Many people who are of my generation remember the day that we got our first email address, and it was something goofy like “email@example.com” or “firstname.lastname@example.org”. Don’t look so innocent! You remember your first email address and you remember the jokes that ensued from your friends, family members, and employer prospects. Okay – the employer prospects were a stretch, but you get my point. The first emails that I received were from the famous “long lost uncle” and the “Nigerian prince” who both wanted to give me 1.5 million dollars.
Today, these scams have more than taken over our spam folders and even have begun to wreak havoc personally. There are plenty of emails that are being sent on our behalf promising a blue pill will solve our life’s problems or asking for help to get us out of prison. Fortunately, many of our friends and family realize that we didn’t send those emails, however, what happens when someone gets an email that eerily seems like it is from someone you know? How does it happen?
How do we prevent it?
It is important to know what you are dealing with and why. This type of email is called phishing which is a form of social engineering where a threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access. Typically, these come in the form of an email, text message, and phone call. Phishing is the top crime reported to the FBI. Cyber crimes account for over 10 billion dollars in loss.
Try to avoid the saying “how can anyone be so stupid...” It is happening to thousands of people all over the country and with losses like we are seeing, it is undeniable that it is much easier than you think. These emails cover topics from tech support to lost money that was found in a bank needing your login information. The most common is the tech support that has a bill saying that the customer owes money for a service.
Let’s talk about Joe. Joe is checking his emails and gets an email from “Geek Squad” saying that their Norton is about to expire and attached is a bill for $199 to renew the product. The customer, Joe, is instructed to call Geek Squad to make changes to their subscription. So Joe calls Geek Squad to cancel because he doesn’t remember signing up. Joe is instructed to go to his computer and download a remote access program to connect to Geek Squad’s secure “server” to cancel their subscription.
It seems so far out as you read this, however, it is happening at an alarming rate. I have personally seen this with people in my life and they genuinely think that they signed up for something but forgot about it. Let’s take a look at an example of what I received and break down how to read the red flags.
Actual Email Received:
1. An official email coming from a legitimate company would have their website address in the email address (i.e. email@example.com). The email address on this “from” is NOT an email from a company. This one shows a person’s name and most of the time, this is the case. They will open an account with a webmail service and send emails from that account.
2. A legitimate business curates a strong subject line and is grammatically correct. This subject would make sense to the person receiving the email.
3. The name appearing on an email from an official company would show the name of the person who sent it and not some random invoice number.
4. These are fake numbers. You can call the phone number and give them any “invoice” number and they don’t have a way to verify it. Most of the time. It’s always a fake number but there are some that have a list and can pull it up. Typically, they do not.
Actual “Invoice” Received:
1. A toll-free phone number listed on legitimate receipt would show 1-800-xxx-xxxx. In addition, there would not be a (+) before the phone number.
2. The person sending this email doesn’t even get your name right. Who is “Joseph D. Davis?”
3. This “shipping address” is not your address. If you Google the address, it will come up as an apartment complex. Many will use this type of address or a post office mailing service address like UPS Store.
4. This is a critical thinking exercise – why am I paying UPS overnight shipping for online protection?
Arm Yourself with Information
· Companies don’t typically reach out to you via email unsolicited.
· Reverse lookup the phone number on the email.
o This can be done by going to White Pages or Google. After a little sleuthing, you will find out quickly what is valid or scam.
· Don’t click on a link within an email.
o Copying and Pasting the web address into https://search.google.com/search-console/welcome?action=inspect&utm_medium=referral&utm_campaign=9012289&sjid=14833984494414985176-NA will confirm if a website is safe.
· Look at the email address and text.
o If there are misspellings in the email, text, etc., is a clue that it is not legitimate. Companies, on the whole, spend way too much money on their marketing for spelling errors to occur.
· Don’t download anything.
o Most companies are not going to require you to download anything.
· Don’t alert the criminal that you are reporting them.
· Stop answering calls and emails from the person.
How to Report
· Go to www.ic3.gov or call 800-372-8347.