Let’s Talk About Spam – What to Do when You’ve Done the Unthinkable

Written by Casper Manes on July 3, 2012

We’ve been talking about spam on a strictly non-technical, friends and family level for the past several weeks, in an attempt to either provide you with a way to discuss spam with those who have a need to know but not necessarily a technical inclination, or just as likely, to give you a series you could link to when your Uncle Bob asks you a question you don’t want to answer. In this post, we’re going to provide a list of things to do in case someone has done the unthinkable – they’ve clicked a link, found their machine to be infected, submitted personal information to a form, provided their username and password to a phishing site, or forwarded a chain mail.

You’ve clicked a link

You got an email, you thought it seemed kind of strange, but you saw no harm so you clicked your mouse. Something flashed on your screen, your antivirus software threw up a warning, and now you are in a panic. What do you do?

First, don’t panic. It’s not (necessarily) the end of the world, yet. Close all your running applications, and then launch your antivirus software. Run a full scan of your machine, setting the options to scan everything that you can. This could take hours to run, but let it run to completion. If you do find a virus, read more about what to do below.

Check your browser to be sure nothing has been added to it. Here are links to how to do that for some of the more popular browsers.

You found a virus

You’ve run the scan, and it found a virus. Review the results, delete any files in quarantine, and then run the scan again to be sure. Many IT professionals (myself included) will format a machine and reinstall everything from scratch, rather than deal with an operating system that has been infected, but this is often an overreaction, and remember, we’re IT pros, so rebuilding a machine from scratch is what we do for fun. Yeah, we do really need to get out more, don’t we?

Of course, if you haven’t kept your antivirus software up to date, things just got a whole lot worse. You can use one of the antivirus scanners you can find online, but an ounce of prevention is worth a pound of cure, and if you’d kept your antivirus software up to date, you might have been fine. Once you get this squared away, make a good backup of all your critical data, and keep that up to date. That way, if you do get hit again, you at least have your critical data safely stored away. I use Dropbox, an online storage system. If you’d like to get a free 2GB account with an extra 250MB of space, you can use this referral link http://db.tt/W5FMJvy. That gets me some added space too.

You provided NPI into a form that later turned out to be bogus

Try to recall what information you provided. If it was just your contact details, you may have to do nothing more than start screening your calls and dealing with more spam in your inbox. However, if there was more sensitive information involved, you will want to contact your bank, credit card companies, etc. and set up a fraud watch on your account. In the US, you should also notify the major credit bureaus to flag your account so that if someone tries to open credit in your name, they can flag that. See this site for more information on how to do this. http://www.fightidentitytheft.com/flag.html

You’ve given up your credentials

Immediately contact the security team or admin of whatever system is involved and let them know what happened. It’s simple. “Hi, I think I was just victimized by a phishing attack, and may have given out my credentials to what I thought at the time was a legitimate request.” They can immediately take steps to prevent further damage, and will help you to reset your account.

Trust me, they will be much happier that you notified them immediately. People make mistakes, and it’s how we deal with them that counts. Security professionals will not yell at you or curse you for a fool; they will thank you for responsible reporting.

You CC’d hundreds of unrelated individuals when you should have used BCC

This could get ugly. People can get really upset when they see themselves copied on an email with dozens or even hundreds of others that they don’t know, because this frequently leads to a spike in spam. The odds that at least one person on the recipient list has a virus that is harvesting email addresses from their mail are pretty good, and you just fed that bug everyone else’s email address.

Apologise by sending a BCC email to all, set up a blind Distribution List to use going forward, and grow some thicker skin. It’s likely you will get some scathing replies, but at the end of the day, learn from the mistake and do better next time. That’s really all anyone can ask.

You forwarded a chain mail

Okay, for this the response is a bit more radical. Go to the chalkboard, and write out 1000 times “I will not forward chain mails without using BCC.” Really, that is all there is to that. Delete all the paragraphs of email addresses from the body, only put your friends and family into BCC, and then, if you are absolutely certain each and every one of them will think this is a LOL, send it. But if you are not sure they’d love that sort of thing, skip this one.

Just remember, accidents happen, and we’ve all learned from our mistakes. The trick when making a mistake is to not make the same one twice. We’re all human, and next time, you’ll know better. After all, Bob’s your uncle, right?

Comments

Vincent Walker July 4, 2012

More often than not, it’s the people who are trained and are “professionals” at online communication that are going to feel more embarrassed about committing one of the mistakes on this list. There’s still no shame in admitting a mistake, and openly communicating the danger gives everyone a better shot of protecting themselves.

Chao Timmons July 25, 2012

At the risk of getting the ire of tree huggers who rage against too much paper use, I say, print this article and tack it on each of your employees’ desks, or if not company bulletin board (but only a few read those) as a help guide.

People need to be reminded AND empowered to do some troubleshooting or damage control for whatever security booboo they did. This is a war, after all. If protecting sensitive data or people’s money is not worth a few more print-outs, I don’t know what is. I always subscribe to the adage that if it is not seen, it will be forgotten, or something to that sort. So, yeah, print this out.
