Email: The Backstreet Analogy


Let’s consider malicious but innocent-looking email and a few steps that may help avoid being caught out by clicking on a link or opening an attachment that surreptitiously installs a malicious program.

The few steps come first, for people in a hurry; thank you for stopping by. More on the gravity of the problem further down. On another occasion I’ll deal with a few of the treacheries this malware can get up to in computers and networks.

Malicious emails are often faked to appear to come from sources we trust, be it a bank, supermarket, or whatever, with juicy offers and links to sign up or to claim ‘refunds’, so it’s easy to get caught. What should we look out for?

A few things:

  1. Would the email stand up to a tough reasonableness and common-sense cross-examination in terms of who it’s from and what it’s about? If in any doubt, don’t reply to the email, pick up the phone and check.
  2. Do not click, but hover the cursor over the ‘From:’ name. A pop-up should appear after a second or two with the email address of the sender. Does the email address in the pop-up correspond closely with the sender’s name in the ‘From:’ text-box?
  3. Do not click, but hover over any links in the email. Again, a pop-up should appear after a few seconds with the URL behind the link. Is the URL in the pop-up what you would expect from the sender’s apparent organisation?
  4. Is the English composition of the email what you would expect from the purported source? Or is the composition and grammar poor?

If any of these points doesn’t fully check out, stop. In an organisational context, don’t delete the email; report it to line management. In a private context, delete the email.
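Steps 2 and 3 can also be run by a script over a saved message, as in this added example (not part of the original article). The sample message, its names and domains are constructed, and `expected_domain` is an assumed input: the domain you already know the purported sender uses.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message; every name, address and domain here is made up.
SAMPLE = '''\
From: "Example Bank Support" <notice@mailer.invalid>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, a refund is waiting for you.</p>
<a href="http://login.portal.invalid/session">Example Bank Internet Login</a>
<a href="https://www.examplebank.example/help">Help</a></body></html>
'''

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def belongs_to(host, expected_domain):  # exact domain or a subdomain of it
    host = (host or "").lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)

def review(raw, expected_domain):
    """Report what the hover pop-ups in steps 2 and 3 would reveal."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    hosts = [(text, urlparse(href).hostname) for text, href in collector.links]
    return {
        "from_name": sender.display_name,
        "from_address": sender.addr_spec,
        "sender_matches": belongs_to(sender.domain, expected_domain),
        "links": [(t, h, belongs_to(h, expected_domain)) for t, h in hosts],
    }
```

A mismatch is a reason to stop and verify by phone; a match on its own does not prove the message is genuine.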

Here’s an image of just one such email I got, supposedly from Allied Irish Bank. I have never banked with AIB. But if you hover the cursor over the sender’s email address, the pop-up shows the details of the likely real source. Hover over the AIB Internet Login link and the web address behind it is actually legitimate, but what probably happened was that the site had been hijacked as one of an army of remote-controlled zombies for denial of service (DoS) attacks, as a spambot or suchlike. Probably via a malicious email too. The website appears to be ok now, so the ruse must have been taken down.

 

Here’s some of the background.

94% of malware in the business world is delivered by email.

That is, the malicious payload was offloaded onto a victim machine or network, mainly with the help of the ‘unwary’ clicking on malicious email links and attachments. So says the 2019 Data Breach Investigations Report, page 13, from Verizon, a global communications provider.

That in itself points to a serious issue in terms of the level of security awareness, but when the global volume of junk email in circulation is also taken into account the scale of this problem goes into orbit, as we see next.

500 Billion near enough (5 followed by 11 zeros) emails hit the optic fibres globally every day.

Of those, more than 400 Billion are junk or unwanted emails (85% of the total, which includes malicious emails), with just 15% that could be classified as useful or wanted. Shocking.

These figures come from the Cisco Cybersecurity Series report for June 2019. Cisco are strongly placed to validate and make that call, being the front-runner in the global network technology and security equipment space and featuring prominently in the global Internet infrastructure that is weighed down with such a volume of junk.

Some perspective – if every child, man and woman in China were to send about 300 emails per day it would be about the same total, just for the junk emails. Not accusing China of sending all the unwanted emails of course, but just to illustrate magnitudes.

About 1 in 10 (10%) of emails, or about 50 Billion daily, contain malicious links or attachments according to Symantec’s Internet Security Test Report for February 2019. A lot of nasty stuff!

And that’s the real problem: these emails attempt to fly under the radar to deliver insidious tidings of little joy to the computers and networks of the employers of people who oblige the cyber criminals by unwittingly clicking on malicious links and attachments. Pardon the blunt message, but there’s no other way to put it without diluting the gravity of the situation. More on that below.

So how effective is malicious email in delivering such digital misery in terms of deception, violation of our trust, invasion of our privacy and destructive effect on our digital and real everyday lives?

In a word – very!

Back to the ‘unwary’ problem – how big is it?

Big! If we consider that 94% of the malware infecting organisations comes from email.

Each of us would be helping the organisations we work for, and in most cases depend on, enormously by playing our part in improving cyber security awareness. How?

So let’s deal with the title of this article, ‘Email: The Backstreet Analogy’, to illustrate the ‘How’.

Would any of us hesitate to accept a drink we ordered served in an open glass by a spiffy waiter at the Shelbourne Hotel, St Stephen’s Green, Dublin? We don’t need to answer that I’m sure.

Now, let’s say we’re down walking through a backstreet off the North Wall docklands, again in Dublin not that far from the Shelbourne, and some dodgy-looking character steps out of a dark side alley and offers us a free drink, again in an open glass but looking good with a well-known label on it. Would we say cheers mate, smile, and swallow it? I hope we don’t need to elaborate on what our response should be – but a polite response of course!

The matter of emails from unknown and untrusted sources with clickable links or attachments is the Backstreet Analogy.

Don’t click!

If it’s in an organisation you are associated with, stop and report it to line management.

Appreciate that there are more dark back alleys on the Internet than there ever will be in the real world – luring us in from the comfort of our office or living room.

Please just remember – clicking around a secure, well-known website is like the drink at the Shelbourne – smiles and good times. Clicking on links and attachments in emails from unknown sources, and therefore by default not to be trusted, is analogous to swallowing whatever was in that glass in the backstreet – too late when it turns out not to be what it looked like!