Compromised Mailboxes and Email Phishing
The Dangers of eMail Phishing and Protection Methods
What Can a Criminal Do With My Email Password?
The Different Types of Phishing Scams
What Are My Defences?
How To Recognise a Phishing Email
The term "phishing" refers to a scammer or cyber criminal attempting to trick you into parting with your email mailbox username and password. Some people receive several phishing scam emails every day. This article explains the consequences of falling for those scams and offers some ideas to help you protect yourself.
In short, what is phishing?
A few years back you were probably among the millions that got an email, purporting to be from your bank, that warned of a security breach and the need for you to reset your bank account password. You followed the link, signed in with your account login and password and provided the new password. They thanked you - you ticked off the task - and the following day found out that your account had been cleaned out. Well, maybe you were smarter than that but many didn't know about the scam and they learned a quick lesson. And they learned the phishing word very quickly.
Things are much more sophisticated today and even the most sussed of us will fall for the odd well-crafted trap. But there are ways to cut down the amount of spam mail you receive, and then many ways to reduce the risk of being deceived. And there are things you can do to minimise the damage after you may have parted with information. We will address that here.
In this document the general use of the word "spam" refers to unwanted email, usually promoting services that you have not requested and have no interest in. A sub-set of spam is scam email, where the email has been created with malicious intent and is the gateway to obtaining passwords from you for fraudulent use. The word is rarely used this way, but we refer to "scam mail" and "scammer" (as opposed to spam and spammer) in this article to differentiate between harmless/annoying and malicious/dangerous.
The banks have done a good job of making sure their customers are aware of banking phishing scams. And one has to be very naive to part with a banking login password. So the scammers have focussed on extracting your email password from you. And with it they can create havoc in your life. It is only by educating yourself that you can escape the dangers. We can refer you to many real examples from cases where we have been asked to assist.
And why call it phishing with that weird spelling?
Phishing is derived from the similarities with the word fishing. There is a sea of potential victims out there, which the fisherman cannot see. The bait is tossed out and every now and again it results in a good bite. Very bad for you, the fish! Hackers and scammers love to reinvent spelling and often use "ph" in place of using "f" and used to refer to themselves as phreaks. So spelling fishing as phishing is quite descriptive and avoids any confusion.
WHAT CAN A CRIMINAL DO WITH MY EMAIL PASSWORD?
Plenty! It is important that you understand this section. And yes, scammers are people (very smart people) with criminal intent.
- SMTP Mail Relaying
This is the oldest and once most common violation, where your SMTP details are used to relay large amounts of advertising (spam) mail through your ISP. Most ISPs today can detect this sudden mail flow and will respond by scrambling your password to protect the server, bandwidth, recipients and you. The cost and risk to you is low, but there can be some major reconfiguring inconvenience.
But by the time the scammers revert to this compromise they will have already exhausted the much more lucrative exploits outlined below. It's the final lick out of the cake mix bowl.
- Plant and Execute Trojans
If a scammer has your email password he can attach an executable file which he sends to you. With mailbox access a scammer can plant trojans and arrange for them to execute on your PC after download. That effectively means he could control your PC remotely and could plant keyloggers. These monitor your keyboard keystrokes, accumulate these in a file and return that data to the scammer. A simple programme can pick up the string "www.fnb.co.za" and it follows that your bank password will soon be typed in. That's a rather chilling scenario.
- Random Snooping
A scammer making his way through your stored email folders could potentially cause havoc with the information there. Passwords, other people's information and personal information would all be prime targets. And then consider the implications of the POPI Act.
- Blackmail
If you maintain any personal communications with friends and family through the compromised mailbox then all that information is available for possible blackmail scams.
- Identity Theft
A very detailed personal profile can be made from prolonged examination of your personal communications. This enables scammers to eventually have enough critical information (including from attachments) to be able to pass themselves off as you and thereby transact and incur liability for you.
- Keyword Monitoring
One of the most common scams is to create a mailbox filter where every incoming email is scanned for certain keywords. "Password" would be a good one. So every incoming email which then contains the word password would have a copy mailed off to the scammer and you would be none the wiser. Consider what could happen after that.
- Invoice Interception and Creditor Cloning
These frauds have been with us from at least 2019 and they use the keyword filtering to identify your correspondents who are making payment to you. Having identified someone they then monitor the mail between the two of you and when the time is ripe they then intercept your invoice, change the banking details from your account to one of theirs, and then wait for your customer to pay them instead of you. Extremely effective. Although complicated to execute they are becoming quite common.
Best you read up on Invoice Interception Scams and how to protect yourself there.
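The hidden mailbox rule described under Keyword Monitoring and Invoice Interception above leaves a trace an administrator can audit: the rule itself. The following Python script is an added example, not code from this article; it assumes a simple exported rule format with the field names shown (an assumption, not any mail platform's real export format) and flags rules that forward to an address outside the organisation, match sensitive keywords such as "password" or "invoice", delete the message after forwarding, or carry a blank name.

```python
"""Audit exported mailbox rules for the forwarding / keyword-trigger pattern.

Added example: the rule records and their field names are constructed for
illustration and do not follow any particular mail platform's export format.
"""
import re

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Keywords a hidden rule is typically set to match on. The article names
# "password"; the invoice/payment terms cover the interception scams.
SENSITIVE_KEYWORDS = ("password", "invoice", "payment", "banking details", "statement")

# Constructed sample of three exported rules for three users.
SAMPLE_RULES = [
    {"owner": "alice@example.com", "name": "Newsletters",
     "conditions": {"from": "news@vendor.example"},
     "actions": {"move_to": "Newsletters"}},
    {"owner": "bob@example.com", "name": ".",
     "conditions": {"body_contains": ["password", "invoice"]},
     "actions": {"forward_to": "bob.backup@free-mail.example", "delete": True}},
    {"owner": "carol@example.com", "name": "Archive",
     "conditions": {"subject_contains": ["Payment"]},
     "actions": {"forward_to": "finance@example.com"}},
]


def is_external(address, org_domain=ORG_DOMAIN):
    """True when the address is outside the organisation's own domain."""
    return not address.lower().endswith("@" + org_domain)


def audit_rule(rule, org_domain=ORG_DOMAIN):
    """Return a list of human-readable findings for one rule (empty = clean)."""
    findings = []
    cond = rule.get("conditions", {})
    acts = rule.get("actions", {})
    keywords = [k.lower() for k in cond.get("body_contains", []) + cond.get("subject_contains", [])]
    sensitive = sorted(k for k in keywords if any(s in k for s in SENSITIVE_KEYWORDS))
    forward_to = acts.get("forward_to")
    if forward_to and is_external(forward_to, org_domain):
        findings.append(f"forwards to external address {forward_to}")
    if sensitive:
        findings.append("matches sensitive keyword(s): " + ", ".join(sensitive))
    if forward_to and acts.get("delete"):
        findings.append("forwards and then deletes, hiding the copy from the owner")
    if re.fullmatch(r"[\s.,\-_]*", rule.get("name", "")):
        findings.append("rule name is blank or punctuation only (a common way to hide a rule)")
    return findings


def audit_rules(rules, org_domain=ORG_DOMAIN):
    """Map 'owner:rule name' -> findings for every rule that raised a flag."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, org_domain)
        if findings:
            report[f"{rule['owner']}:{rule['name']}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Run against a real export, the rules to look at first are the ones with several findings at once: an external forward combined with a delete action and an unnamed rule is the shape of the scam this section describes, whereas an internal forward on "payment" (Carol's rule here) is usually a legitimate finance workflow and only needs confirming with the owner.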
- Ransomware Attacks
You receive an email telling you that your data files have been encrypted and that a payment of say $500 or a Bitcoin equivalent will unscramble them. You take a look and every spreadsheet, Word document and other format files are all corrupted and unusable. What do you do? Research tells you only 20% of the scammers will give you a legitimate unscrambling code after payment. You may have backups but there is a ton of restore work ahead of you. You do not want this to happen.
- Gain Access to your Outgoing Sent Mail
This is not so easy but can be achieved under certain conditions with certain mailing platforms. It opens a whole new world of fraudulent opportunity for scammers.
For security reasons we prefer not to discuss those issues in this public space.
- Gain Access to Every Stored Email in Archives and Current Folders
You are at major risk here if your mail protocol is IMAP as opposed to POP3. IMAP is used where you want access to all current and historical email for the account. IMAP stores your old mail on the server and (if so set) synchronises it to also store on your PC. But the important issue is that all your historical mail is on the server, and therefore accessible by the scammer.
We strongly recommend that someone looks at what mail is in these folders and assesses the potential harm that could be caused to your company if a hacker has this information. Most fraud and abuse specialists assume that all this mail would have been downloaded by a scammer for off-site examination. It is prudent to assume this.
Consider reviewing your policy on mail protocol for users with sensitive information.
Not so important, perhaps, for a low level employee. But it could be very damaging for a CEO, senior personnel or your transaction handling employees. Please be very aware of these dangers.
It is precisely for this reason that we recommend that IMAP should not be installed as the default protocol for staff who have access to sensitive and vulnerable information if their usage can be served by the simpler POP3 protocol, which is much safer against phishing intrusions.
THE DIFFERENT TYPES OF PHISHING SCAMS
1. - Basic Email Phishing
The basic phishing email is sent by fraudsters impersonating legitimate companies, often banks or credit card providers. These emails are designed to trick you into providing log-in information or financial information, such as credit card numbers or Medicare details.
Other spoof emails might try to trick you into clicking a link that leads to a fake website designed to look like a retail business or your bank. These fake websites can then install malware or other viruses directly onto your computer, allowing hackers to steal your personal information or take control of your computer, tablet, or smartphone.
Then there are the Special Offers and Incredible Giveaways.
All you have to do is fill in a form and you could be a lucky recipient of one of 5,000 airline tickets being given away. They seem to want marketing data which you happily provide and it's simple stuff - interests, hobbies, town of residence, etc. There is of course no free ticket coming your way but the scammers now have a personal profile on you which they can use to craft a customised spear phishing attack to send your way. See the next item.
(The red flag here is an offer that seems too good to be true.)
2. - Spear Phishing
While most phishing emails are sent to large groups of people, there is one type of attack that is more personalized in nature, spear phishing.
Spear-phishing emails are targeted toward a specific individual, business, or organisation. And unlike more generic phishing emails, the scammers who send them spend time researching their targets. The technique is sometimes called social engineering. These criminals will send emails that look like they're from legitimate sources.
For instance, in 2016, millions of customers in the United States who had made a purchase from Amazon received an email with the subject line 'Your Amazon.com order has been dispatched' with an order code after it. When consumers opened the email, there was no message, just an attachment. If they opened the attachment, consumers ran the risk of installing ransomware on their computers.
In another spear-phishing example, emails might target a company employee. The email may appear to come from the boss, and the message requests access to sensitive company information. If the spear-phishing target is tricked, it could lead to a data breach where a company or employee's information is accessed and stolen.
3. - Clone Phishing
Clone phishing may be one of the most difficult attacks to detect. In this type of phishing attack, scammers create a nearly identical version of an email that victims have already received.
The cloned email is sent from an address that is nearly, but not quite, the same as the email address used by the message's original sender. The body of the email looks the same, too. What's different? The attachment or link in the message has been changed. If victims click on those now, it will take them to a fake website or open an infected attachment. The net result is that the victim will pay money meant for you into the scammer's account.
These scams have been around for years, have become very sophisticated and are common. We take it so seriously that we have a dedicated page on "Invoice Interception Email Scams". We recommend you read it!
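One practical check for the clone-phishing pattern above, where the sender address is nearly but not quite the original, is to compare every sender's domain against the list of correspondents you actually pay or invoice. The Python script below is an added example rather than this article's code; the trusted domains, the sample addresses and the small table of look-alike character swaps are all constructed for illustration, and the distance threshold of 2 edits is an assumption to tune for your own correspondent list.

```python
"""Flag sender domains that are nearly, but not quite, a trusted correspondent.

Added example: the trusted list, the sample addresses and the small table of
character swaps are all constructed for illustration.
"""
import unicodedata

# Domains this organisation exchanges invoices and payments with (constructed).
TRUSTED_DOMAINS = ("acme-supplies.co.za", "example.com")

# A few visually similar swaps seen in look-alike domains. This is a short
# illustrative table, not a complete confusables list.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s"), ("7", "t"))


def normalise(domain):
    """Lower-case, strip accents and collapse common look-alike characters."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for lookalike, plain in CONFUSABLE_PAIRS:
        text = text.replace(lookalike, plain)
    return text


def levenshtein(a, b):
    """Edit distance: number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ("trusted", domain), ("lookalike", trusted_domain) or ("unknown", None)."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return ("trusted", domain)
    norm = normalise(domain)
    best = None
    for candidate in trusted:
        distance = levenshtein(norm, normalise(candidate))
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, candidate)
    if best:
        return ("lookalike", best[1])
    # A trusted name reused as a sub-label, e.g. trusted.co.za.something.net;
    # the final label (the TLD) is excluded so ordinary domains are not caught.
    labels = domain.split(".")[:-1]
    for candidate in trusted:
        if candidate.split(".")[0] in labels:
            return ("lookalike", candidate)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("accounts@acme-supplies.co.za", "accounts@acme-suppIies.co.za",
                   "billing@examp1e.com", "pay@acme-supplies.co.za.mail-secure.net",
                   "news@vendor-news.net"):
        print(f"{sender:45} -> {classify_sender(sender)}")
```

A "lookalike" verdict on a message that changes banking details is exactly the case to confirm by telephone, using a number you already hold rather than one in the email.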
4. - Initiate a Ransomware Attack
This is probably the most disruptive and deadly of all the scammer actions. With the email access they can see what usual trusted mail arrives for you. They then duplicate one of those emails which will dupe you into opening the usual attachment. But this attachment will actually infect your machine with a delayed action ransomware bomb. When that triggers (purposefully delayed so that your backups are also infected) then all your data files will become encrypted and unreadable. This is a separate and complex issue but the results are usually devastating and severe. And it is a growing threat.
WHAT ARE MY DEFENCES?
Hopefully by now you have realised that disclosure of your email password can have severe consequences. And as with any business risk you need to assess the threat and take whatever preventative measures are available and required.
Your ISP protects you
Your first level of defence is that your upstream mailbox (where incoming mail is stored until you send/receive) is protected with efficient anti-spam and anti-scam filtering. Most of these incoming spam mails are picked up at this level, moved into a Junk or Spam folder and destroyed after a period of time. You should know how to access this mail and check it for legitimate email that has been wrongly identified as spam - preferably weekly. If you don't know how to do that then read this article on EMail Deliverability.
You can adjust or turn down the aggression level and whitelist trusted domains and control other aspects of how this filter works. We strongly recommend that you check this filtered out mail regularly.
Don't give users their passwords
This is a little contentious, and maybe insulting to some, but if users don't know their passwords then they cannot give them away.
This will mean that someone (you) may have to keep a master password list and your IT support will need to do configs when necessary. A user, once the client software is set up, shouldn't need a password anyway.
Educate yourself
The fact that you are reading this article is a good start. Your next step is to make sure you understand it and figure out what you need to do to at least stay abreast of any news related to changes in scammers' modus operandi and the emergence of new threats and scammer trends. Read articles you come across and review what you are doing to minimise this risk.
Educate your staff
Once a scammer has unfettered access to one user's mailbox, then that user would be subject to any executable program that the scammer presents by using the "masquerading as a trusted correspondent" method. So they can get a colleague of yours to unwittingly install software that lets them access your internal network. After that they could have access to your servers and to every other user's machine. Including yours. So you being aware and informed is not so great if you are now vulnerable due to a co-worker being uninformed.
You have to address the weakest link which means that everyone in your organisation and inside your office network is educated on these issues and follows best practice principles and procedures.
All staff, at a minimum, need to know the dangers. They need to know how to recognise a phishing email. They must be encouraged to advise support if they think they may have initiated a breach. They must know the extreme danger of covering up and doing nothing.
There are services available which, given your staff mail addresses, will attempt to test them to see how well they recognise and respond to common basic phishing emails. The problem with those services is that the one that your staffer will fall for will be something more subtle that resembles a mail from your own ISP, or your bankers. An offshore service cannot test your staff at that level.
Be wary, cynical and suspicious
Perhaps not quite how your Mum brought you up to be - but this is a hostile environment and you are effectively under constant cyber attack. There is no other way to call it. Always better to be safe and apologetic than to have been the source of a major data breach. Check everything and be wary of everyone. If you are not expecting something, and the slightest thing seems odd or not quite right, then don't open it.
They will eventually get through to you. Yes they will!
You probably don't want to hear this, but sooner or later we all make mistakes and will open an email we should not have and will either run the attachment or access their website link. If the attachment is an executable (a file with a .com or .exe extension) then your local email client (Outlook?) should block it. If it is a spreadsheet containing macros then Excel etc. should warn you of that. It is unusual to receive such files as the server defence should have worked - and you still have your PC based anti-virus programmes to deal with it. But generally they will try to dupe you out of your password with a login type form that requires your email password.
So at this stage you are not at real risk. You have entered the cage but not met the lion yet. The form and the request for you to complete it (with password) should raise the big red flag for you. You realise what you are looking at and you retreat and close down. This two stage route gives you the chance to reverse out.
Aaaaargh! I have done it. All is lost!
No it is not! To wreak their havoc they need stealth. They need you not to know what you have done. They need time to see what prize they have won and what it is worth.
DO NOT PANIC, as that sometimes causes its own damage. If you know how to change your email password then do that without delay. If you do not know how to do that then get hold of your PC support and arrange for it to be done as soon as possible. Switching off your PC will not help, as the email they can access is what is coming through your server, not what is on your PC. Once the password on that mailbox is changed they will be locked out.
Have a policy to change passwords regularly
This is a solution that nobody likes. It's a pain and can always be put off. But if everyone in the organisation changed their password at least once a month then the time a sleeper could remain somewhere on the network would be an average of 15 days and a maximum of 30 days. It is a radical response but an effective one. And you should make sure that the passwords used are strong and different from the "my usual one" practice.
If a breach is suspected, force global password changes
A staff member may report that an "email was opened and acted on but I think I closed down" or "I am not sure of what I did." Get that person to change their password immediately, alert all staff to a possible breach and get everyone to change their password as soon as convenient. This action should be part of the procedure under "Educate your staff" above.
HOW TO RECOGNISE A PHISHING EMAIL
Scammers have become more sophisticated when it comes to sending out phishing emails. But there are still some signs you can look for.
It is important to understand and be able to spot the concepts, rather than a particular mail. If someone warns you about a Netflix cancellation scam then that's fine. But what you really need is to know enough about phishing mails to get the Netflix email (unannounced) and immediately spot that it is a phishing scam by seeing all the warning signs. Each one should raise a red flag and with a few flags fluttering it should scream "SCAM" at you. That's your very best protection.
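The "several flags fluttering" idea can be turned into a checklist a mail gateway or a training exercise can apply mechanically. The Python script below is an added example, not code from this article; it uses only the standard library and checks the signs the article mentions (a form asking for your password, urgent wording, an executable attachment) together with two header-level tells: a Reply-To that goes somewhere other than the From domain, and a link whose visible text shows one host while the actual target is another. The two sample messages, the brand table and the phrase list are constructed for illustration.

```python
"""Score a message for the red flags a phishing email typically shows.

Added example, not code from the article: the two sample messages, the brand
table and the phrase list are constructed for illustration only.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Pressure language that pushes the reader to act before thinking.
URGENCY_PHRASES = ("within 24 hours", "account will be suspended",
                   "verify your password", "confirm your password")
# Extensions that run code or carry macros when opened.
RISKY_EXTENSIONS = (".exe", ".com", ".scr", ".js", ".vbs", ".bat", ".xlsm", ".docm")
# Display-name brand -> the domain that brand really sends from (constructed).
KNOWN_BRANDS = {"your bank": "yourbank.example"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of an http(s) URL, or None if the string is not one."""
    match = re.match(r"https?://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return match.group(1).lower() if match else None


def red_flags(msg):
    """Return a list of red-flag descriptions found in an EmailMessage."""
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append(f"Reply-To goes to a different domain: {reply_addr}")
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in from_name.lower() and from_domain != real_domain:
            flags.append(f"display name claims '{brand}' but address is @{from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    lowered = re.sub(r"<[^>]+>", " ", content).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        for href, shown in collector.links:
            shown_host, real_host = host_of(shown), host_of(href)
            if shown_host and real_host and shown_host != real_host:
                flags.append(f"link text shows {shown_host} but points to {real_host}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")
    return flags


def build_phishing_sample():
    """Constructed message showing several flags at once."""
    msg = EmailMessage()
    msg["From"] = "Your Bank Security <alerts@secure-mail-notify.example>"
    msg["Reply-To"] = "helpdesk@other-host.example"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Urgent: verify your account"
    text = "Verify your password within 24 hours or your account will be suspended."
    msg.set_content(text + " https://yourbank.example/login")
    msg.add_alternative(f'<p>{text} <a href="http://login-yourbank.example/verify">'
                        'https://yourbank.example/login</a></p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg


def build_benign_sample():
    """Constructed routine notification from the real domain."""
    msg = EmailMessage()
    msg["From"] = "Your Bank <alerts@yourbank.example>"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Your monthly statement is ready"
    msg.set_content("Your statement is available when you next log in to online banking.")
    return msg


if __name__ == "__main__":
    for label, builder in (("phishing", build_phishing_sample), ("benign", build_benign_sample)):
        print(label, red_flags(builder()))
```

No single check is conclusive on its own (a genuine newsletter may legitimately use a different Reply-To), which is why the function returns every flag it finds rather than a yes/no verdict: one flag is a reason to look closer, several together are the "SCAM" signal the section describes.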