5 Tips to Protect Yourself From Spam Scams (That Don’t Quite Work)

Written by Paul Cunningham on November 26, 2009

NBC Chicago published a list of 5 tips for people to protect themselves from scam emails.  Although they mean well, and the tips are a step in the right direction, they are far too simple to be really effective at stopping spam.  Let’s take a look.

Tip 1 – If you don’t know the sender, don’t open it!

This tip is a carry-over from the old days of computer viruses, when people were advised not to trust attachments in emails they were not expecting.  These days the malicious payload of an email is rarely in an attachment; it is usually hosted on a website somewhere, in the form of a product sales scam or a web browser hijack exploit that the email merely links to.

The tip doesn’t work for two reasons:

  1. Emails from people you know can be just as untrustworthy as emails from people you don’t know.  If someone you know has their email or social networking account compromised then you are likely to receive malicious email from “someone you know”.
  2. Businesses could not survive if they did not open emails from people they don’t know.  An analogy in the physical world would be not opening the door to your store for anyone you didn’t recognize, cutting off all new customers from your business.

A more practical approach would be to assess emails based on their contents, and use alternate channels to verify anything that seems unusual or out of character.  A graphic designer receiving an email from someone they don’t know would be turning away a customer if they didn’t open it, whereas a person trusting the message from their friend asking for money in an emergency could easily fall victim to a scam.

Tip 2 – Watch out for emails that request personal information

This tip is oversimplified with the statement “No legitimate organization will ask for your social security number”.  Protecting your sensitive personal information such as social security and credit card numbers is important, but what about seemingly harmless information?

Let’s say you receive one of those amusing chain letter emails asking 25 questions about you such as the name of the street you grew up in, your favorite movie, your pet’s name, and so on.  Now consider that in doing so you are revealing useful information about yourself that can be used in future attacks.

The information could be used to target you with scams that relate to your particular interests, or even to reset your passwords at websites (how many websites do you visit that use your pet’s name or mother’s maiden name as the password reset question?).

A better way to approach this is to consider whether you would be willing to give out the same information in an email, even an email to friends, as you would if you were saying it out loud among strangers.

Tip 3 – Be careful with emails that look like they are from Paypal, Facebook etc.

We all know that Paypal scams are a serious problem on the internet.  The problem is that sites such as Paypal and Facebook will send you genuine communications by email as well.  Having to be cautious and assess every single email from these sites in detail would take up far too much time.

The good news is that these emails tend to use email forging techniques that any good anti-spam system can detect and block for you.  As long as you have spam protection for your email accounts you will have far fewer emails to deal with and be far more likely to only receive the genuine ones.
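To make the “email forging techniques” concrete, here is an added example (not code from the original post) of three header checks of the kind an anti-spam system applies before any content is examined: a display name that borrows a brand while the From address sits on an unrelated domain, a Return-Path (envelope sender) domain that differs from the From domain, and a Reply-To that redirects replies to a third domain.  The brand-to-domain allowlist and the two sample messages are constructed for illustration; a production filter would rely on SPF and DKIM verification rather than a hand-written list.

```python
"""Header-based sender-forgery heuristics, as a spam filter might apply them.

Added example, not code from the original post.  The allowlist and the
sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed allowlist of domains each brand legitimately sends from (illustrative;
# real filters verify SPF/DKIM/DMARC instead of maintaining a list like this).
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

# Constructed sample messages (minimal RFC 5322 headers, not real mail).
GENUINE = """\
From: PayPal <service@paypal.com>
Return-Path: <bounce@paypal.com>
To: user@example.net
Subject: Your receipt

Thanks for your payment.
"""

FORGED = """\
From: PayPal Security <alerts@paypa1-verify.example>
Return-Path: <x9f@bulkmailer.example>
Reply-To: <recover@freemail.example>
To: user@example.net
Subject: Verify your account

Please confirm your details to restore access.
"""


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _is_brand_domain(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def forgery_signals(raw_message):
    """Return a list of human-readable reasons the sender looks forged.

    An empty list means none of the heuristics fired; it does not prove the
    message is genuine, only that it passed these particular checks.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    signals = []

    # 1. Display name (or local part) borrows a brand, but the From address is
    #    not on a domain that brand actually sends from.
    claimed = (display_name + " " + from_addr).lower()
    for brand, allowed in KNOWN_BRANDS.items():
        if brand in claimed and not _is_brand_domain(from_domain, allowed):
            signals.append(f"display name suggests {brand} but From domain is {from_domain}")

    # 2. Envelope sender (Return-Path) domain differs from the From domain.
    #    Legitimate bulk senders sometimes do this too, so it is a weak signal alone.
    return_path = _domain(msg.get("Return-Path"))
    if return_path and return_path != from_domain:
        signals.append(f"Return-Path domain {return_path} differs from From domain {from_domain}")

    # 3. Replies are redirected to a third domain the sender does not control.
    reply_to = _domain(msg.get("Reply-To"))
    if reply_to and reply_to != from_domain:
        signals.append(f"Reply-To domain {reply_to} differs from From domain {from_domain}")

    return signals


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, forgery_signals(raw) or ["no forgery signals"])
```

Run on the two constructed messages, the genuine one produces no signals and the forged one trips all three checks.  Each signal on its own has legitimate explanations (mailing lists and marketing providers routinely use a different Return-Path), which is why real filters score several such metrics together instead of blocking on any one of them.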

Tip 4 – Watch for typos or spelling mistakes

It’s true that a lot of spam contains atrocious spelling and grammar.  Unfortunately it is not as simple as considering every such email a scam.

One of my own personal stories is of a genuine Paypal email that contained three glaring spelling mistakes.  I emailed them to ask about it and they confirmed they had sent the email and made the mistakes, apologizing for the confusion.

On the other side of this is the large volume of spam emails I have seen that contained perfect spelling and grammar.  Worse still they contained very effective marketing language and had fooled some normally cautious people.

A good anti-spam product uses more accurate metrics than spelling and grammar when it determines what is and isn’t spam.

Tip 5 – Watch for red-flag phrases

Phrases such as “You have won!” and “Verify your account” are common in spam.  Where this tip goes wrong is declaring “Genuine firms never send emails like that”.  This is untrue.  Signing up for most websites will generate a “Verify your account” email to you, and a lot of companies use the web to run competitions and notify winners by email.

The better approach to this type of email is anticipation.  If an email containing one of these “red flag phrases” is anticipated then it is probably not spam.  If you entered a competition by Company X and they later send you a “You have won!” email, then it is probably legitimate.  But if Facebook sends you a “Verify your account” email and you don’t remember requesting a password reset from them then it might just be a scam.

Protecting yourself from spam is something that can’t be boiled down to 5 simple tips.  No single tip taken in isolation provides adequate protection, and even combinations of these rules do not make for effective protection.

The most effective spam prevention is a combination of good anti-spam software, personal threat awareness, and safe online behavior.

About Paul Cunningham

Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.