
If an attachment ever pops up with a prompt asking you to ‘allow’ an activity or macro, the correct answer is to ‘not allow’, then forward the message to your IT department for closer examination if you believe it to be legitimate.
Summary
Malicious spam can be very costly to an organization. Costs can involve significant amounts of money in addition to critical data loss. Spam cannot be completely prevented; therefore, the best defense we have is to educate ourselves on its identification.
- Memorize the best practices checklist and apply it to all incoming and outgoing messages.
- Advertising spam is mostly harmless and can usually be prevented.
- Learn to recognize the different types of malicious spam and handle them accordingly.
- It is better to be safe than sorry. If you receive a questionable message, forward it on to your IT department to be examined.
Best Practices Checklist
- Subject line is appropriate
- Proper opening salutation
- Proper grammar used
- No spelling errors
- Description of, or reasoning for attachments/links
- Signature including contact information
- Hover over links to verify authenticity before clicking