
How to spot SPAM emails

Working in the Information Technology (IT) sector, we often get asked, or are forwarded e-mails with, the simple question “is this SPAM?” One category of SPAM e-mail concerns itself with trying to fool a user into believing it is a genuine e-mail, and in this article we look at the various methods we employ to separate the good from the bad.

Introduction

Firstly I must make clear that we are not talking about the SPAM e-mails whose agenda is to advertise products that would otherwise never cross our ever-innocent minds, such as Cialis, Viagra, Blue Pills, Red Pills, Rabbit holes and increased performance (if you have found this article because you searched for one of these terms, please accept my humble apologies).

The SPAM e-mails we are concerned with are the ones that try to get the user to perform an action. E-mail clients (such as Outlook, Thunderbird or webmail), whether local or on-line, have become very good at not infecting your computer just because you have opened an e-mail. Instead, the would-be spammer must first make you open the innocent-looking attachment or click the link that could only lead to your Barclays Bank log-in screen, right?


Spotting a SPAM email

This type of scam has become more prevalent, with more people being caught, presumably because a higher percentage of us now have a multitude of on-line accounts. Possibly the most famous of these was the so-called Love Letter virus, a spam e-mail that masqueraded as a love letter from a secret admirer, which the user had to open the attachment to view; the scam artist exploiting our most human frailty, the wish to be loved. The result of such a pursuit ends with our hearts as fragmented as our hard drives. If you have time before finishing this article, call your significant other or possibly your mother. Tell them you love them before they become prey for a well-targeted fake e-mail.

There are several types of these SPAM e-mails and I have listed some you may recognise below. The spam artist is a devious character, so the brands used will vary depending on which on-line accounts you hold; those details are sometimes harvested (tracking cookies being one route) to ensure the spam e-mail looks as genuine as possible.

  • Banking
  • Paypal
  • Skype
  • Facebook
  • Twitter
  • MySpace
  • Ebay
  • Western Union
  • LinkedIn
  • E-Cards

Let’s cover the ways I personally use to determine whether an e-mail is genuine. I believe one should use Occam’s Razor in most instances, for when I hear hooves I should surely think of horses instead of unicorns.

  1. Do I use the service the e-mail is from: “Unauthorised access to your Santander Bank Account”. We receive this e-mail and immediately run to our mattresses, afraid that our life savings have somehow been taken, and imagine Dick Dastardly’s maniacal laugh on a beach in South America. But wait, hold on, I don’t actually have an account with Santander. There is a temptation to imagine that someone has somehow set up an account in my name, but let’s not forget our razor, children. If you don’t have an account with the institution mentioned, bin it!
  2. Multiple e-mails: Although I foolhardily believe that I am my bank’s foremost priority, my belief is stretched when, instead of sending me the one damning unauthorised-access e-mail, they send me eight in the space of ten minutes. There have been times where I am almost convinced by an e-mail only to receive exactly the same one two minutes later. This is further confirmed if, as many of us have, several of your e-mail addresses receive the same message. I have never heard of a person receiving one genuine e-mail saying their bank account had been breached, let alone five.
  3. Who is it from: The following are all configurable by anyone with a rudimentary understanding of how e-mail is sent, so none of them proves anything on its own:
     • Sender name
     • Reply-To address
     • Sender e-mail address
     • Priority flag
    Depending on your e-mail client you should be able to see the full ‘from’ address (if not, consult the help files). The e-mails I most often catch this way claim to be from Barclays Bank but come from an address that has nothing to do with Barclays. Any real e-mail should come from the same domain as the name, e.g. Barclays Bank <accounts@barclays.co.uk>, although be careful of derivatives and look-alike domains (the bank’s name with a letter swapped or a word added). If the e-mail address or any of the details above don’t match, bin it. A matching address is necessary but not sufficient: it can be forged just as easily as the name, so on its own it only tells you the spammer made the effort.
  4. Attachment hell: “To re-access your accounts, fill out the attached form”. How very helpful. Despite my in-built hatred of forms I may be tempted to open the attachment to re-access my, unbeknownst to me, Santander account. These attachments are either executable (.exe) files, programs that if run will run rampant across the plains of my Windows desktop, or HTML files that will use my browser to forward me to sites selling blue pills or worse (red pills). In some instances it could be an actual form that collects everything bar your inside leg measurement, which you can helpfully forward back to dave@yahoo.com. Please note I am using dave@yahoo.com as an example; as far as I know he is not a spam artist and I am sure a lovely man. As best practice, no site I am aware of would ever send an attachment in the range of circumstances these e-mails purport to. Attachment = bin it.
  5. Which rabbit hole does the link travel: Instead of the “more comprehensive than the census” attachment, an e-mail may give you a series of links to rectify an issue or respond to an invitation. Remember that the link text can be different from the link itself (else we couldn’t have the ubiquitous “Click Here”). Spammers use this fact to make the link text itself look like a URL; for those who recognise a little bit of HTML, the anchor’s href points at the spammer’s site while its visible text reads http://www.barclays.co.uk. In the e-mail this would simply show “http://www.barclays.co.uk” but would in fact go to the other site. To check this, hover over the link and see the real link location in the status bar (consult your help files if this does not work). Alternatively, right-clicking should allow you to copy the link location or see its properties. If it does not go to the real site, bin it! Also be sure to check every link in the e-mail, not just the first.
  6. Content is king: “You’re account was been infiltrated. Fix problem here like.” Although I could see the above as a damning indictment of the UK schools system, more likely it is the result of a spammer whose first language is not English and who is sat in Transylvania (or wherever they live) with Google Translate. Most bank-related e-mails will have a high standard of design and copy. Although I have picked an obvious example, be careful when e-mail content is familiar but easy to copy, such as the “Dave has added you as a friend on Facebook” type of e-mail (see the rules below on how to deal with these). Furthermore, most companies will use information not generally known, such as your user-name, to identify the e-mail as genuine.

Despite these rules, even the most learned among us can be fooled by an e-mail, and you will often receive e-mails that do not violate any of the above. I recently got an e-mail from Skype saying my password had been reset. The e-mail was from the Skype domain, it did not contain an attachment and all the links pointed to Skype. In these cases the explanation may be a mistake on Skype’s (or Microsoft’s) part, sending the e-mail in error. It could also be that the point of the e-mail was to turn Skype’s users against the company. What the e-mail did not contain, however, was any information identifying it as real, such as my user-name.

What is possibly more important than recognising a SPAM e-mail is to give yourself rules to follow when you believe an e-mail to be genuine.

Suggested rules

  1. If genuine, visit the site directly. Links can be misleading, especially where they point to a sub-domain or contain the name of the company, e.g. http://skype.billpay.com is actually just billpay.com: whoever owns billpay.com can create any sub-domain they like, and the word “skype” in it proves nothing. If you believe the e-mail to be real, type the site’s address in yourself (or use your own bookmark) rather than using one of the links provided.
  2. Pay attention to your accounts’ rules, such as “we will never ask for your password”. All responsible agencies have clear rules on how they communicate with you. This includes what information they will give you and what they will never ask for. If you are concerned about a specific company’s e-mail, read their guide.
  3. If using attachments, beware .exe and .html. Attachments are probably the single most dangerous aspect of any e-mail, since they represent the most direct access to your precious files. I generally never open an attachment I was not expecting. Even if I recognise the sender, the attachment itself could still be infectious or sent without their knowledge, for example from a compromised account.
  4. Auto preview: Ensure that your e-mail client has the relevant security features turned on. This includes not auto-previewing any attachment. Generally, ensure that you have the latest version of the client as well as an up-to-date virus scanner.
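As an added example (not part of the original article and not Ayrmer Software’s code), the Python script below mechanises rules 3, 4 and 5 from the “Spotting a SPAM email” list together with suggested rule 1 above: it reads a raw e-mail, compares the domain behind the sender’s friendly name and the Reply-To with the domain the mail claims to come from, lists attachments with executable or HTML extensions, and for every link compares where it really goes with where its text says it goes, first reducing hosts such as skype.billpay.com to billpay.com. The message it runs on is constructed for this example, every hostname in it apart from the impersonated brand’s own is invented (.example), and the registrable-domain function is a deliberate simplification of what the Public Suffix List does properly.

```python
"""Added example: automate the article's 'who is it from', 'attachment' and
'link target' checks against a raw e-mail. Standard library only."""
import email
import os
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The article names .exe and .html; other double-click-to-run types added here.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".js", ".vbs", ".htm", ".html"}

# Constructed sample, not a real message; every hostname is invented (.example).
SAMPLE_PHISH = b"""\
From: Barclays Bank <accounts@barclays.secure-login.example>
Reply-To: dave@yahoo.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account was been infiltrated. Fix problem here like:</p>
<a href="http://barclays.account-check.example/login">http://www.barclays.co.uk</a>
<a href="http://www.barclays.co.uk/help">Help</a></body></html>
--b1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"

not really a program
--b1--
"""

def registrable_domain(host):
    """Approximate the part of a hostname its owner registered: skype.billpay.com
    -> billpay.com, www.barclays.co.uk -> barclays.co.uk. Simplification of the PSL."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "org", "ac", "gov", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw, claimed_domain):
    """Return (rule, detail) findings for a raw RFC 5322 message that claims to
    come from claimed_domain. An empty list means nothing tripped, not 'genuine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Rule 3: the address behind the friendly name, and where replies really go.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and registrable_domain(sender.domain) != claimed_domain:
        findings.append(("from", f"'{sender.display_name}' writes from {sender.addr_spec}"))
    if sender and msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if registrable_domain(reply.domain) != registrable_domain(sender.domain):
            findings.append(("reply-to", f"replies go to {reply.addr_spec}"))

    # Rule 4: attachments that run, or open in a browser, when double-clicked.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("attachment", f"risky attachment {name}"))

    # Rule 5 and suggested rule 1: where each link really goes (reduced to the
    # registrable domain, so skype.billpay.com is not Skype) and whether its text lies.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if registrable_domain(host) != claimed_domain:
                findings.append(("link", f"{href} is not on {claimed_domain}"))
            text_host = urlparse(text).hostname if text.startswith("http") else None
            if text_host and registrable_domain(text_host) != registrable_domain(host):
                findings.append(("link-text", f"text says {text} but goes to {href}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_PHISH, "barclays.co.uk"):
        print(f"[{rule}] {detail}")
```

Run as a script it prints five findings for the constructed message (sender domain, Reply-To, the .exe, the link that leaves barclays.co.uk, and the link whose text disagrees with its target) while the genuine-looking “Help” link passes. An empty result is exactly the Skype situation described above: none of the mechanical checks tripped, which is not proof that the e-mail is real.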

Date: 22/10/2012
