In part 1 of this series about teaching cybersecurity to our next generation, our kids, we started discussing ways to help school-age children raise their cybersecurity IQ. Today we’ll continue that conversation with a focus on how to scrutinize email and maintain good email security.
If you have ever seen “Return of the Pink Panther”, you will remember those ridiculously hilarious scenes of Inspector Clouseau being attacked every time he comes home, leaving a swath of destruction. Clouseau instructed his servant Cato to launch surprise attacks to keep him alert. Sometimes Cato’s attempts are better than others, like when Clouseau opens the fridge and Cato pops out, covered in frost, and starts to choke Clouseau. Lucky for us, we don’t need to hire a servant for this. Every day our email inbox and social media feeds are full of free surprise attacks to keep us vigilant. It’s up to us to scrutinize every message, every link, and every attachment before clicking or opening.
Challenge: Turn Off Automatic Image Loading
How are people able to tell when you read their email? They place image links in the email body, and they can monitor when your device downloads the image from their servers. By default, most email applications will load all images, but most have a setting to disable it. When you receive an email with images that you want to see, you just click the ‘Load All Images’ (or similar) button. On a mobile device, this also cuts down on unwanted cellular data and makes things a bit smoother when the data connection is poor.
- In Gmail, it’s the ‘Ask before displaying external images’ option under Settings/Images.
- On iPhone, it’s the ‘Load Remote Images’ option under Settings/Mail.
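To make the tracking mechanism concrete, the following added example (not part of the original article) lists the images in an HTML email body that would contact a remote server when the message is opened. The sample body, its hosts and the `id` value are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose src would trigger a network fetch on open."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the email, no server is contacted
        self.found.append({
            "host": url.hostname,
            # an invisible 1x1 (or 0x0) image has no purpose other than being fetched
            "tiny": a.get("width") in ("0", "1") and a.get("height") in ("0", "1"),
            # a query string can carry an identifier unique to the recipient
            "has_query": bool(url.query),
        })

def remote_images(html):
    """Return one dict per remote image reference found in the HTML body."""
    finder = RemoteImageFinder()
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed sample body: hosts and the id value are made up.
SAMPLE = """
<html><body>
<p>Your weekly newsletter</p>
<img src="cid:logo@newsletter" width="200" height="50">
<img src="https://images.news.example/banner.png" width="600" height="120">
<img src="https://track.news.example/open.gif?id=constructed-recipient-42" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for img in remote_images(SAMPLE):
        print(img)
```

With automatic image loading turned off, neither of the two remote images is requested until you choose to load them, so the sender's server never sees the open.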
Here are some quick tips to help identify phishing emails. Attackers need you to take action for their ploy to work… you have to click a link, open an attachment, or call a phone number. Without your action, they are powerless. So before clicking any links, or opening an attachment, do the following first:
1. Check Sender
Do the email address and name look legit? Names can be spoofed, but the sender email should match the originating domain. Therefore, if the name is ‘Amazon Support’, but the email is something like firstname.lastname@example.org rather than email@example.com, it’s phishing.
2. Check Links
Does the URL domain match what we would expect? An order from target.com should not contain a link like orders.target-corp.pl/something?ddd. Use of third-party URL shortening services like bitly.com has made this more difficult to spot.
3. Something Unexpected
If you receive an email with an attachment for an invoice for something you never purchased, be very suspicious. If an email is about a UPS or FedEx package, or an account to be closed, or a need to reset your password that you weren’t expecting, or a legal notice or official notification, then don’t click any links before thoroughly checking.
4. Something Unwanted
If you receive some nasty spam or an unwanted newsletter or solicitation offer, do not click on the unsubscribe link. You are just confirming your email address to the spammer, or, worse, visiting a malicious website that may result in system compromise. Simply report it as spam to your email provider and let the spam filter take care of it, or add it to the block list in your email client application.
5. Grammar and Spelling
Would you believe me if I said that attackers intentionally use poor grammar or spelling to filter out the smarter prey? It may just be a non-native English speaker struggling with our difficult language. However, it has also become a litmus test to filter out the smarter people who can quickly spot a fake.
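Steps 1 and 2 can be expressed as a small check, shown here as an added example that is not part of the original article. It compares the sender's domain and every link host against the domain you expect, using a whole-label match so that lookalikes which merely contain the brand name do not pass. The message is constructed (it reuses the article's `orders.target-corp.pl` link), and the shortener set is a small illustrative list.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}  # small illustrative set

def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkHosts(HTMLParser):
    """Collect the host of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.append(host)

def triage(raw, expected_domain):
    """Findings for step 1 (sender) and step 2 (links) against the expected domain."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))  # display name is ignored: it can be spoofed
    if not belongs_to(addr.rpartition("@")[2], expected_domain):
        findings.append(f"sender {addr} is not at {expected_domain}")
    links = LinkHosts()
    links.feed(msg.get_payload())
    for host in links.hosts:
        if host in SHORTENERS:
            findings.append(f"link uses shortener {host}; destination hidden")
        elif not belongs_to(host, expected_domain):
            findings.append(f"link host {host} is not {expected_domain}")
    return findings

# Constructed message: sender address and lookalike hosts are invented for illustration.
SAMPLE = """\
From: "Target Orders" <orders@target-corp.pl>
Subject: Your order
Content-Type: text/html

<p>View your order: <a href="http://orders.target-corp.pl/something?ddd">track</a></p>
<p><a href="https://www.target.com.account-check.example/login">sign in</a></p>
<p><a href="https://bit.ly/constructed">details</a> <a href="https://www.target.com/help">help</a></p>
"""
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE, "target.com")))
```

Only the `www.target.com` link passes; the host that starts with `www.target.com.` but ends in another domain is flagged, which a simple "does it contain target.com" check would miss.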
It’s worth repeating here: Attachments need special care because they can contain scripts, especially Microsoft Office documents. Never click on the Microsoft Office Enable Content link, never. The next screen you see after that click could be a ransomware demand or worse.
Treat all unexpected attachments like the bomb squad treats a suspect package.
CSO summarizes it well here. It’s usually a fake when you see statements like “Urgent action required!”, “Your account will be closed!”, “Your account has been compromised!”, or “A warrant has been issued for your arrest!”. The attacker expects recipients to panic and rush to the linked fake login page to enter their credentials or to hastily click to open a threatening legal document that has been weaponized with malware.
Challenge: Test Your Phishing IQ
SonicWall has a short interactive challenge, where you can test your skill at spotting phishy emails. Phishing IQ Test at SonicWall
Challenge: Install an Ad Blocker
If your kid doesn’t already have an Ad Blocker extension for their favorite web browser, get one installed. There are plenty of websites that depend solely on advertising for their income. If you like their content, and can usually trust their advertisements, you can add them as an exception. Now that you are logged in with a Standard user account, your risk is less than before.
Warning: Watch for fakes! Ad blockers have become so popular that there is malware masquerading as well-known ad blockers. Be aware that fake ad blockers, fake antivirus, fake security tools, and counterfeit security apps are everywhere; don’t be fooled.
Extra Credit: How Are They Malicious?
Here are a couple of scenarios that illustrate how malvertising can disrupt.
Ransomware encrypts your files and extorts money from you with the hope that you can recover your data. In order for this to work, it needs to escape the browser and run as a separate process, which means that it has to exploit a vulnerability in your browser or one of its extensions. ZDNet article on Mole ransomware.
In January 2018, Trend Micro and others discovered Monero cryptocurrency mining scripts hidden inside some ads served on YouTube. If you were a victim of this campaign, you would have noticed your system running hot, perhaps with the fan running high, and you might have noticed your system was sluggish while your browser was open to those pages. TrendMicro Finds Monero Mining Malverts. So the malware didn’t steal any of your data or infect your system, but it used your computer’s compute power to help the attackers mine currency.